Skip to content

Commit b559c5f

Browse files
fabpotfabpot
committed
Merge branch '2.3' into 2.7
* 2.3: limited the maximum length of a submitted username
2 parents 8c16bf9 + 3e460b4 commit b559c5f

File tree

2 files changed

+10
-0
lines changed

2 files changed

+10
-0
lines changed

Firewall/SimpleFormAuthenticationListener.php

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,7 @@
2424
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
2525
use Symfony\Component\Security\Core\Authentication\SimpleFormAuthenticatorInterface;
2626
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
27+
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
2728
use Symfony\Component\Security\Core\Security;
2829
use Symfony\Component\Security\Http\HttpUtils;
2930
use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
@@ -116,6 +117,10 @@ protected function attemptAuthentication(Request $request)
116117
$password = $request->get($this->options['password_parameter'], null, true);
117118
}
118119

120+
if (strlen($username) > Security::MAX_USERNAME_LENGTH) {
121+
throw new BadCredentialsException('Invalid username.');
122+
}
123+
119124
$request->getSession()->set(Security::LAST_USERNAME, $username);
120125

121126
$token = $this->simpleAuthenticator->createToken($request, $username, $password, $this->providerKey);

Firewall/UsernamePasswordFormAuthenticationListener.php

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,7 @@
2424
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
2525
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
2626
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
27+
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
2728
use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
2829
use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
2930
use Symfony\Component\Security\Core\Security;
@@ -91,6 +92,10 @@ protected function attemptAuthentication(Request $request)
9192
$password = $request->get($this->options['password_parameter'], null, true);
9293
}
9394

95+
if (strlen($username) > Security::MAX_USERNAME_LENGTH) {
96+
throw new BadCredentialsException('Invalid username.');
97+
}
98+
9499
$request->getSession()->set(Security::LAST_USERNAME, $username);
95100

96101
return $this->authenticationManager->authenticate(new UsernamePasswordToken($username, $password, $this->providerKey));

0 commit comments

Comments
 (0)