Merge branch '4.4'

* 4.4:
  [Console] Constant STDOUT might be undefined.
  Add missing conflict with symfony/serializer <4.4
  Allow returning null from NormalizerInterface::normalize
  bumped Symfony version to 4.4.0
  updated VERSION for 4.4.0-BETA1
  updated CHANGELOG for 4.4.0-BETA1
  [Security\Core] throw AccessDeniedException when switch user fails
  [Mime] fix guessing mime-types of files with leading dash
  [HttpFoundation] fix guessing mime-types of files with leading dash
  [VarExporter] fix exporting some strings
  [Cache] forbid serializing AbstractAdapter and TagAwareAdapter instances
  Use constant time comparison in UriSigner

Author: nicolas-grekas

Firewall/SwitchUserListener.php

@@ -101,7 +101,8 @@ public function __invoke(RequestEvent $event)
             try {
                 $this->tokenStorage->setToken($this->attemptSwitchUser($request, $username));
             } catch (AuthenticationException $e) {
-                throw new \LogicException(sprintf('Switch User failed: "%s"', $e->getMessage()));
+                // Generate 403 in any conditions to prevent user enumeration vulnerabilities
+                throw new AccessDeniedException('Switch User failed: '.$e->getMessage(), $e);
             }
         }
 
@@ -133,7 +134,24 @@ private function attemptSwitchUser(Request $request, string $username): ?TokenIn
             throw new \LogicException(sprintf('You are already switched to "%s" user.', $token->getUsername()));
         }
 
-        $user = $this->provider->loadUserByUsername($username);
+        $currentUsername = $token->getUsername();
+        $nonExistentUsername = '_'.md5(random_bytes(8).$username);
+
+        // To protect against user enumeration via timing measurements
+        // we always load both successfully and unsuccessfully
+        try {
+            $user = $this->provider->loadUserByUsername($username);
+
+            try {
+                $this->provider->loadUserByUsername($nonExistentUsername);
+                throw new \LogicException('AuthenticationException expected');
+            } catch (AuthenticationException $e) {
+            }
+        } catch (AuthenticationException $e) {
+            $this->provider->loadUserByUsername($currentUsername);
+
+            throw $e;
+        }
 
         if (false === $this->accessDecisionManager->decide($token, [$this->role], $user)) {
             $exception = new AccessDeniedException();

Tests/Firewall/SwitchUserListenerTest.php

@@ -18,6 +18,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
 use Symfony\Component\Security\Core\User\User;
 use Symfony\Component\Security\Http\Event\SwitchUserEvent;
 use Symfony\Component\Security\Http\Firewall\SwitchUserListener;
@@ -157,6 +158,7 @@ public function testSwitchUserIsDisallowed()
     {
         $this->expectException('Symfony\Component\Security\Core\Exception\AccessDeniedException');
         $token = new UsernamePasswordToken('username', '', 'key', ['ROLE_FOO']);
+        $user = new User('username', 'password', []);
 
         $this->tokenStorage->setToken($token);
         $this->request->query->set('_switch_user', 'kuba');
@@ -165,6 +167,31 @@ public function testSwitchUserIsDisallowed()
             ->method('decide')->with($token, ['ROLE_ALLOWED_TO_SWITCH'])
             ->willReturn(false);
 
+        $this->userProvider->expects($this->exactly(2))
+            ->method('loadUserByUsername')
+            ->withConsecutive(['kuba'])
+            ->will($this->onConsecutiveCalls($user, $this->throwException(new UsernameNotFoundException())));
+
+        $listener = new SwitchUserListener($this->tokenStorage, $this->userProvider, $this->userChecker, 'provider123', $this->accessDecisionManager);
+        $listener($this->event);
+    }
+
+    public function testSwitchUserTurnsAuthenticationExceptionTo403()
+    {
+        $this->expectException('Symfony\Component\Security\Core\Exception\AccessDeniedException');
+        $token = new UsernamePasswordToken('username', '', 'key', ['ROLE_ALLOWED_TO_SWITCH']);
+
+        $this->tokenStorage->setToken($token);
+        $this->request->query->set('_switch_user', 'kuba');
+
+        $this->accessDecisionManager->expects($this->never())
+            ->method('decide');
+
+        $this->userProvider->expects($this->exactly(2))
+            ->method('loadUserByUsername')
+            ->withConsecutive(['kuba'], ['username'])
+            ->will($this->onConsecutiveCalls($this->throwException(new UsernameNotFoundException())));
+
         $listener = new SwitchUserListener($this->tokenStorage, $this->userProvider, $this->userChecker, 'provider123', $this->accessDecisionManager);
         $listener($this->event);
     }
@@ -181,9 +208,10 @@ public function testSwitchUser()
             ->method('decide')->with($token, ['ROLE_ALLOWED_TO_SWITCH'], $user)
             ->willReturn(true);
 
-        $this->userProvider->expects($this->once())
-            ->method('loadUserByUsername')->with('kuba')
-            ->willReturn($user);
+        $this->userProvider->expects($this->exactly(2))
+            ->method('loadUserByUsername')
+            ->withConsecutive(['kuba'])
+            ->will($this->onConsecutiveCalls($user, $this->throwException(new UsernameNotFoundException())));
         $this->userChecker->expects($this->once())
             ->method('checkPostAuth')->with($user);
 
@@ -207,9 +235,10 @@ public function testSwitchUserWorksWithFalsyUsernames()
             ->method('decide')->with($token, ['ROLE_ALLOWED_TO_SWITCH'])
             ->willReturn(true);
 
-        $this->userProvider->expects($this->once())
-            ->method('loadUserByUsername')->with('0')
-            ->willReturn($user);
+        $this->userProvider->expects($this->exactly(2))
+            ->method('loadUserByUsername')
+            ->withConsecutive(['0'])
+            ->will($this->onConsecutiveCalls($user, $this->throwException(new UsernameNotFoundException())));
         $this->userChecker->expects($this->once())
             ->method('checkPostAuth')->with($user);
 
@@ -237,9 +266,10 @@ public function testSwitchUserKeepsOtherQueryStringParameters()
             ->method('decide')->with($token, ['ROLE_ALLOWED_TO_SWITCH'], $user)
             ->willReturn(true);
 
-        $this->userProvider->expects($this->once())
-            ->method('loadUserByUsername')->with('kuba')
-            ->willReturn($user);
+        $this->userProvider->expects($this->exactly(2))
+            ->method('loadUserByUsername')
+            ->withConsecutive(['kuba'])
+            ->will($this->onConsecutiveCalls($user, $this->throwException(new UsernameNotFoundException())));
         $this->userChecker->expects($this->once())
             ->method('checkPostAuth')->with($user);
 
@@ -265,9 +295,10 @@ public function testSwitchUserWithReplacedToken()
             ->method('decide')->with($token, ['ROLE_ALLOWED_TO_SWITCH'], $user)
             ->willReturn(true);
 
-        $this->userProvider->expects($this->any())
-            ->method('loadUserByUsername')->with('kuba')
-            ->willReturn($user);
+        $this->userProvider->expects($this->exactly(2))
+            ->method('loadUserByUsername')
+            ->withConsecutive(['kuba'])
+            ->will($this->onConsecutiveCalls($user, $this->throwException(new UsernameNotFoundException())));
 
         $dispatcher = $this->getMockBuilder(EventDispatcherInterface::class)->getMock();
         $dispatcher
@@ -312,9 +343,10 @@ public function testSwitchUserStateless()
             ->method('decide')->with($token, ['ROLE_ALLOWED_TO_SWITCH'], $user)
             ->willReturn(true);
 
-        $this->userProvider->expects($this->once())
-            ->method('loadUserByUsername')->with('kuba')
-            ->willReturn($user);
+        $this->userProvider->expects($this->exactly(2))
+            ->method('loadUserByUsername')
+            ->withConsecutive(['kuba'])
+            ->will($this->onConsecutiveCalls($user, $this->throwException(new UsernameNotFoundException())));
         $this->userChecker->expects($this->once())
             ->method('checkPostAuth')->with($user);