🌐 AI搜索 & 代理 主页
Skip to content

[Security] Throw when passing an empty string as $userIdentifier and tighten AuthenticatorManager and OidcTokenHandler arguments #61183

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nicolas-grekas merged 1 commit into from
Jul 21, 2025
Merged

[Security] Throw when passing an empty string as $userIdentifier and tighten AuthenticatorManager and OidcTokenHandler arguments #61183

nicolas-grekas merged 1 commit into from
Jul 21, 2025

Conversation

@nicolas-grekas
Copy link
Member

@nicolas-grekas nicolas-grekas commented Jul 21, 2025

Q A
Branch? 8.0
Bug fix? no
New feature? yes
Deprecations? no
Issues
License MIT

@nicolas-grekas
[Security] Throw when passing an empty string as $userIdentifier and …
f599e20 
…tighten AuthenticatorManager and OidcTokenHandler arguments
@nicolas-grekas nicolas-grekas requested a review from chalasr as a code owner July 21, 2025 12:50
@carsonbot carsonbot added this to the 8.0 milestone Jul 21, 2025
@nicolas-grekas nicolas-grekas merged commit 000ade9 into symfony:8.0 Jul 21, 2025
2 of 9 checks passed
@nicolas-grekas nicolas-grekas mentioned this pull request Jul 21, 2025
Closed
@nicolas-grekas nicolas-grekas deleted the sec-http-drop branch July 21, 2025 16:12
@fabpot fabpot mentioned this pull request Oct 27, 2025
Merged
@yoeunes yoeunes mentioned this pull request Nov 23, 2025
Merged
nicolas-grekas added a commit that referenced this pull request Nov 24, 2025
@nicolas-grekas
bug #62487 [Security] Fix UserBadge validation bypass via identifie…
bbc8aab 
…r normalizer (yoeunes)

This PR was merged into the 7.3 branch.

Discussion
----------

[Security] Fix `UserBadge` validation bypass via identifier normalizer

| Q             | A
| ------------- | ---
| Branch?       | 7.3
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Issues        | -
| License       | MIT

The `UserBadge` constructor validates that the identifier is not empty and does not exceed `MAX_USERNAME_LENGTH`.

However, when using `$identifierNormalizer`, the normalized identifier is computed lazily in `getUserIdentifier()` without validation. This allows normalizers to return invalid values:

```php
// This correctly triggers a deprecation in the constructor
new UserBadge('');

// This currently bypasses validation and returns an empty string
$badge = new UserBadge('valid_input', null, null, fn() => '');
$badge->getUserIdentifier();
```

Related to #51744 and #61183

I targeted `7.3` as it introduced `identifierNormalizer`, please let me know if I should target `8.0` or `8.1` instead.

Commits
-------

e4a759d [Security] Fix UserBadge validation bypass via identifier normalizer
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alexandre-daubois alexandre-daubois alexandre-daubois approved these changes

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

Assignees

No one assigned

Labels

Feature Security Status: Reviewed

Projects

None yet

Milestone

8.0

Development

Successfully merging this pull request may close these issues.

3 participants

@nicolas-grekas @alexandre-daubois @carsonbot