Symfony version(s) affected
6.1.2
Description
When login_check is requested and the request parameters (user, hash, expires) are missing, it throws a 500 exception, because the verifySignatureHash method needs three non-null parameters.
How to reproduce
Implement LoginLink and then request login via a link such as:
https://mydomain.eu/login_check?amp%3Bexpires=1669158801&%3Bhash=YTU2NzdiNjE3ZGZhZRTHJH5678c1ODcyOTAyNDc0MzhiFiZmRlOWRjMjE4NDhhOGE4ZDcxNjU5OTUzNw%3D%3D%7CYTg5Y2JlNjY4MmQxZWU0M...5lc3M&user=myemail%40example.com
You see that here all parameters appear to be provided, but actually they are not. Due to some weird solution in our client's corporation, when they get an email with the link, their inner security solution encodes the ampersand to amp%3B. This makes those parameters obsolete.
Possible Solution
We should check in vendor/symfony/security-http/LoginLink/LoginLinkHandler.php:92 whether those parameters are null and, if so, throw an exception that can be handled.
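An added sketch of the check proposed above, written as stand-alone PHP and not taken from Symfony's code: it parses the reported link, shows that the rewritten keys `amp;expires` and `;hash` are not the expected `expires` and `hash`, and rejects the request with a catchable exception before any typed call such as verifySignatureHash is reached. The exception class and the function name are assumptions, and the hash value in the sample link is a constructed placeholder.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a handleable exception; not a Symfony class.
final class MissingLoginLinkParameterException extends \RuntimeException {}

/**
 * Extract the three login-link parameters from a URL and validate them.
 * Returns ['user' => string, 'expires' => int, 'hash' => string] or throws.
 */
function extractLoginLinkParameters(string $url): array
{
    $query = parse_url($url, PHP_URL_QUERY);
    $params = [];
    if (is_string($query)) {
        // parse_str percent-decodes keys, so "amp%3Bexpires" becomes "amp;expires",
        // which is simply a different key than "expires".
        parse_str($query, $params);
    }

    $missing = [];
    foreach (['user', 'expires', 'hash'] as $name) {
        if (!isset($params[$name]) || !is_string($params[$name]) || $params[$name] === '') {
            $missing[] = $name;
        }
    }
    if ($missing !== []) {
        throw new MissingLoginLinkParameterException(
            'Login link is missing required parameter(s): ' . implode(', ', $missing)
        );
    }
    // "expires" must be an integer timestamp before it is passed on as int.
    if (!ctype_digit($params['expires'])) {
        throw new MissingLoginLinkParameterException('Login link "expires" is not an integer timestamp');
    }

    return ['user' => $params['user'], 'expires' => (int) $params['expires'], 'hash' => $params['hash']];
}

// Constructed sample: the shape of the reported link after the mail filter rewrote "&" to "&amp;".
$broken = 'https://mydomain.eu/login_check?amp%3Bexpires=1669158801&%3Bhash=HASH_PLACEHOLDER&user=myemail%40example.com';
try {
    extractLoginLinkParameters($broken);
} catch (MissingLoginLinkParameterException $e) {
    echo $e->getMessage(), PHP_EOL; // reports expires and hash as missing
}

// Constructed sample: the same link as the application actually generated it.
$good = 'https://mydomain.eu/login_check?expires=1669158801&hash=HASH_PLACEHOLDER&user=myemail%40example.com';
$parsed = extractLoginLinkParameters($good);
echo gettype($parsed['expires']), ' ', $parsed['user'], PHP_EOL;
```

In the handler, the caught exception can be mapped to a 4xx response or a redirect back to the login form, which is the handleable behaviour the report asks for instead of an uncaught TypeError.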
Additional Context
Uncaught Error: Symfony\Component\Security\Core\Signature\SignatureHasher::verifySignatureHash(): Argument #2 ($expires) must be of type int, null given, called in /vendor/symfony/security-http/LoginLink/LoginLinkHandler.php on line 96