[Security][LoginLink] Request missing parameters throws 500 #48291

@thomas2411

Symfony version(s) affected

6.1.2

Description

When login_check is requested and the request parameters (user, hash, expires) are missing, it throws a 500 exception because the verifySignatureHash method needs 3 non-null parameters.

How to reproduce

Implement LoginLink and then request login via link:
https://mydomain.eu/login_check?amp%3Bexpires=1669158801&amp%3Bhash=YTU2NzdiNjE3ZGZhZRTHJH5678c1ODcyOTAyNDc0MzhiFiZmRlOWRjMjE4NDhhOGE4ZDcxNjU5OTUzNw%3D%3D%7CYTg5Y2JlNjY4MmQxZWU0M...5lc3M&user=myemail%40example.com

You can see that all parameters appear to be provided here, but actually they are not. Due to some weird solution in our client's corporation, when they get an email with the link, their inner security solution encodes the ampersand to amp%3B. This makes those parameters obsolete.

Possible Solution

We should check in vendor/symfony/security-http/LoginLink/LoginLinkHandler.php:92 whether those parameters are null and, if so, throw an exception that can be handled.

Additional Context

Uncaught Error: Symfony\Component\Security\Core\Signature\SignatureHasher::verifySignatureHash(): Argument #2 ($expires) must be of type int, null given, called in /vendor/symfony/security-http/LoginLink/LoginLinkHandler.php on line 96
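As an added illustration (not Symfony's code and not part of the report above), the snippet below parses the query string from the report to show why the link only looks complete, then validates the three parameters before they would reach the signature check, so a malformed link is rejected with a catchable exception instead of a TypeError. The exception class and function names are hypothetical.

```php
<?php
// Query string as it arrives after "&" was rewritten to "&amp;" (taken from the
// report; the hash value is shortened here because it is truncated there too).
$query = 'amp%3Bexpires=1669158801&amp%3Bhash=YTU2NzdiNjE3ZGZh&user=myemail%40example.com';

parse_str($query, $params);
// Keys are "amp;expires", "amp;hash" and "user": "expires" and "hash" are absent,
// so $params['expires'] and $params['hash'] resolve to null.
var_dump(array_keys($params));

// Hypothetical exception type; a handler can map it to a 4xx/redirect to the login page.
final class MissingLoginLinkParameterException extends RuntimeException {}

/**
 * Return [user, expires, hash] only if all three are present and well typed.
 * verifySignatureHash() requires string $user, int $expires, string $hash, so
 * anything else must be rejected here rather than passed on.
 */
function extractLoginLinkParameters(array $query): array
{
    foreach (['user', 'expires', 'hash'] as $name) {
        // parse_str() can also yield arrays (e.g. "user[]=x"), hence the is_string check.
        if (!isset($query[$name]) || !is_string($query[$name]) || $query[$name] === '') {
            throw new MissingLoginLinkParameterException(
                sprintf('Missing or empty "%s" parameter in login link.', $name)
            );
        }
    }
    // "expires" must be an unsigned integer timestamp before the (int) cast is safe.
    if (!ctype_digit($query['expires'])) {
        throw new MissingLoginLinkParameterException('"expires" must be an integer timestamp.');
    }

    return [$query['user'], (int) $query['expires'], $query['hash']];
}

try {
    [$user, $expires, $hash] = extractLoginLinkParameters($params);
    // Signature verification (verifySignatureHash($user, $expires, $hash)) would run here.
} catch (MissingLoginLinkParameterException $e) {
    // Reached for the link above: "expires" is missing.
    echo 'Rejected login link: ', $e->getMessage(), PHP_EOL;
}
```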
