Skip to content

[Security] Fix UserBadge validation bypass via identifier normalizer #62487

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nicolas-grekas merged 1 commit into from
Nov 24, 2025
Merged

[Security] Fix UserBadge validation bypass via identifier normalizer #62487

nicolas-grekas merged 1 commit into from
Nov 24, 2025
+38 −7

Conversation

@yoeunes
Copy link
Contributor

@yoeunes yoeunes commented Nov 23, 2025
edited
Loading

Q A
Branch? 7.3
Bug fix? yes
New feature? no
Deprecations? no
Issues -
License MIT

The UserBadge constructor validates that the identifier is not empty and does not exceed MAX_USERNAME_LENGTH.

However, when using $identifierNormalizer, the normalized identifier is computed lazily in getUserIdentifier() without validation. This allows normalizers to return invalid values:

// This correctly triggers a deprecation in the constructor
new UserBadge(''); 

// This currently bypasses validation and returns an empty string
$badge = new UserBadge('valid_input', null, null, fn() => ''); 
$badge->getUserIdentifier();

Related to #51744 and #61183

I targeted 7.3 as it introduced identifierNormalizer, please let me know if I should target 8.0 or 8.1 instead.

@yoeunes yoeunes requested a review from chalasr as a code owner November 23, 2025 02:13
@carsonbot carsonbot added this to the 7.3 milestone Nov 23, 2025
@yoeunes yoeunes force-pushed the security-user-badge-normalization branch from de51e46 to e4a759d Compare November 23, 2025 02:26
@OskarStark OskarStark changed the title [Security] Fix UserBadge validation bypass via identifier normalizer [Security] Fix UserBadge validation bypass via identifier normalizer Nov 23, 2025
@nicolas-grekas
Copy link
Member

nicolas-grekas commented Nov 24, 2025

Thank you @yoeunes.

@nicolas-grekas nicolas-grekas merged commit bbc8aab into symfony:7.3 Nov 24, 2025
11 checks passed
@fabpot fabpot mentioned this pull request Nov 27, 2025
Merged
This was referenced Dec 7, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@OskarStark OskarStark OskarStark left review comments

@stof stof stof approved these changes

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

Assignees

No one assigned

Labels

Bug Security Status: Reviewed

Projects

None yet

Milestone

7.3

Development

Successfully merging this pull request may close these issues.

5 participants

@yoeunes @nicolas-grekas @stof @OskarStark @carsonbot