php · symfony/security-http · Critical
symfony/security-http: DefaultAuthenticationFailureHandler ignores _failure_path when failure_forward is enabled
DefaultAuthenticationFailureHandler no longer honors the request-supplied _failure_path parameter when failure_forward is enabled.
What changed
Before the fix, DefaultAuthenticationFailureHandler let the request-supplied _failure_path parameter override the configured failure_path in both of its modes. In redirect mode that is harmless in isolation, because the browser makes a new request that the firewall evaluates normally. In forward mode it is not: the handler dispatches an internal subrequest, and access_control is only enforced on the main request, so whoever submitted the failing login form also chose which controller the subrequest rendered. After the fix, the request-supplied _failure_path is ignored whenever failure_forward is enabled, and the subrequest is always dispatched to the configured failure_path option.
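The following stand-alone PHP script is an added illustration, not Symfony's code: it models the handler's target-resolution logic before and after the fix so the difference is concrete. The option names (failure_path, failure_forward, failure_path_parameter, login_path) match the real handler's options; the request is a plain array standing in for a Request, and "forward" stands for the internal SUB_REQUEST that access_control never sees. The hostile login submission is constructed for the example.

```php
<?php
// Added example (not symfony/security-http code). Requires PHP 8.0+ for
// named arguments. Run with: php failure_target.php
declare(strict_types=1);

/**
 * Decide where an authentication failure is sent.
 *
 * @param array<string,mixed>  $options  handler options (names follow Symfony's)
 * @param array<string,string> $request  request parameters, POST and GET merged
 * @param bool                 $patched  false models the pre-fix handler, true the fixed one
 * @return array{mode:string,target:string}
 */
function resolveFailureTarget(array $options, array $request, bool $patched): array
{
    $defaults = [
        'failure_path'           => null,
        'failure_forward'        => false,
        'login_path'             => '/login',
        'failure_path_parameter' => '_failure_path',
    ];
    $options = array_merge($defaults, $options);

    // Configured target: failure_path if set, otherwise the login page.
    $target    = $options['failure_path'] ?? $options['login_path'];
    $requested = $request[$options['failure_path_parameter']] ?? '';

    if ($options['failure_forward']) {
        // Pre-fix: the request-supplied path won here as well. The forward is an
        // internal subrequest, and the firewall's access_control runs only on the
        // main request, so an unauthenticated client could have a protected
        // controller rendered simply by failing a login.
        if (!$patched && $requested !== '') {
            $target = $requested;
        }
        // Post-fix: the configured failure_path is the only possible target.
        return ['mode' => 'forward', 'target' => $target];
    }

    // Redirect mode: the request-supplied path is still honoured, but the
    // browser performs a new main request that access_control evaluates.
    if ($requested !== '') {
        $target = $requested;
    }
    return ['mode' => 'redirect', 'target' => $target];
}

// Constructed scenario: form login with failure_forward enabled and an
// administrative area that relies on access_control.
$options        = ['failure_path' => '/login', 'failure_forward' => true];
$hostileRequest = ['_username' => 'anyone', '_password' => 'wrong', '_failure_path' => '/admin'];

$before = resolveFailureTarget($options, $hostileRequest, patched: false);
$after  = resolveFailureTarget($options, $hostileRequest, patched: true);

// Vulnerable: the subrequest is dispatched to the attacker-chosen /admin.
assert($before === ['mode' => 'forward', 'target' => '/admin']);
// Fixed: the subrequest goes to the configured failure_path regardless.
assert($after === ['mode' => 'forward', 'target' => '/login']);

printf("before fix: %s -> %s\n", $before['mode'], $before['target']);
printf("after fix:  %s -> %s\n", $after['mode'], $after['target']);
```

The point the model makes is that the parameter itself was never the problem; letting it steer an internal subrequest was, because that path skips the only place access_control is applied.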
Who it affects
Applications using Symfony's security-http component with form-login configured with failure_forward: true. The default redirect behaviour is not affected. Exposure is greatest where access_control rules are the only thing protecting administrative or otherwise privileged routes, because the forwarded subrequest is not subject to them.
What to do today
Update symfony/security-http to a patched version (for the 5.4 branch, commit c48a4276309e11aedeeb0ce3a89dfbf0b4fe04ff) or backport the patch manually. Until the update is deployed, setting failure_forward to false makes the handler redirect instead of forwarding, which removes the affected code path at the cost of an extra browser round trip on failed logins.