
[Security] fixes a bug where authentication errors might have leaked confidential information

Johannes Schmitt 14 лет назад
Родитель
Сommit
9e6fc0a11e

+ 23 - 1
src/Symfony/Component/Security/Core/Exception/AuthenticationException.php

@@ -16,7 +16,7 @@ namespace Symfony\Component\Security\Core\Exception;
  *
  * @author Fabien Potencier <fabien.potencier@symfony-project.com>
  */
-class AuthenticationException extends \RuntimeException
+class AuthenticationException extends \RuntimeException implements \Serializable
 {
     protected $extraInformation;
 
@@ -36,4 +36,26 @@ class AuthenticationException extends \RuntimeException
     {
         $this->extraInformation = $extraInformation;
     }
+
+    public function serialize()
+    {
+        return serialize(array(
+            $this->extraInformation,
+            $this->code,
+            $this->message,
+            $this->file,
+            $this->line,
+        ));
+    }
+
+    public function unserialize($str)
+    {
+        list(
+            $this->extraInformation,
+            $this->code,
+            $this->message,
+            $this->file,
+            $this->line
+        ) = unserialize($str);
+    }
 }
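Review bot: `unserialize()` (line 46) assigns directly from `unserialize($str)` with no check, so a corrupted or tampered session payload, for which `unserialize` returns `false`, silently leaves all five properties null instead of failing; read into a local and guard it first, e.g. `$data = unserialize($str); if (!is_array($data) || 5 !== count($data)) { throw new \UnexpectedValueException('Invalid serialized AuthenticationException'); }`. The reason for hand-rolling serialization is visible only from the commit title, so `serialize()` (line 27) should state what it deliberately omits, e.g. `// Only these fields are serialized: the trace and previous exception are intentionally left out so that call arguments of the failed authentication never end up in the session.` Note that `$this->extraInformation` (line 30) is still serialized verbatim, so if callers put a token or another object carrying credentials there, that object's own serialization decides whether the leak is actually closed — worth a sentence in the property docblock or a check on what callers pass.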

+ 6 - 5
src/Symfony/Component/Security/Http/Authentication/AuthenticationFailureHandlerInterface.php

@@ -2,6 +2,7 @@
 
 namespace Symfony\Component\Security\Http\Authentication;
 
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\EventDispatcher\EventInterface;
 use Symfony\Component\HttpFoundation\Request;
 
@@ -21,12 +22,12 @@ interface AuthenticationFailureHandlerInterface
      * called by authentication listeners inheriting from
      * AbstractAuthenticationListener.
      *
-     * @param EventInterface $event the "core.security" event, this event always
-     *                              has the kernel as target
-     * @param Request        $request
-     * @param \Exception     $exception
+     * @param EventInterface          $event the "core.security" event, this event always
+     *                                       has the kernel as target
+     * @param Request                 $request
+     * @param AuthenticationException $exception
      *
      * @return Response the response to return
      */
-    function onAuthenticationFailure(EventInterface $event, Request $request, \Exception $exception);
+    function onAuthenticationFailure(EventInterface $event, Request $request, AuthenticationException $exception);
 }
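Review bot: Narrowing `$exception` from `\Exception` to `AuthenticationException` on line 77 changes the interface contract, so any existing implementation that still declares `\Exception $exception` will no longer be accepted by the engine (parameter types on interface methods had to match exactly before PHP 7.4); if that is intended, it deserves a line in the upgrade notes rather than only the docblock. The `@param` block on lines 69–72 now restates the native types for `$request` and `$exception` and carries information only for `$event`; either drop the redundant lines or say what the handler may rely on, e.g. `@param AuthenticationException $exception the failure, safe to store in the session (see AuthenticationException::serialize())`.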

+ 3 - 4
src/Symfony/Component/Security/Http/Firewall/AbstractAuthenticationListener.php

@@ -12,7 +12,6 @@
 namespace Symfony\Component\Security\Http\Firewall;
 
 use Symfony\Component\EventDispatcher\Event;
-
 use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
@@ -173,7 +172,7 @@ abstract class AbstractAuthenticationListener implements ListenerInterface
         return $this->options['check_path'] === $request->getPathInfo();
     }
 
-    protected function onFailure($event, Request $request, \Exception $failed)
+    protected function onFailure($event, Request $request, AuthenticationException $failed)
     {
         if (null !== $this->logger) {
             $this->logger->debug(sprintf('Authentication request failed: %s', $failed->getMessage()));
@@ -195,7 +194,7 @@ abstract class AbstractAuthenticationListener implements ListenerInterface
             }
 
             $subRequest = Request::create($this->options['failure_path']);
-            $subRequest->attributes->set(SecurityContextInterface::AUTHENTICATION_ERROR, $failed->getMessage());
+            $subRequest->attributes->set(SecurityContextInterface::AUTHENTICATION_ERROR, $failed);
 
             return $event->getSubject()->handle($subRequest, HttpKernelInterface::SUB_REQUEST);
         } else {
@@ -203,7 +202,7 @@ abstract class AbstractAuthenticationListener implements ListenerInterface
                 $this->logger->debug(sprintf('Redirecting to %s', $this->options['failure_path']));
             }
 
-            $request->getSession()->set(SecurityContextInterface::AUTHENTICATION_ERROR, $failed->getMessage());
+            $request->getSession()->set(SecurityContextInterface::AUTHENTICATION_ERROR, $failed);
 
             $response = new Response();
             $response->setRedirect(0 !== strpos($this->options['failure_path'], 'http') ? $request->getUriForPath($this->options['failure_path']) : $this->options['failure_path'], 302);
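Review bot: Lines 105 and 114 now store the exception object instead of its message, so anything downstream that reads `SecurityContextInterface::AUTHENTICATION_ERROR` expecting a string — a template echoing it, or code concatenating it — will go through `\Exception::__toString()`, which includes the full stack trace and thereby reintroduces the leak this commit closes; every consumer of that attribute/session key should call `$error->getMessage()` instead (the consumers are outside this diff, so this is inferred). The session path on line 114 also now depends on `AuthenticationException::serialize()`: a subclass that adds properties needs its own `serialize()`/`unserialize()` or those properties are lost across the redirect. A short comment at line 114 would make both dependencies explicit, e.g. `// Store the exception itself, not just the message; session storage relies on AuthenticationException::serialize() dropping the trace.` onFailure's body continues outside the hunk.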