[Security] The described Guard authenticator is vulnerable to modified form input types

[fsalmen-nx]

Hello,

the described Guard authenticator https://symfony.com/doc/current/security/form_login_setup.html fails for modified form input types. For example if i use curl to submit a form with an array instead of a string i get a HTTP 500 response. I would await an HTTP 400 here.

curl 'http://symfony.dev/login' \
  -H 'Cookie: PHPSESSID=...' \
  --data-raw 'username%5B0%5D=foo&password=bar&_csrf_token=...' \
  --compressed

<!-- Argument 1 passed to Symfony\Bridge\Doctrine\Security\User\EntityUserProvider::loadUserByUsername() must be of the type string, array given, called in src/Security/LoginFormAuthenticator.php

It looks like his problem will be fixed with the release of Symfony 6 with the new Symfony\Component\HttpFoundation\InputBag but until this it is still a possible problem.

If desired I could open a pull request with a type check.

[javiereguiluz]

Closing in favor of #15908, a meta-issue that groups all pending security-related issues so we can easily check them.