bug #32703 Ensure $request->hasSession() is always checked before calling getSession() (Arman-Hosseini)

nicolas-grekas · nicolas-grekas · commit 5824ab8cdd01 · 2019-07-30T16:34:19.000+02:00
This PR was merged into the 4.4 branch. Discussion ---------- Ensure $request->hasSession() is always checked before calling getSession() | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | no | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | - | License | MIT | Doc PR | - Commits ------- 7b2c326 Ensure $request->hasSession() is always checked before calling getSession()
diff --git a/src/Symfony/Bridge/Twig/AppVariable.php b/src/Symfony/Bridge/Twig/AppVariable.php
@@ -112,10 +112,9 @@ public function getSession()
         if (null === $this->requestStack) {
             throw new \RuntimeException('The "app.session" variable is not available.');
         }
+        $request = $this->getRequest();
 
-        if ($request = $this->getRequest()) {
-            return $request->getSession();
-        }
+        return $request && $request->hasSession() ? $request->getSession() : null;
     }
 
     /**
@@ -157,8 +156,7 @@ public function getDebug()
     public function getFlashes($types = null)
     {
         try {
-            $session = $this->getSession();
-            if (null === $session) {
+            if (null === $session = $this->getSession()) {
                 return [];
             }
         } catch (\RuntimeException $e) {
diff --git a/src/Symfony/Bridge/Twig/Tests/AppVariableTest.php b/src/Symfony/Bridge/Twig/Tests/AppVariableTest.php
@@ -51,6 +51,7 @@ public function testEnvironment()
     public function testGetSession()
     {
         $request = $this->getMockBuilder('Symfony\Component\HttpFoundation\Request')->getMock();
+        $request->method('hasSession')->willReturn(true);
         $request->method('getSession')->willReturn($session = new Session());
 
         $this->setRequestStack($request);
@@ -267,6 +268,7 @@ private function setFlashMessages($sessionHasStarted = true)
         $session->method('getFlashBag')->willReturn($flashBag);
 
         $request = $this->getMockBuilder('Symfony\Component\HttpFoundation\Request')->getMock();
+        $request->method('hasSession')->willReturn(true);
         $request->method('getSession')->willReturn($session);
         $this->setRequestStack($request);
 
diff --git a/src/Symfony/Bundle/FrameworkBundle/Templating/GlobalVariables.php b/src/Symfony/Bundle/FrameworkBundle/Templating/GlobalVariables.php
@@ -75,9 +75,9 @@ public function getRequest()
      */
     public function getSession()
     {
-        if ($request = $this->getRequest()) {
-            return $request->getSession();
-        }
+        $request = $this->getRequest();
+
+        return $request && $request->hasSession() ? $request->getSession() : null;
     }
 
     /**
diff --git a/src/Symfony/Bundle/WebProfilerBundle/Controller/ProfilerController.php b/src/Symfony/Bundle/WebProfilerBundle/Controller/ProfilerController.php
@@ -123,7 +123,7 @@ public function toolbarAction(Request $request, $token)
             throw new NotFoundHttpException('The profiler must be enabled.');
         }
 
-        if ($request->hasSession() && ($session = $request->getSession()) && $session->isStarted() && $session->getFlashBag() instanceof AutoExpireFlashBag) {
+        if ($request->hasSession() && ($session = $request->getSession())->isStarted() && $session->getFlashBag() instanceof AutoExpireFlashBag) {
             // keep current flashes for one more request if using AutoExpireFlashBag
             $session->getFlashBag()->setAll($session->getFlashBag()->peekAll());
         }
diff --git a/src/Symfony/Bundle/WebProfilerBundle/EventListener/WebDebugToolbarListener.php b/src/Symfony/Bundle/WebProfilerBundle/EventListener/WebDebugToolbarListener.php
@@ -88,8 +88,7 @@ public function onKernelResponse(FilterResponseEvent $event)
         }
 
         if ($response->headers->has('X-Debug-Token') && $response->isRedirect() && $this->interceptRedirects && 'html' === $request->getRequestFormat()) {
-            $session = $request->getSession();
-            if (null !== $session && $session->isStarted() && $session->getFlashBag() instanceof AutoExpireFlashBag) {
+            if ($request->hasSession() && ($session = $request->getSession())->isStarted() && $session->getFlashBag() instanceof AutoExpireFlashBag) {
                 // keep current flashes for one more request if using AutoExpireFlashBag
                 $session->getFlashBag()->setAll($session->getFlashBag()->peekAll());
             }
diff --git a/src/Symfony/Component/HttpKernel/EventListener/AbstractTestSessionListener.php b/src/Symfony/Component/HttpKernel/EventListener/AbstractTestSessionListener.php
@@ -46,8 +46,7 @@ public function onKernelRequest(GetResponseEvent $event)
         }
 
         // bootstrap the session
-        $session = $this->getSession();
-        if (!$session) {
+        if (!$session = $this->getSession()) {
             return;
         }
 
diff --git a/src/Symfony/Component/HttpKernel/EventListener/SaveSessionListener.php b/src/Symfony/Component/HttpKernel/EventListener/SaveSessionListener.php
@@ -30,8 +30,8 @@ public function onKernelResponse(FilterResponseEvent $event)
             return;
         }
 
-        $session = $event->getRequest()->getSession();
-        if ($session && $session->isStarted()) {
+        $request = $event->getRequest();
+        if ($request->hasSession() && ($session = $request->getSession())->isStarted()) {
             $session->save();
         }
     }
diff --git a/src/Symfony/Component/Security/Http/Authentication/AuthenticationUtils.php b/src/Symfony/Component/Security/Http/Authentication/AuthenticationUtils.php
@@ -38,12 +38,11 @@ public function __construct(RequestStack $requestStack)
     public function getLastAuthenticationError($clearSession = true)
     {
         $request = $this->getRequest();
-        $session = $request->getSession();
         $authenticationException = null;
 
         if ($request->attributes->has(Security::AUTHENTICATION_ERROR)) {
             $authenticationException = $request->attributes->get(Security::AUTHENTICATION_ERROR);
-        } elseif (null !== $session && $session->has(Security::AUTHENTICATION_ERROR)) {
+        } elseif ($request->hasSession() && ($session = $request->getSession())->has(Security::AUTHENTICATION_ERROR)) {
             $authenticationException = $session->get(Security::AUTHENTICATION_ERROR);
 
             if ($clearSession) {
@@ -65,9 +64,7 @@ public function getLastUsername()
             return $request->attributes->get(Security::LAST_USERNAME, '');
         }
 
-        $session = $request->getSession();
-
-        return null === $session ? '' : $session->get(Security::LAST_USERNAME, '');
+        return $request->hasSession() ? $request->getSession()->get(Security::LAST_USERNAME, '') : '';
     }
 
     /**
diff --git a/src/Symfony/Component/Security/Http/Firewall/ContextListener.php b/src/Symfony/Component/Security/Http/Firewall/ContextListener.php
@@ -90,7 +90,7 @@ public function __invoke(RequestEvent $event)
         }
 
         $request = $event->getRequest();
-        $session = $request->hasPreviousSession() ? $request->getSession() : null;
+        $session = $request->hasPreviousSession() && $request->hasSession() ? $request->getSession() : null;
 
         if (null === $session || null === $token = $session->get($this->sessionKey)) {
             $this->tokenStorage->setToken(null);
@@ -137,14 +137,14 @@ public function onKernelResponse(FilterResponseEvent $event)
 
         $this->dispatcher->removeListener(KernelEvents::RESPONSE, [$this, 'onKernelResponse']);
         $this->registered = false;
-        $session = $request->getSession();
+        $token = $this->tokenStorage->getToken();
 
-        if ((null === $token = $this->tokenStorage->getToken()) || $this->trustResolver->isAnonymous($token)) {
-            if ($request->hasPreviousSession()) {
-                $session->remove($this->sessionKey);
+        if (null === $token || $this->trustResolver->isAnonymous($token)) {
+            if ($request->hasPreviousSession() && $request->hasSession()) {
+                $request->getSession()->remove($this->sessionKey);
             }
         } else {
-            $session->set($this->sessionKey, serialize($token));
+            $request->getSession()->set($this->sessionKey, serialize($token));
 
             if (null !== $this->logger) {
                 $this->logger->debug('Stored the security token in the session.', ['key' => $this->sessionKey]);

Original file line number	Diff line number	Diff line change
`@@ -112,10 +112,9 @@ public function getSession()`
`112`	`112`	`if (null === $this->requestStack) {`
`113`	`113`	`throw new \RuntimeException('The "app.session" variable is not available.');`
`114`	`114`	`}`
	`115`	`+ $request = $this->getRequest();`
`115`	`116`
`116`		`- if ($request = $this->getRequest()) {`
`117`		`- return $request->getSession();`
`118`		`- }`
	`117`	`+ return $request && $request->hasSession() ? $request->getSession() : null;`
`119`	`118`	`}`
`120`	`119`
`121`	`120`	`/**`
`@@ -157,8 +156,7 @@ public function getDebug()`
`157`	`156`	`public function getFlashes($types = null)`
`158`	`157`	`{`
`159`	`158`	`try {`
`160`		`- $session = $this->getSession();`
`161`		`- if (null === $session) {`
	`159`	`+ if (null === $session = $this->getSession()) {`
`162`	`160`	`return [];`
`163`	`161`	`}`
`164`	`162`	`} catch (\RuntimeException $e) {`
Original file line number	Diff line number	Diff line change
`@@ -75,9 +75,9 @@ public function getRequest()`
`75`	`75`	`*/`
`76`	`76`	`public function getSession()`
`77`	`77`	`{`
`78`		`- if ($request = $this->getRequest()) {`
`79`		`- return $request->getSession();`
`80`		`- }`
	`78`	`+ $request = $this->getRequest();`
	`79`	`+`
	`80`	`+ return $request && $request->hasSession() ? $request->getSession() : null;`
`81`	`81`	`}`
`82`	`82`
`83`	`83`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -123,7 +123,7 @@ public function toolbarAction(Request $request, $token)`
`123`	`123`	`throw new NotFoundHttpException('The profiler must be enabled.');`
`124`	`124`	`}`
`125`	`125`
`126`		`- if ($request->hasSession() && ($session = $request->getSession()) && $session->isStarted() && $session->getFlashBag() instanceof AutoExpireFlashBag) {`
	`126`	`+ if ($request->hasSession() && ($session = $request->getSession())->isStarted() && $session->getFlashBag() instanceof AutoExpireFlashBag) {`
`127`	`127`	`// keep current flashes for one more request if using AutoExpireFlashBag`
`128`	`128`	`$session->getFlashBag()->setAll($session->getFlashBag()->peekAll());`
`129`	`129`	`}`
Original file line number	Diff line number	Diff line change
`@@ -88,8 +88,7 @@ public function onKernelResponse(FilterResponseEvent $event)`
`88`	`88`	`}`
`89`	`89`
`90`	`90`	`if ($response->headers->has('X-Debug-Token') && $response->isRedirect() && $this->interceptRedirects && 'html' === $request->getRequestFormat()) {`
`91`		`- $session = $request->getSession();`
`92`		`- if (null !== $session && $session->isStarted() && $session->getFlashBag() instanceof AutoExpireFlashBag) {`
	`91`	`+ if ($request->hasSession() && ($session = $request->getSession())->isStarted() && $session->getFlashBag() instanceof AutoExpireFlashBag) {`
`93`	`92`	`// keep current flashes for one more request if using AutoExpireFlashBag`
`94`	`93`	`$session->getFlashBag()->setAll($session->getFlashBag()->peekAll());`
`95`	`94`	`}`
Original file line number	Diff line number	Diff line change
`@@ -46,8 +46,7 @@ public function onKernelRequest(GetResponseEvent $event)`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`// bootstrap the session`
`49`		`- $session = $this->getSession();`
`50`		`- if (!$session) {`
	`49`	`+ if (!$session = $this->getSession()) {`
`51`	`50`	`return;`
`52`	`51`	`}`
`53`	`52`
Original file line number	Diff line number	Diff line change
`@@ -30,8 +30,8 @@ public function onKernelResponse(FilterResponseEvent $event)`
`30`	`30`	`return;`
`31`	`31`	`}`
`32`	`32`
`33`		`- $session = $event->getRequest()->getSession();`
`34`		`- if ($session && $session->isStarted()) {`
	`33`	`+ $request = $event->getRequest();`
	`34`	`+ if ($request->hasSession() && ($session = $request->getSession())->isStarted()) {`
`35`	`35`	`$session->save();`
`36`	`36`	`}`
`37`	`37`	`}`