Merge branch '2.3' into 2.7

fabpot · fabpot · commit d657834bd0b4 · 2015-10-05T17:17:54.000+02:00
* 2.3:
  [Security][bugfix] "Remember me" cookie cleared on logout with custom "secure"/"httponly" config options [1]
  [ci] Use current PHP_BINARY when running ./phpunit
  Fixed typos
  [UPGRADE-3.0] fix bullet indentation
  [Security] InMemoryUserProvider now concerns whether user's password is changed when refreshing
diff --git a/UPGRADE-3.0.md b/UPGRADE-3.0.md
@@ -299,17 +299,18 @@ UPGRADE FROM 2.x to 3.0
    ```php
    echo $form->getErrors(true, false);
    ```
-   * The `Symfony\Component\Form\Extension\Core\ChoiceList\ChoiceList` class has been removed in
-     favor of `Symfony\Component\Form\ChoiceList\ArrayChoiceList`.
 
-   * The `Symfony\Component\Form\Extension\Core\ChoiceList\LazyChoiceList` class has been removed in
-     favor of `Symfony\Component\Form\ChoiceList\LazyChoiceList`.
+ * The `Symfony\Component\Form\Extension\Core\ChoiceList\ChoiceList` class has been removed in
+   favor of `Symfony\Component\Form\ChoiceList\ArrayChoiceList`.
 
-   * The `Symfony\Component\Form\Extension\Core\ChoiceList\ObjectChoiceList` class has been removed in
-     favor of `Symfony\Component\Form\ChoiceList\ArrayChoiceList`.
+ * The `Symfony\Component\Form\Extension\Core\ChoiceList\LazyChoiceList` class has been removed in
+   favor of `Symfony\Component\Form\ChoiceList\LazyChoiceList`.
 
-   * The `Symfony\Component\Form\Extension\Core\ChoiceList\SimpleChoiceList` class has been removed in
-     favor of `Symfony\Component\Form\ChoiceList\ArrayChoiceList`.
+ * The `Symfony\Component\Form\Extension\Core\ChoiceList\ObjectChoiceList` class has been removed in
+   favor of `Symfony\Component\Form\ChoiceList\ArrayChoiceList`.
+
+ * The `Symfony\Component\Form\Extension\Core\ChoiceList\SimpleChoiceList` class has been removed in
+   favor of `Symfony\Component\Form\ChoiceList\ArrayChoiceList`.
 
 ### FrameworkBundle
 
diff --git a/phpunit b/phpunit
@@ -6,12 +6,26 @@ use Symfony\Component\Process\ProcessUtils;
 error_reporting(-1);
 require __DIR__.'/src/Symfony/Component/Process/ProcessUtils.php';
 
-$PHPUNIT_VERSION = '4.8';
+// PHPUnit 4.8 does not support PHP 7, while 5.0 requires PHP 5.6+
+$PHPUNIT_VERSION = PHP_VERSION_ID >= 70000 ? '5.0' : '4.8';
 $PHPUNIT_DIR = __DIR__.'/.phpunit';
+$PHP = defined('PHP_BINARY') ? PHP_BINARY : 'php';
+
+if (!file_exists($COMPOSER = __DIR__.'/composer.phar')) {
+    $COMPOSER = rtrim('\\' === DIRECTORY_SEPARATOR ? `where.exe composer.phar` : (`which composer.phar` ?: `which composer`));
+    if (!file_exists($COMPOSER)) {
+        stream_copy_to_stream(
+            fopen('https://getcomposer.org/composer.phar', 'rb'),
+            fopen($COMPOSER = __DIR__.'/composer.phar', 'wb')
+        );
+    }
+}
 
-// PHPUnit 4.8 does not support PHP 7, while 5.0 requires PHP 5.6+
-if (PHP_VERSION_ID >= 70000) {
-    $PHPUNIT_VERSION = '5.0';
+$PHP = ProcessUtils::escapeArgument($PHP);
+$COMPOSER = $PHP.' '.ProcessUtils::escapeArgument($COMPOSER);
+
+if (!(isset($argv[1]) && 'install' === $argv[1]) && !file_exists(__DIR__.'/vendor')) {
+    passthru("$COMPOSER update --no-progress --ansi");
 }
 
 if (!file_exists("$PHPUNIT_DIR/phpunit-$PHPUNIT_VERSION/phpunit")) {
@@ -30,8 +44,8 @@ if (!file_exists("$PHPUNIT_DIR/phpunit-$PHPUNIT_VERSION/phpunit")) {
     $zip->extractTo(getcwd());
     $zip->close();
     chdir("phpunit-$PHPUNIT_VERSION");
-    passthru("composer remove --no-update symfony/yaml");
-    passthru("composer install --prefer-source --no-progress --ansi");
+    passthru("$COMPOSER remove --no-update symfony/yaml");
+    passthru("$COMPOSER install --prefer-source --no-progress --ansi");
     chdir($oldPwd);
 }
 
@@ -42,7 +56,7 @@ if (isset($argv[1]) && 'symfony' === $argv[1]) {
     array_shift($cmd);
 }
 
-$cmd[0] = "php $PHPUNIT_DIR/phpunit-$PHPUNIT_VERSION/phpunit --colors=always";
+$cmd[0] = sprintf('%s %s --colors=always', $PHP, ProcessUtils::escapeArgument("$PHPUNIT_DIR/phpunit-$PHPUNIT_VERSION/phpunit"));
 $cmd = str_replace('%', '%%', implode(' ', $cmd)).' %1$s';
 
 $phpIniMatrix = isset($_SERVER['PHP_INI_MATRIX']) ? explode(' ', $_SERVER['PHP_INI_MATRIX']) : array();
@@ -52,7 +66,7 @@ if ($phpIniMatrix) {
         exit(1);
     }
 
-    $phpDir = dirname(`where.exe php`);
+    $phpDir = ProcessUtils::escapeArgument(dirname(`where.exe php`));
 
     $newCmd = 'cmd /v:on /d /c "(SET X=0';
     foreach ($phpIniMatrix as $iniFile) {
diff --git a/src/Symfony/Bridge/Doctrine/HttpFoundation/DbalSessionHandler.php b/src/Symfony/Bridge/Doctrine/HttpFoundation/DbalSessionHandler.php
@@ -160,9 +160,9 @@ public function write($sessionId, $data)
                 $mergeStmt->bindParam(':data', $encoded, \PDO::PARAM_STR);
                 $mergeStmt->bindValue(':time', time(), \PDO::PARAM_INT);
 
-                //Oracle has a bug that will intermitently happen if you
-                //have only 1 bind on a CLOB field for 2 different statements
-                //(INSERT and UPDATE in this case)
+                // Oracle has a bug that will intermittently happen if you
+                // have only 1 bind on a CLOB field for 2 different statements
+                // (INSERT and UPDATE in this case)
                 if ('oracle' == $this->con->getDatabasePlatform()->getName()) {
                     $mergeStmt->bindParam(':data2', $encoded, \PDO::PARAM_STR);
                 }
diff --git a/src/Symfony/Bundle/FrameworkBundle/Translation/PhpExtractor.php b/src/Symfony/Bundle/FrameworkBundle/Translation/PhpExtractor.php
@@ -90,7 +90,7 @@ protected function normalizeToken($token)
     /**
      * Seeks to a non-whitespace token.
      */
-    private function seekToNextReleventToken(\Iterator $tokenIterator)
+    private function seekToNextRelevantToken(\Iterator $tokenIterator)
     {
         for (; $tokenIterator->valid(); $tokenIterator->next()) {
             $t = $tokenIterator->current();
@@ -153,7 +153,7 @@ protected function parseTokens($tokens, MessageCatalogue $catalog)
                 $tokenIterator->seek($key);
 
                 foreach ($sequence as $item) {
-                    $this->seekToNextReleventToken($tokenIterator);
+                    $this->seekToNextRelevantToken($tokenIterator);
 
                     if ($this->normalizeToken($tokenIterator->current()) == $item) {
                         $tokenIterator->next();
diff --git a/src/Symfony/Component/Security/Core/Tests/User/InMemoryUserProviderTest.php b/src/Symfony/Component/Security/Core/Tests/User/InMemoryUserProviderTest.php
@@ -18,18 +18,39 @@ class InMemoryUserProviderTest extends \PHPUnit_Framework_TestCase
 {
     public function testConstructor()
     {
-        $provider = new InMemoryUserProvider(array(
+        $provider = $this->createProvider();
+
+        $user = $provider->loadUserByUsername('fabien');
+        $this->assertEquals('foo', $user->getPassword());
+        $this->assertEquals(array('ROLE_USER'), $user->getRoles());
+        $this->assertFalse($user->isEnabled());
+    }
+
+    public function testRefresh()
+    {
+        $user = new User('fabien', 'bar');
+
+        $provider = $this->createProvider();
+
+        $refreshedUser = $provider->refreshUser($user);
+        $this->assertEquals('foo', $refreshedUser->getPassword());
+        $this->assertEquals(array('ROLE_USER'), $refreshedUser->getRoles());
+        $this->assertFalse($refreshedUser->isEnabled());
+        $this->assertFalse($refreshedUser->isCredentialsNonExpired());
+    }
+
+    /**
+     * @return InMemoryUserProvider
+     */
+    protected function createProvider()
+    {
+        return new InMemoryUserProvider(array(
             'fabien' => array(
                 'password' => 'foo',
                 'enabled' => false,
                 'roles' => array('ROLE_USER'),
             ),
         ));
-
-        $user = $provider->loadUserByUsername('fabien');
-        $this->assertEquals('foo', $user->getPassword());
-        $this->assertEquals(array('ROLE_USER'), $user->getRoles());
-        $this->assertFalse($user->isEnabled());
     }
 
     public function testCreateUser()
diff --git a/src/Symfony/Component/Security/Core/User/InMemoryUserProvider.php b/src/Symfony/Component/Security/Core/User/InMemoryUserProvider.php
@@ -67,17 +67,9 @@ public function createUser(UserInterface $user)
      */
     public function loadUserByUsername($username)
     {
-        if (!isset($this->users[strtolower($username)])) {
-            $ex = new UsernameNotFoundException(sprintf('Username "%s" does not exist.', $username));
-            $ex->setUsername($username);
-
-            throw $ex;
-        }
+        $user = $this->getUser($username);
 
-        $user = $this->users[strtolower($username)];
-
-        return new User($user->getUsername(), $user->getPassword(), $user->getRoles(), $user->isEnabled(), $user->isAccountNonExpired(),
-                $user->isCredentialsNonExpired(), $user->isAccountNonLocked());
+        return new User($user->getUsername(), $user->getPassword(), $user->getRoles(), $user->isEnabled(), $user->isAccountNonExpired(), $user->isCredentialsNonExpired(), $user->isAccountNonLocked());
     }
 
     /**
@@ -89,7 +81,9 @@ public function refreshUser(UserInterface $user)
             throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
         }
 
-        return $this->loadUserByUsername($user->getUsername());
+        $storedUser = $this->getUser($user->getUsername());
+
+        return new User($storedUser->getUsername(), $storedUser->getPassword(), $storedUser->getRoles(), $storedUser->isEnabled(), $storedUser->isAccountNonExpired(), $storedUser->isCredentialsNonExpired() && $storedUser->getPassword() === $user->getPassword(), $storedUser->isAccountNonLocked());
     }
 
     /**
@@ -99,4 +93,25 @@ public function supportsClass($class)
     {
         return $class === 'Symfony\Component\Security\Core\User\User';
     }
+
+    /**
+     * Returns the user by given username.
+     *
+     * @param  string $username The username.
+     *
+     * @return User
+     *
+     * @throws UsernameNotFoundException If user whose given username does not exist.
+     */
+    private function getUser($username)
+    {
+        if (!isset($this->users[strtolower($username)])) {
+            $ex = new UsernameNotFoundException(sprintf('Username "%s" does not exist.', $username));
+            $ex->setUsername($username);
+
+            throw $ex;
+        }
+
+        return $this->users[strtolower($username)];
+    }
 }
diff --git a/src/Symfony/Component/Security/Http/RememberMe/AbstractRememberMeServices.php b/src/Symfony/Component/Security/Http/RememberMe/AbstractRememberMeServices.php
@@ -293,7 +293,7 @@ protected function cancelCookie(Request $request)
             $this->logger->debug('Clearing remember-me cookie.', array('name' => $this->options['name']));
         }
 
-        $request->attributes->set(self::COOKIE_ATTR_NAME, new Cookie($this->options['name'], null, 1, $this->options['path'], $this->options['domain']));
+        $request->attributes->set(self::COOKIE_ATTR_NAME, new Cookie($this->options['name'], null, 1, $this->options['path'], $this->options['domain'], $this->options['secure'], $this->options['httponly']));
     }
 
     /**
diff --git a/src/Symfony/Component/Security/Http/Tests/RememberMe/AbstractRememberMeServicesTest.php b/src/Symfony/Component/Security/Http/Tests/RememberMe/AbstractRememberMeServicesTest.php
@@ -82,16 +82,35 @@ public function testAutoLogin()
         $this->assertSame('fookey', $returnedToken->getProviderKey());
     }
 
-    public function testLogout()
+    /**
+     * @dataProvider provideOptionsForLogout
+     */
+    public function testLogout(array $options)
     {
-        $service = $this->getService(null, array('name' => 'foo', 'path' => null, 'domain' => null));
+        $service = $this->getService(null, $options);
         $request = new Request();
         $response = new Response();
         $token = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface');
 
         $service->logout($request, $response, $token);
 
-        $this->assertTrue($request->attributes->get(RememberMeServicesInterface::COOKIE_ATTR_NAME)->isCleared());
+        $cookie = $request->attributes->get(RememberMeServicesInterface::COOKIE_ATTR_NAME);
+
+        $this->assertInstanceOf('Symfony\Component\HttpFoundation\Cookie', $cookie);
+        $this->assertTrue($cookie->isCleared());
+        $this->assertSame($options['name'], $cookie->getName());
+        $this->assertSame($options['path'], $cookie->getPath());
+        $this->assertSame($options['domain'], $cookie->getDomain());
+        $this->assertSame($options['secure'], $cookie->isSecure());
+        $this->assertSame($options['httponly'], $cookie->isHttpOnly());
+    }
+
+    public function provideOptionsForLogout()
+    {
+        return array(
+            array(array('name' => 'foo', 'path' => '/', 'domain' => null, 'secure' => false, 'httponly' => true)),
+            array(array('name' => 'foo', 'path' => '/bar', 'domain' => 'baz.com', 'secure' => true, 'httponly' => false)),
+        );
     }
 
     public function testLoginFail()
@@ -267,6 +286,13 @@ protected function getService($userProvider = null, $options = array(), $logger
             $userProvider = $this->getProvider();
         }
 
+        if (!isset($options['secure'])) {
+            $options['secure'] = false;
+        }
+        if (!isset($options['httponly'])) {
+            $options['httponly'] = true;
+        }
+
         return $this->getMockForAbstractClass('Symfony\Component\Security\Http\RememberMe\AbstractRememberMeServices', array(
             array($userProvider), 'fookey', 'fookey', $options, $logger,
         ));
diff --git a/src/Symfony/Component/Security/Http/Tests/RememberMe/PersistentTokenBasedRememberMeServicesTest.php b/src/Symfony/Component/Security/Http/Tests/RememberMe/PersistentTokenBasedRememberMeServicesTest.php
@@ -180,7 +180,7 @@ public function testAutoLogin()
 
     public function testLogout()
     {
-        $service = $this->getService(null, array('name' => 'foo', 'path' => '/foo', 'domain' => 'foodomain.foo'));
+        $service = $this->getService(null, array('name' => 'foo', 'path' => '/foo', 'domain' => 'foodomain.foo', 'secure' => true, 'httponly' => false));
         $request = new Request();
         $request->cookies->set('foo', $this->encodeCookie(array('fooseries', 'foovalue')));
         $response = new Response();
@@ -201,6 +201,8 @@ public function testLogout()
         $this->assertTrue($cookie->isCleared());
         $this->assertEquals('/foo', $cookie->getPath());
         $this->assertEquals('foodomain.foo', $cookie->getDomain());
+        $this->assertTrue($cookie->isSecure());
+        $this->assertFalse($cookie->isHttpOnly());
     }
 
     public function testLogoutSimplyIgnoresNonSetRequestCookie()
@@ -311,6 +313,13 @@ protected function getService($userProvider = null, $options = array(), $logger
             $userProvider = $this->getProvider();
         }
 
+        if (!isset($options['secure'])) {
+            $options['secure'] = false;
+        }
+        if (!isset($options['httponly'])) {
+            $options['httponly'] = true;
+        }
+
         return new PersistentTokenBasedRememberMeServices(array($userProvider), 'fookey', 'fookey', $options, $logger, new SecureRandom(sys_get_temp_dir().'/_sf2.seed'));
     }
 
diff --git a/src/Symfony/Component/Security/Http/Tests/RememberMe/TokenBasedRememberMeServicesTest.php b/src/Symfony/Component/Security/Http/Tests/RememberMe/TokenBasedRememberMeServicesTest.php
@@ -153,7 +153,7 @@ public function provideUsernamesForAutoLogin()
 
     public function testLogout()
     {
-        $service = $this->getService(null, array('name' => 'foo', 'path' => null, 'domain' => null));
+        $service = $this->getService(null, array('name' => 'foo', 'path' => null, 'domain' => null, 'secure' => true, 'httponly' => false));
         $request = new Request();
         $response = new Response();
         $token = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface');
@@ -164,6 +164,8 @@ public function testLogout()
         $this->assertTrue($cookie->isCleared());
         $this->assertEquals('/', $cookie->getPath());
         $this->assertNull($cookie->getDomain());
+        $this->assertTrue($cookie->isSecure());
+        $this->assertFalse($cookie->isHttpOnly());
     }
 
     public function testLoginFail()
@@ -264,6 +266,13 @@ protected function getService($userProvider = null, $options = array(), $logger
             $userProvider = $this->getProvider();
         }
 
+        if (!isset($options['secure'])) {
+            $options['secure'] = false;
+        }
+        if (!isset($options['httponly'])) {
+            $options['httponly'] = true;
+        }
+
         $service = new TokenBasedRememberMeServices(array($userProvider), 'fookey', 'fookey', $options, $logger);
 
         return $service;

Original file line number	Diff line number	Diff line change
`@@ -293,7 +293,7 @@ protected function cancelCookie(Request $request)`
`293`	`293`	`$this->logger->debug('Clearing remember-me cookie.', array('name' => $this->options['name']));`
`294`	`294`	`}`
`295`	`295`
`296`		`- $request->attributes->set(self::COOKIE_ATTR_NAME, new Cookie($this->options['name'], null, 1, $this->options['path'], $this->options['domain']));`
	`296`	`+ $request->attributes->set(self::COOKIE_ATTR_NAME, new Cookie($this->options['name'], null, 1, $this->options['path'], $this->options['domain'], $this->options['secure'], $this->options['httponly']));`
`297`	`297`	`}`
`298`	`298`
`299`	`299`	`/**`