security #cve-2018-11408 [SecurityBundle] Fail if security.http_utils cannot be configured

fabpot · fabpot · commit e1f817ffe25c · 2018-05-24T15:24:06.000+02:00
* cve-2018-11408-3.3: [SecurityBundle] Fail if security.http_utils cannot be configured
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddSessionDomainConstraintPass.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddSessionDomainConstraintPass.php
@@ -26,14 +26,15 @@ class AddSessionDomainConstraintPass implements CompilerPassInterface
      */
     public function process(ContainerBuilder $container)
     {
-        if (!$container->hasParameter('session.storage.options') || !$container->has('security.http_utils')) {
+        if (!$container->hasParameter('session.storage.options')) {
             return;
         }
 
         $sessionOptions = $container->getParameter('session.storage.options');
         $domainRegexp = empty($sessionOptions['cookie_domain']) ? '%s' : sprintf('(?:%%s|(?:.+\.)?%s)', preg_quote(trim($sessionOptions['cookie_domain'], '.')));
         $domainRegexp = (empty($sessionOptions['cookie_secure']) ? 'https?://' : 'https://').$domainRegexp;
 
+        // if the service doesn't exist, an exception must be thrown - ignoring would put security at risk
         $container->findDefinition('security.http_utils')->addArgument(sprintf('{^%s$}i', $domainRegexp));
     }
 }
diff --git a/src/Symfony/Bundle/SecurityBundle/SecurityBundle.php b/src/Symfony/Bundle/SecurityBundle/SecurityBundle.php
@@ -60,7 +60,7 @@ public function build(ContainerBuilder $container)
         $extension->addUserProviderFactory(new InMemoryFactory());
         $extension->addUserProviderFactory(new LdapFactory());
         $container->addCompilerPass(new AddSecurityVotersPass());
-        $container->addCompilerPass(new AddSessionDomainConstraintPass(), PassConfig::TYPE_AFTER_REMOVING);
+        $container->addCompilerPass(new AddSessionDomainConstraintPass(), PassConfig::TYPE_BEFORE_REMOVING);
         $container->addCompilerPass(new RegisterCsrfTokenClearingLogoutHandlerPass());
     }
 }
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/AddSessionDomainConstraintPassTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/AddSessionDomainConstraintPassTest.php
@@ -96,6 +96,19 @@ public function testNoSession()
         $this->assertTrue($utils->createRedirectResponse($request, 'http://pirate.com/foo')->isRedirect('http://pirate.com/foo'));
     }
 
+    /**
+     * @expectedException \Symfony\Component\DependencyInjection\Exception\ServiceNotFoundException
+     * @expectedExceptionMessage You have requested a non-existent service "security.http_utils".
+     */
+    public function testNoHttpUtils()
+    {
+        $container = new ContainerBuilder();
+        $container->setParameter('session.storage.options', array());
+
+        $pass = new AddSessionDomainConstraintPass();
+        $pass->process($container);
+    }
+
     private function createContainer($sessionStorageOptions)
     {
         $container = new ContainerBuilder();

Original file line number	Diff line number	Diff line change
`@@ -26,14 +26,15 @@ class AddSessionDomainConstraintPass implements CompilerPassInterface`
`26`	`26`	`*/`
`27`	`27`	`public function process(ContainerBuilder $container)`
`28`	`28`	`{`
`29`		`- if (!$container->hasParameter('session.storage.options') \|\| !$container->has('security.http_utils')) {`
	`29`	`+ if (!$container->hasParameter('session.storage.options')) {`
`30`	`30`	`return;`
`31`	`31`	`}`
`32`	`32`
`33`	`33`	`$sessionOptions = $container->getParameter('session.storage.options');`
`34`	`34`	`$domainRegexp = empty($sessionOptions['cookie_domain']) ? '%s' : sprintf('(?:%%s\|(?:.+\.)?%s)', preg_quote(trim($sessionOptions['cookie_domain'], '.')));`
`35`	`35`	`$domainRegexp = (empty($sessionOptions['cookie_secure']) ? 'https?://' : 'https://').$domainRegexp;`
`36`	`36`
	`37`	`+ // if the service doesn't exist, an exception must be thrown - ignoring would put security at risk`
`37`	`38`	`$container->findDefinition('security.http_utils')->addArgument(sprintf('{^%s$}i', $domainRegexp));`
`38`	`39`	`}`
`39`	`40`	`}`
Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ public function build(ContainerBuilder $container)`
`60`	`60`	`$extension->addUserProviderFactory(new InMemoryFactory());`
`61`	`61`	`$extension->addUserProviderFactory(new LdapFactory());`
`62`	`62`	`$container->addCompilerPass(new AddSecurityVotersPass());`
`63`		`- $container->addCompilerPass(new AddSessionDomainConstraintPass(), PassConfig::TYPE_AFTER_REMOVING);`
	`63`	`+ $container->addCompilerPass(new AddSessionDomainConstraintPass(), PassConfig::TYPE_BEFORE_REMOVING);`
`64`	`64`	`$container->addCompilerPass(new RegisterCsrfTokenClearingLogoutHandlerPass());`
`65`	`65`	`}`
`66`	`66`	`}`