bug #35239 [Security\Http] Prevent canceled remember-me cookie from being accepted (chalasr)

nicolas-grekas · nicolas-grekas · commit fd19bd781673 · 2020-01-08T18:02:00.000+01:00
This PR was merged into the 3.4 branch. Discussion ---------- [Security\Http] Prevent canceled remember-me cookie from being accepted | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #35198 | License | MIT | Doc PR | - `RememberMeServices::autoLogin()` only checks that the cookie exists in `$request->cookies` while `loginFail()` only alter `$request->attributes` (which allows child implementations to read the canceled cookie for e.g. removing a persistent one). This makes `autoLogin()` checks for `request->attributes` first, which fixes the linked issue. Failure expected on deps=high build. Commits ------- 9b711b8 [Security] Prevent canceled remember-me cookie from being accepted
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/ClearRememberMeTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/ClearRememberMeTest.php
@@ -33,7 +33,7 @@ public function testUserChangeClearsCookie()
         $this->assertNotNull($cookieJar->get('REMEMBERME'));
 
         $client->request('GET', '/foo');
-        $this->assertSame(200, $client->getResponse()->getStatusCode());
+        $this->assertRedirect($client->getResponse(), '/login');
         $this->assertNull($cookieJar->get('REMEMBERME'));
     }
 }
diff --git a/src/Symfony/Bundle/SecurityBundle/composer.json b/src/Symfony/Bundle/SecurityBundle/composer.json
@@ -19,7 +19,7 @@
         "php": "^5.5.9|>=7.0.8",
         "ext-xml": "*",
         "symfony/config": "~3.4|~4.0",
-        "symfony/security": "~3.4.36|~4.3.9|^4.4.1",
+        "symfony/security": "~3.4.37|~4.3.10|^4.4.3",
         "symfony/dependency-injection": "^3.4.3|^4.0.3",
         "symfony/http-kernel": "~3.4|~4.0",
         "symfony/polyfill-php70": "~1.0"
diff --git a/src/Symfony/Component/Security/Http/RememberMe/AbstractRememberMeServices.php b/src/Symfony/Component/Security/Http/RememberMe/AbstractRememberMeServices.php
@@ -99,6 +99,10 @@ public function getSecret()
      */
     final public function autoLogin(Request $request)
     {
+        if (($cookie = $request->attributes->get(self::COOKIE_ATTR_NAME)) && null === $cookie->getValue()) {
+            return null;
+        }
+
         if (null === $cookie = $request->cookies->get($this->options['name'])) {
             return null;
         }
diff --git a/src/Symfony/Component/Security/Http/Tests/RememberMe/AbstractRememberMeServicesTest.php b/src/Symfony/Component/Security/Http/Tests/RememberMe/AbstractRememberMeServicesTest.php
@@ -39,6 +39,17 @@ public function testAutoLoginReturnsNullWhenNoCookie()
         $this->assertNull($service->autoLogin(new Request()));
     }
 
+    public function testAutoLoginReturnsNullAfterLoginFail()
+    {
+        $service = $this->getService(null, ['name' => 'foo', 'path' => null, 'domain' => null]);
+
+        $request = new Request();
+        $request->cookies->set('foo', 'foo');
+
+        $service->loginFail($request);
+        $this->assertNull($service->autoLogin($request));
+    }
+
     /**
      * @group legacy
      */

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ public function testUserChangeClearsCookie()`
`33`	`33`	`$this->assertNotNull($cookieJar->get('REMEMBERME'));`
`34`	`34`
`35`	`35`	`$client->request('GET', '/foo');`
`36`		`- $this->assertSame(200, $client->getResponse()->getStatusCode());`
	`36`	`+ $this->assertRedirect($client->getResponse(), '/login');`
`37`	`37`	`$this->assertNull($cookieJar->get('REMEMBERME'));`
`38`	`38`	`}`
`39`	`39`	`}`
Original file line number	Diff line number	Diff line change
`@@ -99,6 +99,10 @@ public function getSecret()`
`99`	`99`	`*/`
`100`	`100`	`final public function autoLogin(Request $request)`
`101`	`101`	`{`
	`102`	`+ if (($cookie = $request->attributes->get(self::COOKIE_ATTR_NAME)) && null === $cookie->getValue()) {`
	`103`	`+ return null;`
	`104`	`+ }`
	`105`	`+`
`102`	`106`	`if (null === $cookie = $request->cookies->get($this->options['name'])) {`
`103`	`107`	`return null;`
`104`	`108`	`}`