
"The CSRF token is invalid." in tests after upgrading to 6.2.6 to fix CVE #49194

Closed
@J-roen

Description

Symfony version(s) affected

6.2.6

Description

After installing the fix for https://symfony.com/blog/cve-2022-24895-csrf-token-fixation, tests fail with the message "The CSRF token is invalid." I have only been able to reproduce this in tests, not (yet) when running the application in the browser.

How to reproduce

  1. Install the Symfony demo project: https://github.com/symfony/demo
  2. Run ./bin/phpunit. All tests should succeed.
  3. Run composer update.
  4. Run ./bin/phpunit. Multiple tests should fail. Add | grep CSRF and you will find the error message.

Possible Solution

I have no clue yet. My conclusion is that $this->csrfTokenStorage->clear(); is the cause of this bug (see 5909d74#diff-0ff1412624a79146c346925f2407eb4783b144da38ddb369ca30e49d046fab70R59), but removing this is obviously not an option as it is the fix for the CVE.

Additional Context

Docker one-liner:

docker run -it --rm composer bash -c " \
  composer create-project symfony/symfony-demo my_project; \
  cd my_project/; \
  ./bin/phpunit; \
  composer update; \
  ./bin/phpunit | head -n 6; \
  ./bin/phpunit | grep CSRF \
"
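To make the reported symptom concrete, here is an added example in Python (not Symfony's code): a toy model of a session-backed CSRF token storage whose login step optionally performs the clear that the CVE-2022-24895 fix introduced. Class and function names are assumptions; with clearing enabled, a token fetched before login is rejected with the message from the report, while a token fetched after login is accepted.

```python
import hmac
import secrets

INVALID_MESSAGE = "The CSRF token is invalid."


class App:
    """Toy app with a session-backed CSRF token store keyed by form name."""

    def __init__(self, clear_on_login):
        self.csrf_tokens = {}            # stands in for the session token storage
        self.clear_on_login = clear_on_login

    def render_form(self, form_name):
        # Issue a token on first use and reuse it for later requests; the
        # value is embedded in the HTML form.
        if form_name not in self.csrf_tokens:
            self.csrf_tokens[form_name] = secrets.token_urlsafe(32)
        return self.csrf_tokens[form_name]

    def login(self):
        # CVE-2022-24895 fix: clear tokens issued before authentication so a
        # token planted in the pre-auth session cannot be replayed afterwards.
        if self.clear_on_login:
            self.csrf_tokens.clear()

    def submit(self, form_name, token):
        stored = self.csrf_tokens.get(form_name)
        if stored is None or not hmac.compare_digest(stored, token):
            return INVALID_MESSAGE
        return "ok"


def submit_with_pre_login_token(clear_on_login):
    """Flow that broke in the demo tests: fetch the token, log in, then post."""
    app = App(clear_on_login)
    token = app.render_form("post")  # obtained while still anonymous
    app.login()
    return app.submit("post", token)


def submit_with_post_login_token(clear_on_login):
    """Flow tests need after the fix: log in first, then fetch the token."""
    app = App(clear_on_login)
    app.login()
    return app.submit("post", app.render_form("post"))
```

The practical consequence for a test suite is that any token captured before the login request must be re-fetched afterwards; the clear itself is the intended defence.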
