[Security] fix unserializing session payloads from v4 #44805


Merged 1 commit on Dec 28, 2021

Conversation

@nicolas-grekas (Member) commented Dec 27, 2021

Q A
Branch? 5.3
Bug fix? yes
New feature? no
Deprecations? no
Tickets Fix #44676
License MIT
Doc PR -

Replaces #44801

I propose to reintroduce these classes to ease transitioning to v5, and then remove them in v6.

@carsonbot carsonbot changed the title [Security] fix unserializing session payloads from v4 fix unserializing session payloads from v4 Dec 27, 2021
@carsonbot carsonbot changed the title fix unserializing session payloads from v4 [Security] fix unserializing session payloads from v4 Dec 27, 2021
@ajgarlag (Contributor):

IMO these classes should exist only to allow unserialization, so in my package, every method throws a LogicException. WDYT?

@nicolas-grekas (Member, Author):

I think there is no need for such detailed care. I made the constructor private and the class @internal; that's enough of a warning to me.

@ajgarlag (Contributor) commented Dec 27, 2021

> I think there is no need for such detailed care. I made the constructor private and the class @internal, that's enough a warning to me.

Ok, I see, then I would remove any public method. These classes only exist for BC and IMO should not have any behavior.

@derrabus (Member):

We should add a test that deserializes a token serialized with 4.4 and checks if that token is usable. For instance, I would expect to run into new problems if the tokens returned arrays of Role objects again.

@nicolas-grekas (Member, Author):

I removed all methods but __toString().
@derrabus would you mind sending a PR to my fork with the test you have in mind? 🙏

@wouterj (Member) left a review comment:

Thanks, this looks OK to me.

I agree with @derrabus. We should at least add a test with a payload like:

// serialized string created on Symfony 4.4 using the following command (class names use single
// backslashes, as PHP requires; doubled backslashes would be a parse error):
//     php -r 'require_once __DIR__."/vendor/autoload.php"; echo serialize(new \Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken("sf", null, "main", [new Symfony\Component\Security\Core\Role\Role("ROLE_USER")]));'
// Note: the private property name inside the Role object is stored as "\0Symfony\...\Role\0role";
// the two NUL bytes do not survive display here, which is why its declared length is 47
// although only 45 characters are visible.
$serialized = 'O:74:"Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken":3:{i:0;N;i:1;s:4:"main";i:2;a:5:{i:0;s:2:"sf";i:1;b:1;i:2;a:1:{i:0;O:41:"Symfony\Component\Security\Core\Role\Role":1:{s:47:"Symfony\Component\Security\Core\Role\Rolerole";s:9:"ROLE_USER";}}i:3;a:0:{}i:4;a:1:{i:0;s:9:"ROLE_USER";}}}';
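
An added example (not the PR's or Symfony's own code) that models the BC Role class with the shape discussed in this thread and checks that a Role serialized by Symfony 4.4 still unserializes against it, with and without the class available. The class body and the `legacyRoleName()` helper are assumptions; the payload is constructed from PHP's serialize() format.

```php
<?php
// Added example (not Symfony's code); the Role body below is an assumed stand-in.

namespace Symfony\Component\Security\Core\Role {
    /** @internal Exists only so 4.4 session payloads unserialize; to be removed in v6. */
    final class Role
    {
        private $role;

        // Private so application code cannot create new instances. unserialize()
        // never calls a constructor, so this does not block restoring instances
        // from a payload, which is exactly what the class is kept for.
        private function __construct()
        {
        }

        public function __toString(): string
        {
            return (string) $this->role;
        }
    }
}

namespace {
    use Symfony\Component\Security\Core\Role\Role;

    // Constructed payload: what serialize(new Role('ROLE_USER')) produced on 4.4.
    // A private property is stored as "\0Class\0name", so the name is 47 bytes long
    // even though only 45 characters remain visible once the NUL bytes are stripped.
    $legacyPayload = 'O:41:"Symfony\Component\Security\Core\Role\Role":1:{s:47:"'
        . "\0Symfony\\Component\\Security\\Core\\Role\\Role\0role"
        . '";s:9:"ROLE_USER";}';

    // Returns the role name, or null when the payload could not be restored as a Role.
    function legacyRoleName(string $payload, bool $classAvailable): ?string
    {
        // allowed_classes restricts what unserialize() may instantiate; leaving Role
        // off the list mimics a 5.x install where the class no longer exists.
        $allowed = $classAvailable ? [Role::class] : [];
        $value = @unserialize($payload, ['allowed_classes' => $allowed]);

        // Without the class PHP yields __PHP_Incomplete_Class, which is not usable.
        return $value instanceof Role ? (string) $value : null;
    }

    var_dump(legacyRoleName($legacyPayload, true));   // BC class present
    var_dump(legacyRoleName($legacyPayload, false));  // class missing
}
```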

@nicolas-grekas (Member, Author):

Thanks for the hint, test added.

@nicolas-grekas nicolas-grekas force-pushed the sec-role branch 2 times, most recently from 113e4d0 to b73ac9a Compare December 28, 2021 11:56
@derrabus (Member):

nicolas-grekas#40 🙂

@nicolas-grekas nicolas-grekas merged commit f075ce8 into symfony:5.3 Dec 28, 2021
@nicolas-grekas nicolas-grekas deleted the sec-role branch December 29, 2021 09:46