[Security] Prevent creating session in stateless firewalls #51350

Merged
merged 1 commit into from
Aug 25, 2023

@Seb33300 (Contributor) commented Aug 11, 2023

| Q             | A          |
| ------------- | ---------- |
| Branch?       | 6.3        |
| Bug fix?      | yes        |
| New feature?  | no         |
| Deprecations? | no         |
| Tickets       | Fix #51319 |
| License       | MIT        |
| Doc PR        |            |

Please check the related issue for details.

Same as #51320 with @chalasr's suggestion: #51320 (comment)

@carsonbot commented

Hey!

Thanks for your PR. You are targeting branch "6.4" but it seems your PR description refers to branch "6.3".
Could you update the PR description or change target branch? This helps core maintainers a lot.

Cheers!

Carsonbot

@chalasr (Member) left a comment

Please add test cases with _stateless => true for both success and failure handlers to prevent regressions

@Seb33300 (Contributor Author) commented

> Please add test cases with _stateless => true for both success and failure handlers to prevent regressions

@chalasr tests added

@stloyd (Contributor) commented Aug 21, 2023

@wouterj @chalasr Could you have a second look at this?

I can confirm the fix on HWIOAuthBundle. Before:

PHPUnit 9.6.11 by Sebastian Bergmann and contributors.

Testing /Users/stloyd/Documents/HWIOAuthBundle/tests/Functional

<!-- Session was used while the request was declared stateless. (500 Internal Server Error) -->
// error page printed

After:

PHPUnit 9.6.11 by Sebastian Bergmann and contributors.

Testing /Users/stloyd/Documents/HWIOAuthBundle/tests/Functional

Time: 00:00.090, Memory: 18.00 MB

OK (1 test, 4 assertions)

@stloyd (Contributor) commented Aug 25, 2023

@fabpot / @nicolas-grekas or anyone else, can you check this fix? I would love to have it in the near 6.3 release.

@Seb33300 (Contributor Author) commented

August is usually a period of holidays in Europe, so @chalasr and @wouterj may not be available this week.
Let's see next week :)

@chalasr (Member) commented Aug 25, 2023

Thank you @Seb33300.

Successfully merging this pull request may close these issues.

Session created by default handlers on stateless firewalls