
Merge branch '4.4' into 5.2
* 4.4:
  [Console] minor fix
  [Validator] Avoid triggering the autoloader for user-input values
  Hardening Security - Unserialize DumpDataCollector
  [HttpClient] remove using $http_response_header
  [Security] Handle properly 'auto' option for remember me cookie security
nicolas-grekas committed Mar 23, 2021
2 parents e6fb8ac + 607dcdb commit 2655078
Showing 5 changed files with 76 additions and 2 deletions.
9 changes: 7 additions & 2 deletions DependencyInjection/Security/Factory/RememberMeFactory.php
Expand Up @@ -108,7 +108,7 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
$container
->setDefinition($authenticatorId, new ChildDefinition('security.authenticator.remember_me'))
->replaceArgument(0, new Reference($rememberMeServicesId))
->replaceArgument(3, array_intersect_key($config, $this->options))
->replaceArgument(3, $container->getDefinition($rememberMeServicesId)->getArgument(3))
;

foreach ($container->findTaggedServiceIds('security.remember_me_aware') as $serviceId => $attributes) {
Expand Down Expand Up @@ -201,7 +201,12 @@ private function createRememberMeServices(ContainerBuilder $container, string $i
}

// remember-me options
$rememberMeServices->replaceArgument(3, array_intersect_key($config, $this->options));
$mergedOptions = array_intersect_key($config, $this->options);
if ('auto' === $mergedOptions['secure']) {
$mergedOptions['secure'] = null;
}

$rememberMeServices->replaceArgument(3, $mergedOptions);

if ($config['user_providers']) {
$userProviders = [];
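Review bot: The new `if ('auto' === $mergedOptions['secure'])` in createRememberMeServices reads the key unconditionally; the bundle configuration presumably supplies a default for `secure` so it is never absent here, but that is not visible in the hunk, and `'auto' === ($mergedOptions['secure'] ?? null)` would make the guard safe either way. The mapping itself is undocumented, so a reader cannot tell why `null` is the right replacement; a comment such as `// 'auto' is not a valid cookie Secure value: pass null so the flag follows the request scheme at runtime (see RememberMeCookieTest)` would explain it. If that runtime decision comes from `Request::isSecure()`, it is worth stating in the same comment that a deployment behind a TLS-terminating proxy must configure trusted proxies, otherwise the remember-me cookie is issued without the Secure attribute. createRememberMeServices starts and ends outside the hunk, and the first hunk's switch to `getArgument(3)` keeps the authenticator in sync with this mapping, so it needs no separate change.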
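--- /dev/null
+++ b/Tests/Functional/RememberMeCookieTest.php
@@ -0,0 +1,33 @@
+<?php
+
+namespace Symfony\Bundle\SecurityBundle\Tests\Functional;
+
+use Symfony\Component\HttpFoundation\ResponseHeaderBag;
+
+class RememberMeCookieTest extends AbstractWebTestCase
+{
+/** @dataProvider getSessionRememberMeSecureCookieFlagAutoHttpsMap */
+public function testSessionRememberMeSecureCookieFlagAuto($https, $expectedSecureFlag)
+{
+$client = $this->createClient(['test_case' => 'RememberMeCookie', 'root_config' => 'config.yml']);
+
+$client->request('POST', '/login', [
+'_username' => 'test',
+'_password' => 'test',
+], [], [
+'HTTPS' => (int) $https,
+]);
+
+$cookies = $client->getResponse()->headers->getCookies(ResponseHeaderBag::COOKIES_ARRAY);
+
+$this->assertEquals($expectedSecureFlag, $cookies['']['/']['REMEMBERME']->isSecure());
+}
+
+public function getSessionRememberMeSecureCookieFlagAutoHttpsMap()
+{
+return [
+[true, true],
+[false, false],
+];
+}
+}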
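Review bot: The assertion on `$cookies['']['/']['REMEMBERME']->isSecure()` dereferences the nested keys directly, so if the remember-me cookie is not issued the test dies with an undefined-index notice and a method call on null rather than a readable failure; add `$this->assertArrayHasKey('REMEMBERME', $cookies['']['/']);` before it, and use `assertSame` since the flag is a bool. The test method and its provider are untyped: `public function testSessionRememberMeSecureCookieFlagAuto(bool $https, bool $expectedSecureFlag): void` and `public function getSessionRememberMeSecureCookieFlagAutoHttpsMap(): array`. A one-line docblock saying the test covers `secure: auto` resolving to the request scheme would tie it to the factory change in the same commit.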
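--- /dev/null
+++ b/Tests/Functional/app/RememberMeCookie/bundles.php
@@ -0,0 +1,9 @@
+<?php
+
+use Symfony\Bundle\FrameworkBundle\FrameworkBundle;
+use Symfony\Bundle\SecurityBundle\SecurityBundle;
+
+return [
+new FrameworkBundle(),
+new SecurityBundle(),
+];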
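--- /dev/null
+++ b/Tests/Functional/app/RememberMeCookie/config.yml
@@ -0,0 +1,25 @@
+imports:
+- { resource: ./../config/framework.yml }
+
+security:
+encoders:
+Symfony\Component\Security\Core\User\User: plaintext
+
+providers:
+in_memory:
+memory:
+users:
+test: { password: test, roles: [ROLE_USER] }
+
+firewalls:
+default:
+form_login:
+check_path: login
+remember_me: true
+require_previous_session: false
+remember_me:
+always_remember_me: true
+secret: key
+secure: auto
+logout: ~
+anonymous: ~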
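--- /dev/null
+++ b/Tests/Functional/app/RememberMeCookie/routing.yml
@@ -0,0 +1,2 @@
+login:
+path: /login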