From 607dcdb60ef74d63fbeb86549c52075f040ae4cc Mon Sep 17 00:00:00 2001
From: flies
Date: Mon, 22 Mar 2021 09:32:13 +0100
Subject: [PATCH] [Security] Handle properly 'auto' option for remember me cookie security
---
 .../Security/Factory/RememberMeFactory.php | 7 +++-
 Tests/Functional/RememberMeCookieTest.php | 33 +++++++++++++++++++
 .../app/RememberMeCookie/bundles.php | 9 +++++
 .../app/RememberMeCookie/config.yml | 25 ++++++++++++++
 .../app/RememberMeCookie/routing.yml | 2 ++
 5 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 Tests/Functional/RememberMeCookieTest.php
 create mode 100644 Tests/Functional/app/RememberMeCookie/bundles.php
 create mode 100644 Tests/Functional/app/RememberMeCookie/config.yml
 create mode 100644 Tests/Functional/app/RememberMeCookie/routing.yml
diff --git a/DependencyInjection/Security/Factory/RememberMeFactory.php b/DependencyInjection/Security/Factory/RememberMeFactory.php
index 70fcd16b..15302816 100644
--- a/DependencyInjection/Security/Factory/RememberMeFactory.php
+++ b/DependencyInjection/Security/Factory/RememberMeFactory.php
@@ -69,7 +69,12 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
 }
 // remember-me options
- $rememberMeServices->replaceArgument(3, array_intersect_key($config, $this->options));
+ $mergedOptions = array_intersect_key($config, $this->options);
+ if ('auto' === $mergedOptions['secure']) {
+ $mergedOptions['secure'] = null;
+ }
+
+ $rememberMeServices->replaceArgument(3, $mergedOptions);
 // attach to remember-me aware listeners
 $userProviders = [];
diff --git a/Tests/Functional/RememberMeCookieTest.php b/Tests/Functional/RememberMeCookieTest.php
new file mode 100644
index 00000000..6bfa1ed4
--- /dev/null
+++ b/Tests/Functional/RememberMeCookieTest.php
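Review bot: The `'auto'` → `null` mapping in the new `if` block leans on behaviour that lives elsewhere (the cookie layer treating a null `secure` flag as "set Secure only when the request is HTTPS", which is what the accompanying functional test exercises), and nothing at this site says so; a comment such as `// Cookie has no 'auto' mode: null makes the Secure flag follow the request scheme at response time` would keep the next reader from "fixing" it back to a bool. The lookup `$mergedOptions['secure']` also assumes the key survives `array_intersect_key`; if the option can ever be absent from `$config`, `'auto' === ($mergedOptions['secure'] ?? null)` avoids an undefined-index notice at container build time. Worth a line in the option's documentation, though not visible here: with `auto`, a deployment behind a TLS-terminating proxy presumably needs trusted proxies configured so the request is seen as HTTPS, otherwise the remember-me cookie would be emitted without the Secure flag. The `create()` method continues outside this hunk.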
@@ -0,0 +1,33 @@
+createClient(['test_case' => 'RememberMeCookie', 'root_config' => 'config.yml']);
+
+ $client->request('POST', '/login', [
+ '_username' => 'test',
+ '_password' => 'test',
+ ], [], [
+ 'HTTPS' => (int) $https,
+ ]);
+
+ $cookies = $client->getResponse()->headers->getCookies(ResponseHeaderBag::COOKIES_ARRAY);
+
+ $this->assertEquals($expectedSecureFlag, $cookies['']['/']['REMEMBERME']->isSecure());
+ }
+
+ public function getSessionRememberMeSecureCookieFlagAutoHttpsMap()
+ {
+ return [
+ [true, true],
+ [false, false],
+ ];
+ }
+}
diff --git a/Tests/Functional/app/RememberMeCookie/bundles.php b/Tests/Functional/app/RememberMeCookie/bundles.php
new file mode 100644
index 00000000..8d4a0249
--- /dev/null
+++ b/Tests/Functional/app/RememberMeCookie/bundles.php
@@ -0,0 +1,9 @@
+
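Review bot: `assertEquals` on the bool returned by `isSecure()` is loose (`assertEquals(false, 0)` and `assertEquals(true, 'yes')` both pass), so a regression that returns a non-bool would go unnoticed; use `$this->assertSame($expectedSecureFlag, $cookies['']['/']['REMEMBERME']->isSecure());`. Indexing `$cookies['']['/']['REMEMBERME']` straight away also means a login that sets no remember-me cookie fails with an undefined-index notice rather than a clear assertion; a preceding `$this->assertArrayHasKey('REMEMBERME', $cookies['']['/']);` makes that failure mode explicit. The head of the test class and the opening lines of the test method are not visible in this hunk, so whether the data-provider annotation and the `secure: auto` setting in config.yml are wired up cannot be checked from here.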