bug #40547 [RateLimiter] Security hardening - Rate limiter (jderusse)

This PR was merged into the 5.2 branch. Discussion ---------- [RateLimiter] Security hardening - Rate limiter | Q | A | ------------- | --- | Branch? | 5.2 | Bug fix? | yes | New feature? | no | Deprecations? | yes | Tickets | - | License | MIT | Doc PR | - Commits ------- e61553af4b Security hardening - Rate limiter
2021-03-23 08:09:52 +01:00 · 2021-03-23 08:09:52 +01:00 · 0f4870b23f
commit 0f4870b23f
parent 7611d24e06 e61553af4b
2 changed files with 2 additions and 2 deletions
--- a/src/Symfony/Component/RateLimiter/RateLimiterFactory.php
+++ b/src/Symfony/Component/RateLimiter/RateLimiterFactory.php
@ -46,7 +46,7 @@ final class RateLimiterFactory

    public function create(?string $key = null): LimiterInterface
    {
-        $id = $this->config['id'].$key;
+        $id = $this->config['id'].'-'.$key;
        $lock = $this->lockFactory ? $this->lockFactory->createLock($id) : new NoLock();

        switch ($this->config['policy']) {
--- a/src/Symfony/Component/Security/Http/RateLimiter/DefaultLoginRateLimiter.php
+++ b/src/Symfony/Component/Security/Http/RateLimiter/DefaultLoginRateLimiter.php
@ -41,7 +41,7 @@ final class DefaultLoginRateLimiter extends AbstractRequestRateLimiter
    {
        return [
            $this->globalFactory->create($request->getClientIp()),
-            $this->localFactory->create($request->attributes->get(Security::LAST_USERNAME).$request->getClientIp()),
+            $this->localFactory->create($request->attributes->get(Security::LAST_USERNAME).'-'.$request->getClientIp()),
        ];
    }
 }