From 576f8029177e7454d8e4c851c2ece123b24ad706 Mon Sep 17 00:00:00 2001 From: ogizanagi Date: Thu, 19 Nov 2015 23:03:24 +0100 Subject: [PATCH 01/11] [Process] PhpExecutableFinder: add regression test --- .../Process/Tests/PhpExecutableFinderTest.php | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/src/Symfony/Component/Process/Tests/PhpExecutableFinderTest.php b/src/Symfony/Component/Process/Tests/PhpExecutableFinderTest.php index 28bafe38ea..87d0efe9eb 100644 --- a/src/Symfony/Component/Process/Tests/PhpExecutableFinderTest.php +++ b/src/Symfony/Component/Process/Tests/PhpExecutableFinderTest.php @@ -43,7 +43,27 @@ class PhpExecutableFinderTest extends \PHPUnit_Framework_TestCase } /** - * tests find() with the env var PHP_PATH. + * tests find() with the constant PHP_BINARY. + * + * @requires PHP 5.4 + */ + public function testFind() + { + if (defined('HHVM_VERSION')) { + $this->markTestSkipped('Should not be executed in HHVM context.'); + } + + $f = new PhpExecutableFinder(); + + $current = PHP_BINARY; + $args = 'phpdbg' === PHP_SAPI ? ' -qrr' : ''; + + $this->assertEquals($current.$args, $f->find(), '::find() returns the executable PHP'); + $this->assertEquals($current, $f->find(false), '::find() returns the executable PHP'); + } + + /** + * tests find() with the env var / constant PHP_BINARY with HHVM. */ public function testFindWithHHVM() { From baad4da9b72d2d0af14a3be433a453f22d106870 Mon Sep 17 00:00:00 2001 From: Nicolas Grekas Date: Fri, 20 Nov 2015 13:11:01 +0100 Subject: [PATCH 02/11] [HttpKernel] Don't reset on shutdown but in FrameworkBundle/Test/KernelTestCase --- src/Symfony/Bundle/FrameworkBundle/Test/KernelTestCase.php | 5 +++++ src/Symfony/Component/HttpKernel/Kernel.php | 5 ----- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/Symfony/Bundle/FrameworkBundle/Test/KernelTestCase.php b/src/Symfony/Bundle/FrameworkBundle/Test/KernelTestCase.php index 04f934c4fe..aa8b66929c 100644 --- a/src/Symfony/Bundle/FrameworkBundle/Test/KernelTestCase.php +++ b/src/Symfony/Bundle/FrameworkBundle/Test/KernelTestCase.php @@ -11,6 +11,7 @@ namespace Symfony\Bundle\FrameworkBundle\Test; +use Symfony\Component\DependencyInjection\ResettableContainerInterface; use Symfony\Component\Finder\Finder; use Symfony\Component\HttpKernel\KernelInterface; @@ -171,7 +172,11 @@ abstract class KernelTestCase extends \PHPUnit_Framework_TestCase protected static function ensureKernelShutdown() { if (null !== static::$kernel) { + $container = static::$kernel->getContainer(); static::$kernel->shutdown(); + if ($container instanceof ResettableContainerInterface) { + $container->reset(); + } } } diff --git a/src/Symfony/Component/HttpKernel/Kernel.php b/src/Symfony/Component/HttpKernel/Kernel.php index 7c55172d39..2b573fe860 100644 --- a/src/Symfony/Component/HttpKernel/Kernel.php +++ b/src/Symfony/Component/HttpKernel/Kernel.php @@ -23,7 +23,6 @@ use Symfony\Component\DependencyInjection\Loader\IniFileLoader; use Symfony\Component\DependencyInjection\Loader\PhpFileLoader; use Symfony\Component\DependencyInjection\Loader\DirectoryLoader; use Symfony\Component\DependencyInjection\Loader\ClosureLoader; -use Symfony\Component\DependencyInjection\ResettableContainerInterface; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Response; use Symfony\Component\HttpKernel\Bundle\BundleInterface; @@ -171,10 +170,6 @@ abstract class Kernel implements KernelInterface, TerminableInterface $bundle->setContainer(null); } - if ($this->container instanceof ResettableContainerInterface) { - $this->container->reset(); - } - $this->container = null; } From 8feb9ef080b6c04bd40cdec4d0af030002be4cc0 Mon Sep 17 00:00:00 2001 From: Ryan Weaver Date: Thu, 5 Nov 2015 15:58:36 -0500 Subject: [PATCH 03/11] [Routing] Changing RouteCollectionBuilder::import() behavior to add to the builder --- .../Component/Routing/RouteCollectionBuilder.php | 12 ++++++++---- .../Routing/Tests/RouteCollectionBuilderTest.php | 7 +++++-- 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/src/Symfony/Component/Routing/RouteCollectionBuilder.php b/src/Symfony/Component/Routing/RouteCollectionBuilder.php index 700ee37234..a54a049d27 100644 --- a/src/Symfony/Component/Routing/RouteCollectionBuilder.php +++ b/src/Symfony/Component/Routing/RouteCollectionBuilder.php @@ -49,16 +49,17 @@ class RouteCollectionBuilder /** * Import an external routing resource and returns the RouteCollectionBuilder. * - * $routes->mount('/blog', $routes->import('blog.yml')); + * $routes->import('blog.yml', '/blog'); * - * @param mixed $resource - * @param string $type + * @param mixed $resource + * @param string|null $prefix + * @param string $type * * @return RouteCollectionBuilder * * @throws FileLoaderLoadException */ - public function import($resource, $type = null) + public function import($resource, $prefix = '/', $type = null) { /** @var RouteCollection $collection */ $collection = $this->load($resource, $type); @@ -73,6 +74,9 @@ class RouteCollectionBuilder $builder->addResource($resource); } + // mount into this builder + $this->mount($prefix, $builder); + return $builder; } diff --git a/src/Symfony/Component/Routing/Tests/RouteCollectionBuilderTest.php b/src/Symfony/Component/Routing/Tests/RouteCollectionBuilderTest.php index c19fdcbf9f..e3a98e3b72 100644 --- a/src/Symfony/Component/Routing/Tests/RouteCollectionBuilderTest.php +++ b/src/Symfony/Component/Routing/Tests/RouteCollectionBuilderTest.php @@ -45,7 +45,7 @@ class RouteCollectionBuilderTest extends \PHPUnit_Framework_TestCase // import the file! $routes = new RouteCollectionBuilder($loader); - $importedRoutes = $routes->import('admin_routing.yml', 'yaml'); + $importedRoutes = $routes->import('admin_routing.yml', '/', 'yaml'); // we should get back a RouteCollectionBuilder $this->assertInstanceOf('Symfony\Component\Routing\RouteCollectionBuilder', $importedRoutes); @@ -56,6 +56,9 @@ class RouteCollectionBuilderTest extends \PHPUnit_Framework_TestCase $this->assertSame($originalRoute, $route); // should return file_resource.yml, which is in the original collection $this->assertCount(1, $addedCollection->getResources()); + + // make sure the routes were imported into the top-level builder + $this->assertCount(1, $routes->build()); } /** @@ -285,7 +288,7 @@ class RouteCollectionBuilderTest extends \PHPUnit_Framework_TestCase ->method('load') ->will($this->returnValue($importedCollection)); // import this from the /admin route builder - $adminRoutes->mount('/imported', $adminRoutes->import('admin.yml')); + $adminRoutes->import('admin.yml', '/imported'); $collection = $routes->build(); $this->assertEquals('/admin/dashboard', $collection->get('admin_dashboard')->getPath(), 'Routes before mounting have the prefix'); From ca9f446f035ed62976185187306cf1ca7ffa0573 Mon Sep 17 00:00:00 2001 From: Jelle Kapitein Date: Mon, 23 Nov 2015 09:33:29 +0100 Subject: [PATCH 04/11] =?UTF-8?q?[WebProfilerBundle]=20Added=20a=20top=20l?= =?UTF-8?q?eft=20border=20radius=20to=20the=20minified=20to=E2=80=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Resources/views/Profiler/toolbar.css.twig | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/Symfony/Bundle/WebProfilerBundle/Resources/views/Profiler/toolbar.css.twig b/src/Symfony/Bundle/WebProfilerBundle/Resources/views/Profiler/toolbar.css.twig index 0a269ea3f7..c0456f6131 100644 --- a/src/Symfony/Bundle/WebProfilerBundle/Resources/views/Profiler/toolbar.css.twig +++ b/src/Symfony/Bundle/WebProfilerBundle/Resources/views/Profiler/toolbar.css.twig @@ -1,5 +1,6 @@ .sf-minitoolbar { background-color: #222; + border-top-left-radius: 4px; bottom: 0; display: none; height: 30px; @@ -8,6 +9,7 @@ right: 0; z-index: 99999; } + .sf-minitoolbar a { display: block; } @@ -357,6 +359,8 @@ /* Override the setting when the toolbar is on the top */ {% if position == 'top' %} .sf-minitoolbar { + border-bottom-left-radius: 4px; + border-top-left-radius: 0; bottom: auto; right: 0; top: 0; From f1fd7686c5fdc191a599d1e77d9748365f8a19cf Mon Sep 17 00:00:00 2001 From: Christian Flothmann Date: Tue, 10 Nov 2015 16:18:07 +0100 Subject: [PATCH 05/11] fix potential timing attack issue --- ...PersistentTokenBasedRememberMeServices.php | 3 +- .../TokenBasedRememberMeServices.php | 28 ++----------------- 2 files changed, 4 insertions(+), 27 deletions(-) diff --git a/src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php b/src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php index f800668a5e..0fffbfe4f9 100644 --- a/src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php +++ b/src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php @@ -21,6 +21,7 @@ use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentToken; use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; use Symfony\Component\Security\Core\Util\SecureRandomInterface; use Psr\Log\LoggerInterface; +use Symfony\Component\Security\Core\Util\StringUtils; /** * Concrete implementation of the RememberMeServicesInterface which needs @@ -90,7 +91,7 @@ class PersistentTokenBasedRememberMeServices extends AbstractRememberMeServices list($series, $tokenValue) = $cookieParts; $persistentToken = $this->tokenProvider->loadTokenBySeries($series); - if ($persistentToken->getTokenValue() !== $tokenValue) { + if (!StringUtils::equals($persistentToken->getTokenValue(), $tokenValue)) { throw new CookieTheftException('This token was already used. The account is possibly compromised.'); } diff --git a/src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php b/src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php index de662fb3d8..1aea5fd76d 100644 --- a/src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php +++ b/src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php @@ -17,6 +17,7 @@ use Symfony\Component\HttpFoundation\Response; use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; use Symfony\Component\Security\Core\Exception\AuthenticationException; use Symfony\Component\Security\Core\User\UserInterface; +use Symfony\Component\Security\Core\Util\StringUtils; /** * Concrete implementation of the RememberMeServicesInterface providing @@ -53,7 +54,7 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices throw new \RuntimeException(sprintf('The UserProviderInterface implementation must return an instance of UserInterface, but returned "%s".', get_class($user))); } - if (true !== $this->compareHashes($hash, $this->generateCookieHash($class, $username, $expires, $user->getPassword()))) { + if (!StringUtils::equals($this->generateCookieHash($class, $username, $expires, $user->getPassword()), $hash)) { throw new AuthenticationException('The cookie\'s hash is invalid.'); } @@ -64,31 +65,6 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices return $user; } - /** - * Compares two hashes using a constant-time algorithm to avoid (remote) - * timing attacks. - * - * This is the same implementation as used in the BasePasswordEncoder. - * - * @param string $hash1 The first hash - * @param string $hash2 The second hash - * - * @return bool true if the two hashes are the same, false otherwise - */ - private function compareHashes($hash1, $hash2) - { - if (strlen($hash1) !== $c = strlen($hash2)) { - return false; - } - - $result = 0; - for ($i = 0; $i < $c; ++$i) { - $result |= ord($hash1[$i]) ^ ord($hash2[$i]); - } - - return 0 === $result; - } - /** * {@inheritdoc} */ From 557ea17eeb21817f3c18147b56c86172794a75df Mon Sep 17 00:00:00 2001 From: Christian Flothmann Date: Tue, 10 Nov 2015 16:41:37 +0100 Subject: [PATCH 06/11] mitigate CSRF timing attack vulnerability --- .../Csrf/CsrfProvider/DefaultCsrfProvider.php | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php b/src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php index 31ea45f3d5..ab62df9a04 100644 --- a/src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php +++ b/src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php @@ -11,6 +11,8 @@ namespace Symfony\Component\Form\Extension\Csrf\CsrfProvider; +use Symfony\Component\Security\Core\Util\StringUtils; + /** * Default implementation of CsrfProviderInterface. * @@ -54,6 +56,16 @@ class DefaultCsrfProvider implements CsrfProviderInterface */ public function isCsrfTokenValid($intention, $token) { + $expectedToken = $this->generateCsrfToken($intention); + + if (function_exists('hash_equals')) { + return hash_equals($expectedToken, $token); + } + + if (class_exists('Symfony\Component\Security\Core\Util\StringUtils')) { + return StringUtils::equals($expectedToken, $token); + } + return $token === $this->generateCsrfToken($intention); } From 819aa54fe489a403c0a3fe00fd0840ed53a15609 Mon Sep 17 00:00:00 2001 From: Christian Flothmann Date: Tue, 10 Nov 2015 16:51:36 +0100 Subject: [PATCH 07/11] prevent timing attacks in digest auth listener --- .../Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php | 2 +- .../Security/Http/Firewall/DigestAuthenticationListener.php | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php b/src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php index ab62df9a04..f323de0fd2 100644 --- a/src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php +++ b/src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php @@ -66,7 +66,7 @@ class DefaultCsrfProvider implements CsrfProviderInterface return StringUtils::equals($expectedToken, $token); } - return $token === $this->generateCsrfToken($intention); + return $token === $expectedToken; } /** diff --git a/src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php b/src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php index a88250bff3..5e1159f733 100644 --- a/src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php +++ b/src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php @@ -13,6 +13,7 @@ namespace Symfony\Component\Security\Http\Firewall; use Symfony\Component\Security\Core\SecurityContextInterface; use Symfony\Component\Security\Core\User\UserProviderInterface; +use Symfony\Component\Security\Core\Util\StringUtils; use Symfony\Component\Security\Http\EntryPoint\DigestAuthenticationEntryPoint; use Psr\Log\LoggerInterface; use Symfony\Component\HttpKernel\Event\GetResponseEvent; @@ -99,7 +100,7 @@ class DigestAuthenticationListener implements ListenerInterface return; } - if ($serverDigestMd5 !== $digestAuth->getResponse()) { + if (!StringUtils::equals($serverDigestMd5, $digestAuth->getResponse())) { if (null !== $this->logger) { $this->logger->debug(sprintf('Expected response: "%s" but received: "%s"; is AuthenticationDao returning clear text passwords?', $serverDigestMd5, $digestAuth->getResponse())); } From f88e600833b6822db5873e25deaefd14948e4878 Mon Sep 17 00:00:00 2001 From: Christian Flothmann Date: Thu, 5 Nov 2015 23:29:27 +0100 Subject: [PATCH 08/11] migrate session after remember me authentication --- .../Http/Firewall/RememberMeListener.php | 8 +++ .../Http/Firewall/RememberMeListenerTest.php | 63 +++++++++++++++++++ 2 files changed, 71 insertions(+) diff --git a/src/Symfony/Component/Security/Http/Firewall/RememberMeListener.php b/src/Symfony/Component/Security/Http/Firewall/RememberMeListener.php index 942e53787a..52a231c70e 100644 --- a/src/Symfony/Component/Security/Http/Firewall/RememberMeListener.php +++ b/src/Symfony/Component/Security/Http/Firewall/RememberMeListener.php @@ -20,6 +20,7 @@ use Symfony\Component\Security\Http\RememberMe\RememberMeServicesInterface; use Symfony\Component\Security\Http\Event\InteractiveLoginEvent; use Symfony\Component\Security\Http\SecurityEvents; use Symfony\Component\EventDispatcher\EventDispatcherInterface; +use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy; /** * RememberMeListener implements authentication capabilities via a cookie. @@ -33,6 +34,7 @@ class RememberMeListener implements ListenerInterface private $authenticationManager; private $logger; private $dispatcher; + private $sessionStrategy; /** * Constructor. @@ -50,6 +52,7 @@ class RememberMeListener implements ListenerInterface $this->authenticationManager = $authenticationManager; $this->logger = $logger; $this->dispatcher = $dispatcher; + $this->sessionStrategy = new SessionAuthenticationStrategy(SessionAuthenticationStrategy::MIGRATE); } /** @@ -70,6 +73,11 @@ class RememberMeListener implements ListenerInterface try { $token = $this->authenticationManager->authenticate($token); + + if ($request->hasSession() && $request->getSession()->isStarted()) { + $this->sessionStrategy->onAuthentication($request, $token); + } + $this->securityContext->setToken($token); if (null !== $this->dispatcher) { diff --git a/src/Symfony/Component/Security/Tests/Http/Firewall/RememberMeListenerTest.php b/src/Symfony/Component/Security/Tests/Http/Firewall/RememberMeListenerTest.php index 067cacb6cb..ad96243d47 100644 --- a/src/Symfony/Component/Security/Tests/Http/Firewall/RememberMeListenerTest.php +++ b/src/Symfony/Component/Security/Tests/Http/Firewall/RememberMeListenerTest.php @@ -138,6 +138,69 @@ class RememberMeListenerTest extends \PHPUnit_Framework_TestCase $listener->handle($event); } + public function testSessionStrategy() + { + list($listener, $tokenStorage, $service, $manager) = $this->getListener(false, true, true); + + $tokenStorage + ->expects($this->once()) + ->method('getToken') + ->will($this->returnValue(null)) + ; + + $token = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface'); + $service + ->expects($this->once()) + ->method('autoLogin') + ->will($this->returnValue($token)) + ; + + $tokenStorage + ->expects($this->once()) + ->method('setToken') + ->with($this->equalTo($token)) + ; + + $manager + ->expects($this->once()) + ->method('authenticate') + ->will($this->returnValue($token)) + ; + + $session = $this->getMock('\Symfony\Component\HttpFoundation\Session\SessionInterface'); + $session + ->expects($this->once()) + ->method('isStarted') + ->will($this->returnValue(true)) + ; + $session + ->expects($this->once()) + ->method('migrate') + ; + + $request = $this->getMock('\Symfony\Component\HttpFoundation\Request'); + $request + ->expects($this->any()) + ->method('hasSession') + ->will($this->returnValue(true)) + ; + + $request + ->expects($this->any()) + ->method('getSession') + ->will($this->returnValue($session)) + ; + + $event = $this->getGetResponseEvent(); + $event + ->expects($this->once()) + ->method('getRequest') + ->will($this->returnValue($request)) + ; + + $listener->handle($event); + } + protected function getGetResponseEvent() { return $this->getMock('Symfony\Component\HttpKernel\Event\GetResponseEvent', array(), array(), '', false); From d12cf1904c92ef2525b55da79ae09c800e875171 Mon Sep 17 00:00:00 2001 From: Fabien Potencier Date: Mon, 23 Nov 2015 11:17:36 +0100 Subject: [PATCH 09/11] fixed tests --- .../DependencyInjection/Tests/ContainerBuilderTest.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Symfony/Component/DependencyInjection/Tests/ContainerBuilderTest.php b/src/Symfony/Component/DependencyInjection/Tests/ContainerBuilderTest.php index 86d9103d99..d470ed386f 100644 --- a/src/Symfony/Component/DependencyInjection/Tests/ContainerBuilderTest.php +++ b/src/Symfony/Component/DependencyInjection/Tests/ContainerBuilderTest.php @@ -324,7 +324,7 @@ class ContainerBuilderTest extends \PHPUnit_Framework_TestCase { $builder = new ContainerBuilder(); $builder->register('bar', 'stdClass'); - $builder->register('foo1', 'FooClass')->addMethodCall('setBar', array(array('%%unescape_it%%'))); + $builder->register('foo1', 'Bar\FooClass')->addMethodCall('setBar', array(array('%%unescape_it%%'))); $builder->setParameter('value', 'bar'); $this->assertEquals(array('%unescape_it%'), $builder->get('foo1')->bar, '->createService() replaces the values in the method calls arguments'); } @@ -333,7 +333,7 @@ class ContainerBuilderTest extends \PHPUnit_Framework_TestCase { $builder = new ContainerBuilder(); $builder->register('bar', 'stdClass'); - $builder->register('foo1', 'FooClass')->setProperty('bar', array('%value%', new Reference('bar'), '%%unescape_it%%')); + $builder->register('foo1', 'Bar\FooClass')->setProperty('bar', array('%value%', new Reference('bar'), '%%unescape_it%%')); $builder->setParameter('value', 'bar'); $this->assertEquals(array('bar', $builder->get('bar'), '%unescape_it%'), $builder->get('foo1')->bar, '->createService() replaces the values in the properties'); } From 3aee6b93e2072dd1c22a922eb30ad30dd8ade737 Mon Sep 17 00:00:00 2001 From: toretto460 Date: Mon, 23 Nov 2015 10:52:19 +0100 Subject: [PATCH 10/11] Fix: Resolve tempdir symlink, not working on OSX --- src/Symfony/Component/Filesystem/Tests/FilesystemTest.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Symfony/Component/Filesystem/Tests/FilesystemTest.php b/src/Symfony/Component/Filesystem/Tests/FilesystemTest.php index ea38e17df5..d8d3cf33e9 100644 --- a/src/Symfony/Component/Filesystem/Tests/FilesystemTest.php +++ b/src/Symfony/Component/Filesystem/Tests/FilesystemTest.php @@ -1042,8 +1042,8 @@ class FilesystemTest extends FilesystemTestCase $dirname = $scheme.$this->workspace.DIRECTORY_SEPARATOR.'does_not_exist'; $filename = $this->filesystem->tempnam($dirname, 'bar'); - - $this->assertStringStartsWith(rtrim($scheme.sys_get_temp_dir(), DIRECTORY_SEPARATOR), $filename); + $realTempDir = realpath(sys_get_temp_dir()); + $this->assertStringStartsWith(rtrim($scheme.$realTempDir, DIRECTORY_SEPARATOR), $filename); $this->assertFileExists($filename); // Tear down From 2dbb75aef49c39ac680a31f44514f94c29de681d Mon Sep 17 00:00:00 2001 From: Fabien Potencier Date: Mon, 23 Nov 2015 11:39:33 +0100 Subject: [PATCH 11/11] removed usage of the deprecated StringUtils::equals() method --- .../Csrf/CsrfProvider/DefaultCsrfProvider.php | 12 +----------- .../Http/Firewall/DigestAuthenticationListener.php | 3 +-- .../PersistentTokenBasedRememberMeServices.php | 3 +-- 3 files changed, 3 insertions(+), 15 deletions(-) diff --git a/src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php b/src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php index 7e25a122c6..def181d217 100644 --- a/src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php +++ b/src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php @@ -11,8 +11,6 @@ namespace Symfony\Component\Form\Extension\Csrf\CsrfProvider; -use Symfony\Component\Security\Core\Util\StringUtils; - @trigger_error('The '.__NAMESPACE__.'\DefaultCsrfProvider is deprecated since version 2.4 and will be removed in version 3.0. Use the \Symfony\Component\Security\Csrf\TokenStorage\NativeSessionTokenStorage class instead.', E_USER_DEPRECATED); /** @@ -65,15 +63,7 @@ class DefaultCsrfProvider implements CsrfProviderInterface { $expectedToken = $this->generateCsrfToken($intention); - if (function_exists('hash_equals')) { - return hash_equals($expectedToken, $token); - } - - if (class_exists('Symfony\Component\Security\Core\Util\StringUtils')) { - return StringUtils::equals($expectedToken, $token); - } - - return $token === $expectedToken; + return hash_equals($expectedToken, $token); } /** diff --git a/src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php b/src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php index f2048fdbe4..41e5d6d759 100644 --- a/src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php +++ b/src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php @@ -12,7 +12,6 @@ namespace Symfony\Component\Security\Http\Firewall; use Symfony\Component\Security\Core\User\UserProviderInterface; -use Symfony\Component\Security\Core\Util\StringUtils; use Symfony\Component\Security\Http\EntryPoint\DigestAuthenticationEntryPoint; use Psr\Log\LoggerInterface; use Symfony\Component\HttpKernel\Event\GetResponseEvent; @@ -100,7 +99,7 @@ class DigestAuthenticationListener implements ListenerInterface return; } - if (!StringUtils::equals($serverDigestMd5, $digestAuth->getResponse())) { + if (!hash_equals($serverDigestMd5, $digestAuth->getResponse())) { if (null !== $this->logger) { $this->logger->debug('Unexpected response from the DigestAuth received; is the header returning a clear text passwords?', array('expected' => $serverDigestMd5, 'received' => $digestAuth->getResponse())); } diff --git a/src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php b/src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php index cf92a8c2f3..807a4a72a6 100644 --- a/src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php +++ b/src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php @@ -21,7 +21,6 @@ use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentToken; use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; use Symfony\Component\Security\Core\Util\SecureRandomInterface; use Psr\Log\LoggerInterface; -use Symfony\Component\Security\Core\Util\StringUtils; /** * Concrete implementation of the RememberMeServicesInterface which needs @@ -94,7 +93,7 @@ class PersistentTokenBasedRememberMeServices extends AbstractRememberMeServices list($series, $tokenValue) = $cookieParts; $persistentToken = $this->tokenProvider->loadTokenBySeries($series); - if (!StringUtils::equals($persistentToken->getTokenValue(), $tokenValue)) { + if (!hash_equals($persistentToken->getTokenValue(), $tokenValue)) { throw new CookieTheftException('This token was already used. The account is possibly compromised.'); }