bug #24536 [Security] Reject remember-me token if UserCheckerInterface::checkPostAuth() fails (kbond)
This PR was merged into the 2.7 branch.
Discussion
----------
[Security] Reject remember-me token if UserCheckerInterface::checkPostAuth() fails
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #24525
| License | MIT
| Doc PR | -
I think this is a security hole - a user can remain logged in with a remember me cookie even though they can no longer pass `UserCheckInterface::checkPostAuth()` (could be disabled).
This is a small BC break but shouldn't be an issue as I think it is a bug. I don't think this requires a BC layer but if so, I can add.
Commits
-------
fe190b6ee9
reject remember-me token if user check fails
This commit is contained in:
commit
4ebd60f7f9
|
@ -49,6 +49,7 @@ class RememberMeAuthenticationProvider implements AuthenticationProviderInterfac
|
|||
|
||||
$user = $token->getUser();
|
||||
$this->userChecker->checkPreAuth($user);
|
||||
$this->userChecker->checkPostAuth($user);
|
||||
|
||||
$authenticatedToken = new RememberMeToken($user, $this->providerKey, $this->key);
|
||||
$authenticatedToken->setAttributes($token->getAttributes());
|
||||
|
|
Reference in New Issue