bug #14046 [Security] StringUtils::equals() arguments in RememberMe Cookie based implementation are confused (zerkms)

This PR was submitted for the 2.7 branch but it was merged into the 2.6 branch instead (closes #14046).

Discussion
----------

[Security] StringUtils::equals() arguments in RememberMe Cookie based implementation are confused

It must be the other way around

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

Reference:

https://github.com/symfony/symfony/blob/2.7/src/Symfony/Component/Security/Core/Util/StringUtils.php#L34

Commits
-------

ea8da6e StringUtils::equals() arguments in RememberMe Cookie based implementation are confused
Fabien Potencier 2015-03-25 09:38:47 +01:00
commit 7e2a8b7663


@ -54,7 +54,7 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices
throw new \RuntimeException(sprintf('The UserProviderInterface implementation must return an instance of UserInterface, but returned "%s".', get_class($user)));
}
if (true !== StringUtils::equals($hash, $this->generateCookieHash($class, $username, $expires, $user->getPassword()))) {
if (true !== StringUtils::equals($this->generateCookieHash($class, $username, $expires, $user->getPassword()), $hash)) {
throw new AuthenticationException('The cookie\'s hash is invalid.');
}
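Review bot: In the `if` condition, the corrected call still depends on positional order alone to distinguish the server-computed hash from the cookie-supplied `$hash`, which is how the two were swapped originally. Because the boolean result is identical in either order, no existing test will flag a future reversal. Consider assigning `$this->generateCookieHash($class, $username, $expires, $user->getPassword())` to a local such as `$expectedHash` and adding a one-line comment that `StringUtils::equals()` takes the known string first and the user input second.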