bug #35335 [Security] Fix RememberMe with null password (jderusse)
This PR was merged into the 5.0 branch.
Discussion
----------
[Security] Fix RememberMe with null password
| Q | A
| ------------- | ---
| Branch? | 5.0
| Bug fix? | yes
| New feature? | no
| Deprecations? | yes
| Tickets | NA
| License | MIT
| Doc PR | NA
From `UserInterface` the method getPassword may return null, while generateCookieHash requires a string.
This PR changes the signature of these methods to allow a null password (the `?string` type), so `UserInterface::getPassword()` returning null no longer causes a TypeError.
Commits
-------
a7d0d82768
Fix RememberMe with null password
@ -92,11 +92,11 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices
* Generates the cookie value.
* Generates the cookie value.
*
*
* @param int $expires The Unix timestamp when the cookie expires
* @param int $expires The Unix timestamp when the cookie expires
* @param string $password The encoded password
* @param string|null $password The encoded password
*
*
* @return string
* @return string
*/
*/
protected function generateCookieValue(string $class, string $username, int $expires, string $password)
protected function generateCookieValue(string $class, string $username, int $expires, ?string $password)
{
{
// $username is encoded because it might contain COOKIE_DELIMITER,
// $username is encoded because it might contain COOKIE_DELIMITER,
// we assume other values don't
// we assume other values don't
@ -112,11 +112,11 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices
* Generates a hash for the cookie to ensure it is not being tampered with.
* Generates a hash for the cookie to ensure it is not being tampered with.
*
*
* @param int $expires The Unix timestamp when the cookie expires
* @param int $expires The Unix timestamp when the cookie expires
* @param string $password The encoded password
* @param string|null $password The encoded password
*
*
* @return string
* @return string
*/
*/
protected function generateCookieHash(string $class, string $username, int $expires, string $password)
protected function generateCookieHash(string $class, string $username, int $expires, ?string $password)
{
{
return hash_hmac('sha256', $class.self::COOKIE_DELIMITER.$username.self::COOKIE_DELIMITER.$expires.self::COOKIE_DELIMITER.$password, $this->getSecret());
return hash_hmac('sha256', $class.self::COOKIE_DELIMITER.$username.self::COOKIE_DELIMITER.$expires.self::COOKIE_DELIMITER.$password, $this->getSecret());
}
}
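Review bot: In generateCookieHash, a null `$password` is concatenated into the HMAC input as an empty string, so a user whose getPassword() returns null produces exactly the same hash as one whose encoded password is `''`, and the remember-me cookie for such a user is bound only to the class, username and expiry rather than to any credential. That is presumably the intended outcome for password-less accounts, but it is a security-relevant property of the cookie that neither the hash body nor the updated docblock records, and a later maintainer could reasonably assume the password segment always contributes to the hash. I would make it explicit in the `@param` line, e.g. `* @param string|null $password The encoded password, or null for a user without one; null hashes identically to an empty string`, and mirror the same wording on the generateCookieValue docblock in the first hunk. Where the cookie is later verified is outside these hunks, and the enclosing TokenBasedRememberMeServices class continues past the second hunk, so I cannot confirm from here how a null-password token is treated on the validation side.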