bug #35335 [Security] Fix RememberMe with null password (jderusse)

This PR was merged into the 5.0 branch.

Discussion
----------

[Security] Fix RememberMe with null password

| Q             | A
| ------------- | ---
| Branch?       | 5.0
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | yes
| Tickets       | NA
| License       | MIT
| Doc PR        | NA

`UserInterface::getPassword()` may return null, while `generateCookieHash()` requires a string.
This PR changes the signature of the methods to allow a null password.

Commits
-------

a7d0d82768 Fix RememberMe with null password
This commit is contained in:
Nicolas Grekas 2020-01-20 13:23:27 +01:00
commit 940bba0860


@ -91,12 +91,12 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices
/** /**
* Generates the cookie value. * Generates the cookie value.
* *
* @param int $expires The Unix timestamp when the cookie expires * @param int $expires The Unix timestamp when the cookie expires
* @param string $password The encoded password * @param string|null $password The encoded password
* *
* @return string * @return string
*/ */
protected function generateCookieValue(string $class, string $username, int $expires, string $password) protected function generateCookieValue(string $class, string $username, int $expires, ?string $password)
{ {
// $username is encoded because it might contain COOKIE_DELIMITER, // $username is encoded because it might contain COOKIE_DELIMITER,
// we assume other values don't // we assume other values don't
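Review bot: Widening the `$password` parameter of the protected `generateCookieValue()` from `string` to `?string` is a BC-sensitive change: any subclass that overrides this method with the old `string $password` signature now declares an incompatible (narrower) parameter and fails to load, which is presumably what the "Deprecations? yes" row refers to. Please call this out in the changelog/UPGRADE notes for 5.0, and consider documenting in the docblock what a null `$password` means for the generated value (a user with no stored password), since `@param string|null $password The encoded password` alone does not say when null is expected.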
@ -111,12 +111,12 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices
/** /**
* Generates a hash for the cookie to ensure it is not being tampered with. * Generates a hash for the cookie to ensure it is not being tampered with.
* *
* @param int $expires The Unix timestamp when the cookie expires * @param int $expires The Unix timestamp when the cookie expires
* @param string $password The encoded password * @param string|null $password The encoded password
* *
* @return string * @return string
*/ */
protected function generateCookieHash(string $class, string $username, int $expires, string $password) protected function generateCookieHash(string $class, string $username, int $expires, ?string $password)
{ {
return hash_hmac('sha256', $class.self::COOKIE_DELIMITER.$username.self::COOKIE_DELIMITER.$expires.self::COOKIE_DELIMITER.$password, $this->getSecret()); return hash_hmac('sha256', $class.self::COOKIE_DELIMITER.$username.self::COOKIE_DELIMITER.$expires.self::COOKIE_DELIMITER.$password, $this->getSecret());
} }
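Review bot: With `?string $password`, the body still concatenates `$password` directly into the `hash_hmac()` input, so a null password is silently coerced to an empty string and produces exactly the same cookie hash as a user whose encoded password is `''`. That is acceptable if both mean "no password set", but it should be stated in the docblock rather than left implicit; if the two cases are meant to be distinguishable (e.g. so that setting a password later invalidates existing remember-me cookies the same way for both), consider mapping null to an explicit marker before hashing instead of relying on string coercion.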