security #cve-2018-11385 migrating session for UsernamePasswordJsonAuthenticationListener

* cve-2018-11385-3.4: migrating session for UsernamePasswordJsonAuthenticationListener
2018-05-23 15:56:36 +02:00 · 2018-05-23 15:56:36 +02:00 · b5fef05c1b
commit b5fef05c1b
parent d9b0f47d3d 625fece149
1 changed files with 13 additions and 0 deletions
--- a/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordJsonAuthenticationListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordJsonAuthenticationListener.php
@ -139,6 +139,8 @@ class UsernamePasswordJsonAuthenticationListener implements ListenerInterface
            $this->logger->info('User has been authenticated successfully.', array('username' => $token->getUsername()));
        }

+        $this->migrateSession($request);
+
        $this->tokenStorage->setToken($token);

        if (null !== $this->eventDispatcher) {
@ -182,4 +184,15 @@ class UsernamePasswordJsonAuthenticationListener implements ListenerInterface

        return $response;
    }
+
+    private function migrateSession(Request $request)
+    {
+        if (!$request->hasSession() || !$request->hasPreviousSession()) {
+            return;
+        }
+        // Destroying the old session is broken in php 5.4.0 - 5.4.10
+        // See https://bugs.php.net/63379
+        $destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
+        $request->getSession()->migrate($destroy);
+    }
 }