[SecurityBundle] Fail if security.http_utils cannot be configured

2018-01-11 10:05:15 +01:00 · 2018-01-11 10:05:15 +01:00 · c003b7a247
parent 319e1bdd43
commit c003b7a247
3 changed files with 16 additions and 2 deletions
--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddSessionDomainConstraintPass.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddSessionDomainConstraintPass.php
@ -26,7 +26,7 @@ class AddSessionDomainConstraintPass implements CompilerPassInterface
     */
    public function process(ContainerBuilder $container)
    {
-        if (!$container->hasParameter('session.storage.options') || !$container->has('security.http_utils')) {
+        if (!$container->hasParameter('session.storage.options')) {
            return;
        }

@ -34,6 +34,7 @@ class AddSessionDomainConstraintPass implements CompilerPassInterface
        $domainRegexp = empty($sessionOptions['cookie_domain']) ? '%s' : sprintf('(?:%%s|(?:.+\.)?%s)', preg_quote(trim($sessionOptions['cookie_domain'], '.')));
        $domainRegexp = (empty($sessionOptions['cookie_secure']) ? 'https?://' : 'https://').$domainRegexp;

+        // if the service doesn't exist, an exception must be thrown - ignoring would put security at risk
        $container->findDefinition('security.http_utils')->addArgument(sprintf('{^%s$}i', $domainRegexp));
    }
 }
--- a/src/Symfony/Bundle/SecurityBundle/SecurityBundle.php
+++ b/src/Symfony/Bundle/SecurityBundle/SecurityBundle.php
@ -50,7 +50,7 @@ class SecurityBundle extends Bundle

        $extension->addUserProviderFactory(new InMemoryFactory());
        $container->addCompilerPass(new AddSecurityVotersPass());
-        $container->addCompilerPass(new AddSessionDomainConstraintPass(), PassConfig::TYPE_AFTER_REMOVING);
+        $container->addCompilerPass(new AddSessionDomainConstraintPass(), PassConfig::TYPE_BEFORE_REMOVING);
        $container->addCompilerPass(new RegisterCsrfTokenClearingLogoutHandlerPass());
    }
 }
--- a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/AddSessionDomainConstraintPassTest.php
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/AddSessionDomainConstraintPassTest.php
@ -96,6 +96,19 @@ class AddSessionDomainConstraintPassTest extends TestCase
        $this->assertTrue($utils->createRedirectResponse($request, 'http://pirate.com/foo')->isRedirect('http://pirate.com/foo'));
    }

+    /**
+     * @expectedException \Symfony\Component\DependencyInjection\Exception\ServiceNotFoundException
+     * @expectedExceptionMessage You have requested a non-existent service "security.http_utils".
+     */
+    public function testNoHttpUtils()
+    {
+        $container = new ContainerBuilder();
+        $container->setParameter('session.storage.options', array());
+
+        $pass = new AddSessionDomainConstraintPass();
+        $pass->process($container);
+    }
+
    private function createContainer($sessionStorageOptions)
    {
        $container = new ContainerBuilder();