diogo/symfony
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch '4.1'

Browse Source 
* 4.1:
  migrating session for UsernamePasswordJsonAuthenticationListener
  migrating session for UsernamePasswordJsonAuthenticationListener
  Adding session authentication strategy to Guard to avoid session fixation
  Adding session strategy to ALL listeners to avoid *any* possible fixation
  [HttpFoundation] Break infinite loop in PdoSessionHandler when MySQL is in loose mode
This commit is contained in:
Fabien Potencier 2018-05-23 17:10:58 +02:00
commit dbac70964e
8 changed files with 88 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/Symfony/Component/HttpFoundation/Session/Storage/Handler/PdoSessionHandler.php
View File

@ -616,6 +616,7 @@ class PdoSessionHandler extends AbstractSessionHandler
$selectSql = $this->getSelectSql();
$selectStmt = $this->pdo->prepare($selectSql);
$selectStmt->bindParam(':id', $sessionId, \PDO::PARAM_STR);
$insertStmt = null;
do {
$selectStmt->execute();
@ -631,6 +632,11 @@ class PdoSessionHandler extends AbstractSessionHandler
return is_resource($sessionRows[0][0]) ? stream_get_contents($sessionRows[0][0]) : $sessionRows[0][0];
}
if (null !== $insertStmt) {
$this->rollback();
throw new \RuntimeException('Failed to read session: INSERT reported a duplicate id but next SELECT did not return any data.');
}
if (!ini_get('session.use_strict_mode') && self::LOCK_TRANSACTIONAL === $this->lockMode && 'sqlite' !== $this->driver) {
// In strict mode, session fixation is not possible: new sessions always start with a unique
// random id, so that concurrency is not possible and this code path can be skipped.

13
src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php
View File

@ -48,6 +48,7 @@ class GuardAuthenticatorHandler
*/
public function authenticateWithToken(TokenInterface $token, Request $request)
{
$this->migrateSession($request);
$this->tokenStorage->setToken($token);
if (null !== $this->dispatcher) {
@ -108,4 +109,16 @@ class GuardAuthenticatorHandler
is_object($response) ? get_class($response) : gettype($response)
));
}
private function migrateSession(Request $request)
{
if (!$request->hasSession() || !$request->hasPreviousSession()) {
return;
}
// Destroying the old session is broken in php 5.4.0 - 5.4.10
// See https://bugs.php.net/63379
$destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
$request->getSession()->migrate($destroy);
}
}

15
src/Symfony/Component/Security/Http/Firewall/AbstractPreAuthenticatedListener.php
View File

@ -82,6 +82,9 @@ abstract class AbstractPreAuthenticatedListener implements ListenerInterface
if (null !== $this->logger) {
$this->logger->info('Pre-authentication successful.', array('token' => (string) $token));
}
$this->migrateSession($request);
$this->tokenStorage->setToken($token);
if (null !== $this->dispatcher) {
@ -114,4 +117,16 @@ abstract class AbstractPreAuthenticatedListener implements ListenerInterface
* @return array An array composed of the user and the credentials
*/
abstract protected function getPreAuthenticatedData(Request $request);
private function migrateSession(Request $request)
{
if (!$request->hasSession() || !$request->hasPreviousSession()) {
return;
}
// Destroying the old session is broken in php 5.4.0 - 5.4.10
// See https://bugs.php.net/63379
$destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
$request->getSession()->migrate($destroy);
}
}

16
src/Symfony/Component/Security/Http/Firewall/BasicAuthenticationListener.php
View File

@ -11,6 +11,7 @@
namespace Symfony\Component\Security\Http\Firewall;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
@ -70,6 +71,9 @@ class BasicAuthenticationListener implements ListenerInterface
try {
$token = $this->authenticationManager->authenticate(new UsernamePasswordToken($username, $request->headers->get('PHP_AUTH_PW'), $this->providerKey));
$this->migrateSession($request);
$this->tokenStorage->setToken($token);
} catch (AuthenticationException $e) {
$token = $this->tokenStorage->getToken();
@ -88,4 +92,16 @@ class BasicAuthenticationListener implements ListenerInterface
$event->setResponse($this->authenticationEntryPoint->start($request, $e));
}
}
private function migrateSession(Request $request)
{
if (!$request->hasSession() || !$request->hasPreviousSession()) {
return;
}
// Destroying the old session is broken in php 5.4.0 - 5.4.10
// See https://bugs.php.net/63379
$destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
$request->getSession()->migrate($destroy);
}
}

16
src/Symfony/Component/Security/Http/Firewall/SimplePreAuthenticationListener.php
View File

@ -11,6 +11,7 @@
namespace Symfony\Component\Security\Http\Firewall;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
use Psr\Log\LoggerInterface;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
@ -77,6 +78,9 @@ class SimplePreAuthenticationListener implements ListenerInterface
}
$token = $this->authenticationManager->authenticate($token);
$this->migrateSession($request);
$this->tokenStorage->setToken($token);
if (null !== $this->dispatcher) {
@ -111,4 +115,16 @@ class SimplePreAuthenticationListener implements ListenerInterface
}
}
}
private function migrateSession(Request $request)
{
if (!$request->hasSession() || !$request->hasPreviousSession()) {
return;
}
// Destroying the old session is broken in php 5.4.0 - 5.4.10
// See https://bugs.php.net/63379
$destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
$request->getSession()->migrate($destroy);
}
}

13
src/Symfony/Component/Security/Http/Firewall/UsernamePasswordJsonAuthenticationListener.php
View File

@ -139,6 +139,8 @@ class UsernamePasswordJsonAuthenticationListener implements ListenerInterface
$this->logger->info('User has been authenticated successfully.', array('username' => $token->getUsername()));
}
$this->migrateSession($request);
$this->tokenStorage->setToken($token);
if (null !== $this->eventDispatcher) {
@ -182,4 +184,15 @@ class UsernamePasswordJsonAuthenticationListener implements ListenerInterface
return $response;
}
private function migrateSession(Request $request)
{
if (!$request->hasSession() || !$request->hasPreviousSession()) {
return;
}
// Destroying the old session is broken in php 5.4.0 - 5.4.10
// See https://bugs.php.net/63379
$destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
$request->getSession()->migrate($destroy);
}
}

8
src/Symfony/Component/Security/Http/Session/SessionAuthenticationStrategy.php
View File

@ -47,7 +47,13 @@ class SessionAuthenticationStrategy implements SessionAuthenticationStrategyInte
return;
case self::MIGRATE:
$request->getSession()->migrate(true);
// Note: this logic is duplicated in several authentication listeners
// until Symfony 5.0 due to a security fix with BC compat
// Destroying the old session is broken in php 5.4.0 - 5.4.10
// See https://bugs.php.net/63379
$destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
$request->getSession()->migrate($destroy);
return;

4
src/Symfony/Component/Security/Http/Session/SessionAuthenticationStrategyInterface.php
View File

@ -27,8 +27,8 @@ interface SessionAuthenticationStrategyInterface
/**
* This performs any necessary changes to the session.
*
* This method is called before the TokenStorage is populated with a
* Token, and only by classes inheriting from AbstractAuthenticationListener.
* This method should be called before the TokenStorage is populated with a
* Token. It should be used by authentication listeners when a session is used.
*/
public function onAuthentication(Request $request, TokenInterface $token);
}