bug #35335 [Security] Fix RememberMe with null password (jderusse)

This PR was merged into the 5.0 branch. Discussion ---------- [Security] Fix RememberMe with null password | Q | A | ------------- | --- | Branch? | 5.0 | Bug fix? | yes | New feature? | no | Deprecations? | yes | Tickets | NA | License | MIT | Doc PR | NA From `UserInterface` the method getPassword may return null, while generateCookieHash requires a string. This PR changes the signature of the methods to allows null password Commits ------- a7d0d82 Fix RememberMe with null password
symfony · Jan 20, 2020 · 940bba0 · 940bba0
2 parents 0dcf2fc + a7d0d82
commit 940bba0
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php b/src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php
@@ -91,12 +91,12 @@ protected function onLoginSuccess(Request $request, Response $response, TokenInt
     /**
      * Generates the cookie value.
      *
-     * @param int    $expires  The Unix timestamp when the cookie expires
-     * @param string $password The encoded password
+     * @param int         $expires  The Unix timestamp when the cookie expires
+     * @param string|null $password The encoded password
      *
      * @return string
      */
-    protected function generateCookieValue(string $class, string $username, int $expires, string $password)
+    protected function generateCookieValue(string $class, string $username, int $expires, ?string $password)
     {
         // $username is encoded because it might contain COOKIE_DELIMITER,
         // we assume other values don't
@@ -111,12 +111,12 @@ protected function generateCookieValue(string $class, string $username, int $exp
     /**
      * Generates a hash for the cookie to ensure it is not being tampered with.
      *
-     * @param int    $expires  The Unix timestamp when the cookie expires
-     * @param string $password The encoded password
+     * @param int         $expires  The Unix timestamp when the cookie expires
+     * @param string|null $password The encoded password
      *
      * @return string
      */
-    protected function generateCookieHash(string $class, string $username, int $expires, string $password)
+    protected function generateCookieHash(string $class, string $username, int $expires, ?string $password)
     {
         return hash_hmac('sha256', $class.self::COOKIE_DELIMITER.$username.self::COOKIE_DELIMITER.$expires.self::COOKIE_DELIMITER.$password, $this->getSecret());
     }