From e6e162075df0c2bff2443f9cb45083dc1df00c20 Mon Sep 17 00:00:00 2001
From: Nicolas Grekas
Date: Thu, 14 Mar 2019 09:47:00 +0100
Subject: [PATCH] [HttpClient] strengthen bearer validation

---
 src/Symfony/Component/HttpClient/HttpClientTrait.php | 4 ++--
 .../HttpClient/Tests/HttpClientTraitTest.php | 11 ++++++++++-
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/Symfony/Component/HttpClient/HttpClientTrait.php b/src/Symfony/Component/HttpClient/HttpClientTrait.php
index d3ecafbd4ec8..223eba3e010f 100644
--- a/src/Symfony/Component/HttpClient/HttpClientTrait.php
+++ b/src/Symfony/Component/HttpClient/HttpClientTrait.php
@@ -84,8 +84,8 @@ private static function prepareRequest(?string $method, ?string $url, array $opt
             throw new InvalidArgumentException(sprintf('Option "auth_basic" must be string or an array, %s given.', \gettype($options['auth_basic'])));
         }
 
-        if (!\is_string($options['auth_bearer'] ?? '')) {
-            throw new InvalidArgumentException(sprintf('Option "auth_bearer" must be string, %s given.', \gettype($options['auth_bearer'])));
+        if (isset($options['auth_bearer']) && (!\is_string($options['auth_bearer']) || !preg_match('{^[-._~+/0-9a-zA-Z]++=*+$}', $options['auth_bearer']))) {
+            throw new InvalidArgumentException(sprintf('Option "auth_bearer" must be a string containing only characters from the base 64 alphabet, %s given.', \is_string($options['auth_bearer']) ? 'invalid string' : \gettype($options['auth_bearer'])));
         }
 
         if (isset($options['auth_basic'], $options['auth_bearer'])) {
diff --git a/src/Symfony/Component/HttpClient/Tests/HttpClientTraitTest.php b/src/Symfony/Component/HttpClient/Tests/HttpClientTraitTest.php
index 90062278df0c..37ab4c562252 100644
--- a/src/Symfony/Component/HttpClient/Tests/HttpClientTraitTest.php
+++ b/src/Symfony/Component/HttpClient/Tests/HttpClientTraitTest.php
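Review bot: The new `preg_match` on the added `auth_bearer` line still accepts a token that ends in a single newline, because a PCRE `$` without the `D` modifier also matches just before a final `\n`; `"abc\n"` passes the check while the test's `"a\nb"` is correctly rejected. Since the purpose of this check is to keep line-terminating characters out of the Authorization header value, anchor the end with `\z` or add `D`: `!preg_match('{^[-._~+/0-9a-zA-Z]++=*+$}D', $options['auth_bearer'])`. The character class is the RFC 6750 b64token grammar (`ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/"` followed by optional `=` padding), which is worth stating in a one-line comment above the condition so a later reader does not loosen it. The body of prepareRequest starts and ends outside the hunk.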
@@ -174,13 +174,22 @@ public function testAuthBearerOption()
     /**
      * @expectedException \Symfony\Component\HttpClient\Exception\InvalidArgumentException
-     * @expectedExceptionMessage Option "auth_bearer" must be string, object given.
+     * @expectedExceptionMessage Option "auth_bearer" must be a string containing only characters from the base 64 alphabet, object given.
      */
     public function testInvalidAuthBearerOption()
     {
         self::prepareRequest('POST', 'http://example.com', ['auth_bearer' => new \stdClass()], HttpClientInterface::OPTIONS_DEFAULTS);
     }
 
+    /**
+     * @expectedException \Symfony\Component\HttpClient\Exception\InvalidArgumentException
+     * @expectedExceptionMessage Option "auth_bearer" must be a string containing only characters from the base 64 alphabet, invalid string given.
+     */
+    public function testInvalidAuthBearerValue()
+    {
+        self::prepareRequest('POST', 'http://example.com', ['auth_bearer' => "a\nb"], HttpClientInterface::OPTIONS_DEFAULTS);
+    }
+
     /**
      * @expectedException \Symfony\Component\HttpClient\Exception\InvalidArgumentException
      * @expectedExceptionMessage Define either the "auth_basic" or the "auth_bearer" option, setting both is not supported.