Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
bug #34788 [SecurityBundle] Properly escape regex in AddSessionDomain…
…ConstraintPass (fancyweb)

This PR was merged into the 3.4 branch.

Discussion
----------

[SecurityBundle] Properly escape regex in AddSessionDomainConstraintPass

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | #34774
| License       | MIT
| Doc PR        | -

`%s` should be escaped, so it is dumped as `%%s` (it ends up being properly unescaped at load time, so the passed value to the service is the same).

Commits
-------

de03cee [SecurityBundle] Properly escape regex in AddSessionDomainConstraintPass
  • Loading branch information
chalasr committed Dec 6, 2019
2 parents 5807f5f + de03cee commit ae6c5d3
Showing 1 changed file with 1 addition and 1 deletion.
Expand Up @@ -31,7 +31,7 @@ public function process(ContainerBuilder $container)
}

$sessionOptions = $container->getParameter('session.storage.options');
$domainRegexp = empty($sessionOptions['cookie_domain']) ? '%s' : sprintf('(?:%%s|(?:.+\.)?%s)', preg_quote(trim($sessionOptions['cookie_domain'], '.')));
$domainRegexp = empty($sessionOptions['cookie_domain']) ? '%%s' : sprintf('(?:%%%%s|(?:.+\.)?%s)', preg_quote(trim($sessionOptions['cookie_domain'], '.')));
$domainRegexp = (empty($sessionOptions['cookie_secure']) ? 'https?://' : 'https://').$domainRegexp;

$container->findDefinition('security.http_utils')->addArgument(sprintf('{^%s$}i', $domainRegexp));
Expand Down

0 comments on commit ae6c5d3

Please sign in to comment.