From c003b7a247296e7fdcfb20c2eb175cfb7aaf3c4e Mon Sep 17 00:00:00 2001
From: Nicolas Grekas <nicolas.grekas@gmail.com>
Date: Thu, 11 Jan 2018 10:05:15 +0100
Subject: [PATCH] [SecurityBundle] Fail if security.http_utils cannot be
 configured

---
 .../Compiler/AddSessionDomainConstraintPass.php     |  3 ++-
 .../Bundle/SecurityBundle/SecurityBundle.php        |  2 +-
 .../Compiler/AddSessionDomainConstraintPassTest.php | 13 +++++++++++++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddSessionDomainConstraintPass.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddSessionDomainConstraintPass.php
index 3dd18944de9f..ba523382b66b 100644
--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddSessionDomainConstraintPass.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddSessionDomainConstraintPass.php
@@ -26,7 +26,7 @@ class AddSessionDomainConstraintPass implements CompilerPassInterface
      */
     public function process(ContainerBuilder $container)
     {
-        if (!$container->hasParameter('session.storage.options') || !$container->has('security.http_utils')) {
+        if (!$container->hasParameter('session.storage.options')) {
             return;
         }
 
@@ -34,6 +34,7 @@ public function process(ContainerBuilder $container)
         $domainRegexp = empty($sessionOptions['cookie_domain']) ? '%s' : sprintf('(?:%%s|(?:.+\.)?%s)', preg_quote(trim($sessionOptions['cookie_domain'], '.')));
         $domainRegexp = (empty($sessionOptions['cookie_secure']) ? 'https?://' : 'https://').$domainRegexp;
 
+        // if the service doesn't exist, an exception must be thrown - ignoring would put security at risk
         $container->findDefinition('security.http_utils')->addArgument(sprintf('{^%s$}i', $domainRegexp));
     }
 }
diff --git a/src/Symfony/Bundle/SecurityBundle/SecurityBundle.php b/src/Symfony/Bundle/SecurityBundle/SecurityBundle.php
index 80ccb554ed73..137558569bc2 100644
--- a/src/Symfony/Bundle/SecurityBundle/SecurityBundle.php
+++ b/src/Symfony/Bundle/SecurityBundle/SecurityBundle.php
@@ -50,7 +50,7 @@ public function build(ContainerBuilder $container)
 
         $extension->addUserProviderFactory(new InMemoryFactory());
         $container->addCompilerPass(new AddSecurityVotersPass());
-        $container->addCompilerPass(new AddSessionDomainConstraintPass(), PassConfig::TYPE_AFTER_REMOVING);
+        $container->addCompilerPass(new AddSessionDomainConstraintPass(), PassConfig::TYPE_BEFORE_REMOVING);
         $container->addCompilerPass(new RegisterCsrfTokenClearingLogoutHandlerPass());
     }
 }
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/AddSessionDomainConstraintPassTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/AddSessionDomainConstraintPassTest.php
index 7d49ad3dd4ec..e12f3a64f31f 100644
--- a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/AddSessionDomainConstraintPassTest.php
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/AddSessionDomainConstraintPassTest.php
@@ -96,6 +96,19 @@ public function testNoSession()
         $this->assertTrue($utils->createRedirectResponse($request, 'http://pirate.com/foo')->isRedirect('http://pirate.com/foo'));
     }
 
+    /**
+     * @expectedException \Symfony\Component\DependencyInjection\Exception\ServiceNotFoundException
+     * @expectedExceptionMessage You have requested a non-existent service "security.http_utils".
+     */
+    public function testNoHttpUtils()
+    {
+        $container = new ContainerBuilder();
+        $container->setParameter('session.storage.options', array());
+
+        $pass = new AddSessionDomainConstraintPass();
+        $pass->process($container);
+    }
+
     private function createContainer($sessionStorageOptions)
     {
         $container = new ContainerBuilder();