Fix CVE 2023-25170 on 1.7.8.x

classes/Employee.php

@@ -25,7 +25,9 @@
  */
 use PrestaShop\PrestaShop\Adapter\CoreException;
 use PrestaShop\PrestaShop\Adapter\ServiceLocator;
+use PrestaShop\PrestaShop\Adapter\SymfonyContainer;
 use PrestaShop\PrestaShop\Core\Crypto\Hashing;
+use PrestaShopBundle\Security\Admin\SessionRenewer;
 
 /**
  * Class EmployeeCore.
@@ -491,6 +493,11 @@ public function logout()
             Context::getContext()->cookie->write();
         }
 
+        $sfContainer = SymfonyContainer::getInstance();
+        if ($sfContainer !== null) {
+            $sfContainer->get(SessionRenewer::class)->renew();
+        }
+
         $this->id = null;
     }
 

controllers/admin/AdminLoginController.php

@@ -24,6 +24,7 @@
  * @license   https://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
  */
 use PrestaShop\PrestaShop\Core\Util\InternationalizedDomainNameConverter;
+use PrestaShopBundle\Security\Admin\SessionRenewer;
 use Symfony\Component\HttpFoundation\IpUtils;
 
 class AdminLoginControllerCore extends AdminController
@@ -262,6 +263,8 @@ public function processLogin()
                     $url = $this->context->link->getAdminLink($tab->class_name);
                 }
 
+                $this->get(SessionRenewer::class)->renew();
+
                 Hook::exec(
                     'actionAdminLoginControllerLoginAfter',
                     [

src/PrestaShopBundle/Resources/config/services/bundle/services.yml

@@ -114,3 +114,8 @@ services:
     PrestaShopBundle\DependencyInjection\RuntimeConstEnvVarProcessor:
         public: false
         tags: ['container.env_var_processor']
+
+    PrestaShopBundle\Security\Admin\SessionRenewer:
+        arguments:
+            $storage: "@security.csrf.token_storage"
+        autowire: true

src/PrestaShopBundle/Security/Admin/SessionRenewer.php

@@ -0,0 +1,76 @@
+<?php
+/**
+ * Copyright since 2007 PrestaShop SA and Contributors
+ * PrestaShop is an International Registered Trademark & Property of PrestaShop SA
+ *
+ * NOTICE OF LICENSE
+ *
+ * This source file is subject to the Open Software License (OSL 3.0)
+ * that is bundled with this package in the file LICENSE.md.
+ * It is also available through the world-wide-web at this URL:
+ * https://opensource.org/licenses/OSL-3.0
+ * If you did not receive a copy of the license and are unable to
+ * obtain it through the world-wide-web, please send an email
+ * to license@prestashop.com so we can send you a copy immediately.
+ *
+ * DISCLAIMER
+ *
+ * Do not edit or add to this file if you wish to upgrade PrestaShop to newer
+ * versions in the future. If you wish to customize PrestaShop for your
+ * needs please refer to https://devdocs.prestashop.com/ for more information.
+ *
+ * @author    PrestaShop SA and Contributors <contact@prestashop.com>
+ * @copyright Since 2007 PrestaShop SA and Contributors
+ * @license   https://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
+ */
+
+declare(strict_types=1);
+
+namespace PrestaShopBundle\Security\Admin;
+
+use Symfony\Component\HttpFoundation\Session\SessionInterface;
+use Symfony\Component\Security\Csrf\TokenStorage\ClearableTokenStorageInterface;
+
+/**
+ * Because PS don't use Symfony login feature, we use this service to fix CVE-2022-24895. This class will be deprecated
+ * when BO login/logout will use full Symfony process
+ *
+ * @internal
+ */
+final class SessionRenewer
+{
+    /**
+     * @var ClearableTokenStorageInterface
+     */
+    private $storage;
+
+    /**
+     * @var SessionInterface
+     */
+    private $session;
+
+    /**
+     * @param ClearableTokenStorageInterface $storage
+     * @param SessionInterface $session
+     */
+    public function __construct(ClearableTokenStorageInterface $storage, SessionInterface $session)
+    {
+        $this->storage = $storage;
+        $this->session = $session;
+    }
+
+    /**
+     * Change PHPSESSID and clear tokens registered in session
+     *
+     * @return void
+     */
+    public function renew(): void
+    {
+        if (!$this->session->isStarted()) {
+            $this->session->start();
+        }
+
+        $this->session->migrate(true);
+        $this->storage->clear();
+    }
+}

tests/Integration/PrestaShopBundle/Admin/Security/SessionRenewerTest.php

@@ -0,0 +1,73 @@
+<?php
+/**
+ * Copyright since 2007 PrestaShop SA and Contributors
+ * PrestaShop is an International Registered Trademark & Property of PrestaShop SA
+ *
+ * NOTICE OF LICENSE
+ *
+ * This source file is subject to the Open Software License (OSL 3.0)
+ * that is bundled with this package in the file LICENSE.md.
+ * It is also available through the world-wide-web at this URL:
+ * https://opensource.org/licenses/OSL-3.0
+ * If you did not receive a copy of the license and are unable to
+ * obtain it through the world-wide-web, please send an email
+ * to license@prestashop.com so we can send you a copy immediately.
+ *
+ * DISCLAIMER
+ *
+ * Do not edit or add to this file if you wish to upgrade PrestaShop to newer
+ * versions in the future. If you wish to customize PrestaShop for your
+ * needs please refer to https://devdocs.prestashop.com/ for more information.
+ *
+ * @author    PrestaShop SA and Contributors <contact@prestashop.com>
+ * @copyright Since 2007 PrestaShop SA and Contributors
+ * @license   https://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
+ */
+
+declare(strict_types=1);
+
+namespace Tests\Integration\PrestaShopBundle\Admin\Security;
+
+use PrestaShopBundle\Security\Admin\SessionRenewer;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+use Symfony\Component\HttpFoundation\Session\SessionInterface;
+use Symfony\Component\Security\Csrf\CsrfTokenManager;
+
+class SessionRenewerTest extends KernelTestCase
+{
+    /**
+     * @var CsrfTokenManager
+     */
+    private $sessionTokenManager;
+
+    /**
+     * @var SessionInterface
+     */
+    private $session;
+
+    /**
+     * @var object|SessionRenewer|null
+     */
+    private $sessionRenewer;
+
+    protected function setUp(): void
+    {
+        self::bootKernel();
+        $container = self::$kernel->getContainer();
+        $this->sessionTokenManager = $container->get('security.csrf.token_manager');
+        $this->session = $container->get('session');
+        $this->sessionRenewer = $container->get(SessionRenewer::class);
+    }
+
+    public function testRenew(): void
+    {
+        $this->session->start();
+        $originalSessionId = $this->session->getId();
+        $tokenValue = $this->sessionTokenManager->getToken('foo')->getValue();
+        self::assertEquals($originalSessionId, $this->session->getId());
+        self::assertEquals($tokenValue, $this->sessionTokenManager->getToken('foo')->getValue());
+        $this->sessionRenewer->renew();
+        self::assertNotEquals($originalSessionId, $this->session->getId());
+        self::assertNotEquals($tokenValue, $this->sessionTokenManager->getToken('foo')->getValue());
+    }
+}