Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security\Http] Prevent canceled remember-me cookie from being accepted #35239

Merged
merged 1 commit into from Jan 8, 2020

Conversation

@chalasr
Copy link
Member

chalasr commented Jan 6, 2020

Q A
Branch? 3.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets Fix #35198
License MIT
Doc PR -

RememberMeServices::autoLogin() only checks that the cookie exists in $request->cookies while loginFail() only alter $request->attributes (which allows child implementations to read the canceled cookie for e.g. removing a persistent one).
This makes autoLogin() checks for request->attributes first, which fixes the linked issue.

Failure expected on deps=high build.

@nicolas-grekas

This comment has been minimized.

Copy link
Member

nicolas-grekas commented Jan 8, 2020

Thank you @chalasr.

nicolas-grekas added a commit that referenced this pull request Jan 8, 2020
…eing accepted (chalasr)

This PR was merged into the 3.4 branch.

Discussion
----------

[Security\Http] Prevent canceled remember-me cookie from being accepted

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #35198
| License       | MIT
| Doc PR        | -

`RememberMeServices::autoLogin()` only checks that the cookie exists in `$request->cookies` while `loginFail()` only alter `$request->attributes` (which allows child implementations to read the canceled cookie for e.g. removing a persistent one).
This makes `autoLogin()` checks for `request->attributes` first, which fixes the linked issue.

Failure expected on deps=high build.

Commits
-------

9b711b8 [Security] Prevent canceled remember-me cookie from being accepted
@nicolas-grekas nicolas-grekas merged commit 9b711b8 into symfony:3.4 Jan 8, 2020
1 of 3 checks passed
1 of 3 checks passed
continuous-integration/appveyor/pr AppVeyor build failed
Details
continuous-integration/travis-ci/pr The Travis CI build failed
Details
fabbot.io Your code looks good.
Details
@chalasr chalasr deleted the chalasr:skip-rememberme-deauth branch Jan 8, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.