Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Appearance settings

Commit 2eaa7ee

Browse filesBrowse files
Seldaekfabpot
authored andcommitted
[Security] Avoid failing when PersistentRememberMeHandler handles a malformed cookie
1 parent 1719033 commit 2eaa7ee
Copy full SHA for 2eaa7ee

File tree

Expand file treeCollapse file tree

2 files changed

+22
-1
lines changed
Filter options
Expand file treeCollapse file tree

2 files changed

+22
-1
lines changed

‎src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php
+6-1Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -160,7 +160,12 @@ public function clearRememberMeCookie(): void
160160
return;
161161
}
162162

163-
$rememberMeDetails = RememberMeDetails::fromRawCookie($cookie);
163+
try {
164+
$rememberMeDetails = RememberMeDetails::fromRawCookie($cookie);
165+
} catch (AuthenticationException) {
166+
// malformed cookie should not fail the response and can be simply ignored
167+
return;
168+
}
164169
[$series] = explode(':', $rememberMeDetails->getValue());
165170
$this->tokenProvider->deleteTokenBySeries($series);
166171
}

‎src/Symfony/Component/Security/Http/Tests/RememberMe/PersistentRememberMeHandlerTest.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Http/Tests/RememberMe/PersistentRememberMeHandlerTest.php
+16Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -74,6 +74,22 @@ public function testClearRememberMeCookie()
7474
$this->assertNull($cookie->getValue());
7575
}
7676

77+
public function testClearRememberMeCookieMalformedCookie()
78+
{
79+
$this->tokenProvider->expects($this->exactly(0))
80+
->method('deleteTokenBySeries');
81+
82+
$this->request->cookies->set('REMEMBERME', 'malformed');
83+
84+
$this->handler->clearRememberMeCookie();
85+
86+
$this->assertTrue($this->request->attributes->has(ResponseListener::COOKIE_ATTR_NAME));
87+
88+
/** @var Cookie $cookie */
89+
$cookie = $this->request->attributes->get(ResponseListener::COOKIE_ATTR_NAME);
90+
$this->assertNull($cookie->getValue());
91+
}
92+
7793
public function testConsumeRememberMeCookieValid()
7894
{
7995
$this->tokenProvider->expects($this->any())

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.