Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit 64be67e

Browse filesBrowse files
nicolas-grekasnicolas-grekas
committed
bug #47488 [Security] Fix valid remember-me token exposure to the second consequent request (Ivan Kurnosov)
This PR was merged into the 5.4 branch. Discussion ---------- [Security] Fix valid remember-me token exposure to the second consequent request Close #42343 Fix #46760 | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no <!-- please update src/**/CHANGELOG.md files --> | Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files --> | Tickets | Fix #42343, Fix #46760 <!-- prefix each issue number with "Fix #", no need to create an issue if none exist, explain below instead --> | License | MIT | Doc PR | symfony/symfony-docs#... <!-- required for new features --> <!-- Replace this notice by a short README for your feature/bugfix. This will help reviewers and should be a good start for the documentation. Additionally (see https://symfony.com/releases): - Always add tests and ensure they pass. - Bug fixes must be submitted against the lowest maintained branch where they apply (lowest branches are regularly merged to upper ones so they get the fixes too). - Features and deprecations must be submitted against the latest branch. - For new features, provide some code snippets to help understand usage. - Changelog entry should follow https://symfony.com/doc/current/contributing/code/conventions.html#writing-a-changelog-entry - Never break backward compatibility (see https://symfony.com/bc). --> #46760 PR together with a fix produces a security vulnerability when a malicious actor may get a **new and valid** remember me token if makes a request right after the legit user. Commits ------- 62ceded Bug #42343 [Security] Fix valid remember-me token exposure to the second consequent request
2 parents 1af379a + 62ceded commit 64be67e
Copy full SHA for 64be67e

File tree

2 files changed

+3
-15
lines changed
Filter options

2 files changed

+3
-15
lines changed

‎src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php
+2-3Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -75,7 +75,6 @@ public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInte
7575

7676
if ($this->tokenVerifier) {
7777
$isTokenValid = $this->tokenVerifier->verifyToken($persistentToken, $tokenValue);
78-
$tokenValue = $persistentToken->getTokenValue();
7978
} else {
8079
$isTokenValid = hash_equals($persistentToken->getTokenValue(), $tokenValue);
8180
}
@@ -96,9 +95,9 @@ public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInte
9695
$this->tokenVerifier->updateExistingToken($persistentToken, $tokenValue, $tokenLastUsed);
9796
}
9897
$this->tokenProvider->updateToken($series, $tokenValue, $tokenLastUsed);
99-
}
10098

101-
$this->createCookie($rememberMeDetails->withValue($series.':'.$tokenValue));
99+
$this->createCookie($rememberMeDetails->withValue($series.':'.$tokenValue));
100+
}
102101
}
103102

104103
/**

‎src/Symfony/Component/Security/Http/Tests/RememberMe/PersistentRememberMeHandlerTest.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Http/Tests/RememberMe/PersistentRememberMeHandlerTest.php
+1-12Lines changed: 1 addition & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -125,18 +125,7 @@ public function testConsumeRememberMeCookieValidByValidatorWithoutUpdate()
125125
$rememberMeDetails = new RememberMeDetails(InMemoryUser::class, 'wouter', 360, 'series1:oldTokenValue');
126126
$handler->consumeRememberMeCookie($rememberMeDetails);
127127

128-
// assert that the cookie has been updated with a new base64 encoded token value
129-
$this->assertTrue($this->request->attributes->has(ResponseListener::COOKIE_ATTR_NAME));
130-
131-
/** @var Cookie $cookie */
132-
$cookie = $this->request->attributes->get(ResponseListener::COOKIE_ATTR_NAME);
133-
134-
$cookieParts = explode(':', base64_decode($cookie->getValue()), 4);
135-
136-
$this->assertSame(InMemoryUser::class, $cookieParts[0]); // class
137-
$this->assertSame(base64_encode('wouter'), $cookieParts[1]); // identifier
138-
$this->assertSame('360', $cookieParts[2]); // expire
139-
$this->assertSame('series1:tokenvalue', $cookieParts[3]); // value
128+
$this->assertFalse($this->request->attributes->has(ResponseListener::COOKIE_ATTR_NAME));
140129
}
141130

142131
public function testConsumeRememberMeCookieInvalidToken()

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.