Commiteff9b52

minor#59558 [Security] Unset token roles when serializing it and user implements EquatableInterface (nicolas-grekas)
This PR was merged into the 7.3 branch.Discussion----------[Security] Unset token roles when serializing it and user implements EquatableInterface| Q | A| ------------- | ---| Branch? | 7.3| Bug fix? | no| New feature? | no| Deprecations? | no| Issues | -| License | MITWhen the user object implement EquatableInterface, we never read the roles stored in the token object that wraps the user in the session storage.This PR ensures we don't store these roles either - they're just wasting space.Commits-------b7c55c8 [Security] Unset token roles when serializing it and user implements EquatableInterface
2 parents909c1fe +b7c55c8 commiteff9b52

3 files changed

+25
-10
lines changed


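--- a/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php
+++ b/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php
@@ -11,6 +11,7 @@
 
 namespaceSymfony\Component\Security\Core\Authentication\Token;
 
+useSymfony\Component\Security\Core\User\EquatableInterface;
 useSymfony\Component\Security\Core\User\InMemoryUser;
 useSymfony\Component\Security\Core\User\UserInterface;
 
@@ -23,24 +24,24 @@
 abstractclass AbstractTokenimplements TokenInterface, \Serializable
 {
 private ?UserInterface$user =null;
-privatearray$roleNames = [];
+privatearray$roleNames;
 privatearray$attributes = [];
 
 /**
 * @param string[] $roles An array of roles
-*
-* @throws \InvalidArgumentException
 */
 publicfunction__construct(array$roles = [])
 {
+$this->roleNames = [];
+
 foreach ($rolesas$role) {
-$this->roleNames[] =$role;
+$this->roleNames[] =(string)$role;
 }
 }
 
 publicfunctiongetRoleNames():array
 {
-return$this->roleNames;
+return$this->roleNames ??=self::__construct($this->user->getRoles()) ??$this->roleNames;
 }
 
 publicfunctiongetUserIdentifier():string
@@ -82,7 +83,13 @@ public function eraseCredentials(): void
 */
 publicfunction__serialize():array
 {
-return [$this->user,true,null,$this->attributes,$this->roleNames];
+$data = [$this->user,true,null,$this->attributes];
+
+if (!$this->userinstanceof EquatableInterface) {
+$data[] =$this->roleNames;
+}
+
+return$data;
 }
 
 /**
@@ -103,7 +110,12 @@ public function __serialize(): array
 */
 publicfunction__unserialize(array$data):void
 {
-[$user, , ,$this->attributes,$this->roleNames] =$data;
+[$user, , ,$this->attributes] =$data;
+
+if (\array_key_exists(4,$data)) {
+$this->roleNames =$data[4];
+}
+
 $this->user =\is_string($user) ?newInMemoryUser($user,'',$this->roleNames,false) :$user;
 }
 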
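Review bot: In `__unserialize`, when index 4 is absent the typed property `$roleNames` is left uninitialised, and the string-user branch on the next line then reads it as the `InMemoryUser` roles, which throws an Error for a session payload that carries a string user but no roles entry (the new layout only omits index 4 for EquatableInterface users, so this is a malformed-payload path, but data coming back from session storage deserves a defensive guard). Passing `$this->roleNames ?? []` in that branch keeps the lazy recomputation in `getRoleNames()` intact; `$this->roleNames = $data[4] ?? []` would not, because a non-null value suppresses the `??=` rebuild. The `__serialize`/`__unserialize` docblocks (partly outside the hunk) should also state the new layout, e.g. `* Index 4 (role names) is omitted when the user implements EquatableInterface; getRoleNames() then rebuilds them from the user.` The `??= self::__construct(...) ?? $this->roleNames` expression in `getRoleNames()` is terse enough that an explicit `if (!isset($this->roleNames))` block would read more clearly.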

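--- a/src/Symfony/Component/Security/Core/Tests/Exception/CustomUserMessageAuthenticationExceptionTest.php
+++ b/src/Symfony/Component/Security/Core/Tests/Exception/CustomUserMessageAuthenticationExceptionTest.php
@@ -53,6 +53,7 @@ public function testSharedSerializedData()
 $exception->setSafeMessage('message', ['token' =>$token]);
 
 $processed =unserialize(serialize($exception));
+$this->assertSame($token->getRoleNames(),$processed->getToken()->getRoleNames());
 $this->assertEquals($token,$processed->getToken());
 $this->assertEquals($token,$processed->getMessageData()['token']);
 $this->assertSame($processed->getToken(),$processed->getMessageData()['token']);
@@ -67,6 +68,7 @@ public function testSharedSerializedDataFromChild()
 $exception->setToken($token);
 
 $processed =unserialize(serialize($exception));
+$this->assertSame($token->getRoleNames(),$processed->getToken()->getRoleNames());
 $this->assertEquals($token,$processed->childMember);
 $this->assertEquals($token,$processed->getToken());
 $this->assertSame($processed->getToken(),$processed->childMember);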

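--- a/src/Symfony/Component/Security/Http/Firewall/ContextListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/ContextListener.php
@@ -308,11 +308,12 @@ private static function hasUserChanged(UserInterface $originalUser, TokenInterfa
 }
 }
 
-$userRoles =array_map('strval',$refreshedUser->getRoles());
+$refreshedRoles =array_map('strval',$refreshedUser->getRoles());
+$originalRoles =$refreshedToken->getRoleNames();// This comes from cloning the original token, so it still contains the roles of the original user
 
 if (
-\count($userRoles) !==\count($refreshedToken->getRoleNames())
-||\count($userRoles) !==\count(array_intersect($userRoles,$refreshedToken->getRoleNames()))
+\count($refreshedRoles) !==\count($originalRoles)
+||\count($refreshedRoles) !==\count(array_intersect($refreshedRoles,$originalRoles))
 ) {
 returntrue;
 }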
