
[Security] Fix valid remember-me token exposure to the second consequent request #47488


Conversation

zerkms (Contributor) commented Sep 4, 2022, edited

Close #42343
Fix #46760

Q              A
Branch?        5.4
Bug fix?       yes
New feature?   no
Deprecations?  no
Tickets        Fix #42343, Fix #46760
License        MIT
Doc PR         symfony/symfony-docs#...

PR #46760 together with a fix produces a security vulnerability, where a malicious actor may get a new and valid remember-me token if they make a request right after the legit user.

carsonbot added this to the 6.2 milestone, Sep 4, 2022
carsonbot changed the title from "Bug #42343 [Security] Fix valid remember-me token exposure to the second consequent request" to "[Security] Bug #42343 Fix valid remember-me token exposure to the second consequent request", Sep 4, 2022
nicolas-grekas changed the title from "[Security] Bug #42343 Fix valid remember-me token exposure to the second consequent request" to "[Security] Fix valid remember-me token exposure to the second consequent request", Sep 5, 2022
nicolas-grekas changed the base branch from 6.2 to 5.4, September 5, 2022 15:55
nicolas-grekas modified the milestones: 6.2, 5.4, Sep 5, 2022
nicolas-grekas (Member) left a comment


This change looks correct to me.

2 requests come by at the same time with tokenA:

  • the one that wins the race persists and sends back tokenB
  • the other one accepts tokenA but doesn't send any cookie back, aka tokenB from req 1 stays in the cookie jar.

Unless I missed something, this still fixes the situation that @heiglandreas describes in #46760 while preventing a needless disclosure of the currently valid token to the 2nd request.

/cc @Seldaek in case you want to have a look.

I'm just worried that although this causes a possible security threat, the security disclosure process hasn't been followed appropriately. Please be more careful in the future.

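As an added illustration of the race described in the review comment above (example code written for this page, not Symfony's PersistentRememberMeHandler): a small Python model of a persistent remember-me handler that rotates the token value when the presented value matches, and accepts a value that has just been rotated away within an assumed 60-second grace window. The `expose_on_grace` switch, the `GRACE_SECONDS` constant and the `simulate_race` helper are assumptions of this model. With the switch on, the request that loses the race is handed the currently valid token (the disclosure this PR removes); with it off, that request is accepted but no cookie is set, so token B from the winning request stays in the browser's cookie jar.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed grace window (seconds): a value that was just rotated away is still
# accepted, so two concurrent requests from one browser do not lock it out.
GRACE_SECONDS = 60


@dataclass
class PersistentToken:
    series: str
    value: str
    last_used: float


@dataclass
class Response:
    accepted: bool
    set_cookie: Optional[str]  # remember-me value sent back to the client, if any


class RememberMeHandler:
    """Constructed model of a persistent remember-me handler (not Symfony's code)."""

    def __init__(self, expose_on_grace: bool):
        self._store: dict[str, PersistentToken] = {}
        # True models the behaviour this PR removes: the request that loses the
        # race is handed the currently valid token in a fresh cookie.
        self.expose_on_grace = expose_on_grace

    def create(self, series: str, now: float) -> str:
        """Issue the initial token value for a series (token A)."""
        value = secrets.token_hex(16)
        self._store[series] = PersistentToken(series, value, now)
        return value

    def stored_value(self, series: str) -> Optional[str]:
        token = self._store.get(series)
        return token.value if token else None

    def consume(self, series: str, presented: str, now: float) -> Response:
        token = self._store.get(series)
        if token is None:
            return Response(False, None)
        if secrets.compare_digest(token.value, presented):
            # Winner of the race: rotate the value and return it in the cookie.
            token.value = secrets.token_hex(16)
            token.last_used = now
            return Response(True, token.value)
        if now - token.last_used <= GRACE_SECONDS:
            # Mismatch shortly after a rotation: treat it as a concurrent
            # request from the same client and accept it.
            if self.expose_on_grace:
                return Response(True, token.value)  # discloses the valid token
            return Response(True, None)  # fixed: accept, but set no cookie
        # Mismatch outside the grace window: possible cookie theft, reject.
        return Response(False, None)


def simulate_race(expose_on_grace: bool) -> dict:
    """Two requests present the same token A; the first one wins the race."""
    handler = RememberMeHandler(expose_on_grace)
    token_a = handler.create("series-1", now=1000.0)
    first = handler.consume("series-1", token_a, now=1000.5)   # wins, gets token B
    second = handler.consume("series-1", token_a, now=1000.9)  # loses, inside grace
    late = handler.consume("series-1", token_a, now=1000.5 + GRACE_SECONDS + 5)
    return {
        "token_b": handler.stored_value("series-1"),
        "first": first,
        "second": second,
        "late": late,
    }


if __name__ == "__main__":
    for mode in (True, False):
        result = simulate_race(expose_on_grace=mode)
        label = "exposing" if mode else "fixed"
        print(f"{label}: second request cookie = {result['second'].set_cookie!r}")
```

Running the script shows the difference directly: in the exposing mode the second request's cookie equals the value now stored for the series (token B), while in the fixed mode it is `None`, and a request presenting token A after the grace window is rejected in both modes.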
zerkms force-pushed the 42343-remember-me-cookie-2nd-request branch from 7e9f27c to 62ceded, September 5, 2022 21:24

nicolas-grekas (Member) commented

Thank you @zerkms.


nicolas-grekas merged commit 64be67e into symfony:5.4, Sep 8, 2022
This was referenced Sep 30, 2022

heiglandreas (Contributor) commented

Throughout the last days I debugged some odd occurrences and was able to track them down to this PR.

I will create a new issue for that so that we can track that accordingly.


Reviewers

nicolas-grekas approved these changes
Awaiting requested review from wouterj
Awaiting requested review from chalasr (code owner)


Milestone

5.4

Development

Successfully merging this pull request may close these issues.

PersistentRememberMeHandler - race condition in returned cookies

4 participants: @zerkms, @nicolas-grekas, @heiglandreas, @carsonbot
