[Security] Skip clearing CSRF Token on stateless logout #50312


Merged

Conversation

chalasr (Member) opened this pull request:

| Q             | A
| ------------- | ---
| Branch?       | 6.2
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #50310
| License       | MIT
| Doc PR        | -

Not targeting 5.4 LTS as the bug is only breaking on 6.3 although it does exist on prior versions.

@@ -31,6 +32,10 @@ public function __construct(ClearableTokenStorageInterface $csrfTokenStorage)

public function onLogout(LogoutEvent $event): void
{
if ($this->csrfTokenStorage instanceof SessionTokenStorage && !$event->getRequest()->hasPreviousSession()) {
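Review bot: the guard added at the end of this hunk is keyed on the concrete `SessionTokenStorage` class, while the constructor shown in the `@@` header accepts any `ClearableTokenStorageInterface`, so a custom session-backed storage or a decorator wrapping `SessionTokenStorage` would still have `clear()` called on a request without a session and hit the same missing-session failure. Either document in a comment why the concrete-class check is acceptable here, or check the session condition without tying it to the storage implementation. The hunk as shown also ends mid-block, so the early return and the closing brace of the `if` are not visible in this excerpt.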
Member (review comment):

What about fixing it in SessionTokenStorage instead?

chalasr (Member, Author):

Using SessionTokenStorage without a session has been deprecated in 5.x:

    public function clear()
    {
        $session = $this->getSession();
        foreach (array_keys($session->all()) as $key) {
            if (str_starts_with($key, $this->namespace.'/')) {
                $session->remove($key);
            }
        }
    }

    /**
     * @throws SessionNotFoundException
     */
    private function getSession(): SessionInterface

Ideally this listener shouldn't be registered for stateless firewalls, problem is that it's not a per-firewall listener but a global one. We should probably change that in another (feature) PR.
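The failure mode described in the comment above, as an added stand-alone example that is neither Symfony's code nor the code of this PR: every class below (Session, Request, SessionTokenStorage, LogoutEvent, CsrfTokenClearingLogoutListener, the namespace `_csrf`, the constructed session data) is a hypothetical stand-in that only mirrors the shape of the Symfony types named in the thread. `clear()` needs a session or throws, exactly as the quoted code does, and the listener is run once without the guard and once with it, against a stateless request and a request with a session.

```php
<?php
// Added example, not code from Symfony or from this PR. Requires PHP >= 8.0.
// All classes are hypothetical stand-ins for the Symfony types named in the thread.
declare(strict_types=1);

final class SessionNotFoundException extends RuntimeException {}

interface ClearableTokenStorageInterface
{
    public function clear(): void;
}

/** Minimal session bag: all() and remove() are what clear() needs. */
final class Session
{
    /** @param array<string, string> $data */
    public function __construct(private array $data = []) {}

    public function all(): array { return $this->data; }

    public function remove(string $key): void { unset($this->data[$key]); }
}

/** A request on a stateless firewall carries no session at all. */
final class Request
{
    public function __construct(private ?Session $session = null) {}

    // Stand-in for hasPreviousSession(): true only when a session exists.
    public function hasPreviousSession(): bool { return null !== $this->session; }

    /** @throws SessionNotFoundException when the request is stateless */
    public function getSession(): Session
    {
        return $this->session ?? throw new SessionNotFoundException('There is currently no session available.');
    }
}

/** Same behaviour as the quoted clear(): it fetches the session first, so it throws without one. */
final class SessionTokenStorage implements ClearableTokenStorageInterface
{
    public function __construct(private Request $request, private string $namespace = '_csrf') {}

    public function clear(): void
    {
        $session = $this->request->getSession();
        foreach (array_keys($session->all()) as $key) {
            if (str_starts_with($key, $this->namespace.'/')) {
                $session->remove($key);
            }
        }
    }
}

final class LogoutEvent
{
    public function __construct(private Request $request) {}

    public function getRequest(): Request { return $this->request; }
}

/** $guarded = false is the listener before the PR; true adds the guard the PR introduces. */
final class CsrfTokenClearingLogoutListener
{
    public function __construct(
        private ClearableTokenStorageInterface $csrfTokenStorage,
        private bool $guarded,
    ) {}

    public function onLogout(LogoutEvent $event): void
    {
        if ($this->guarded
            && $this->csrfTokenStorage instanceof SessionTokenStorage
            && !$event->getRequest()->hasPreviousSession()) {
            return; // stateless logout: there is no session to clear tokens from
        }
        $this->csrfTokenStorage->clear();
    }
}

// Constructed inputs: one stateless request, one whose session holds a CSRF token.
$requests = [
    'stateless' => fn () => new Request(),
    'stateful'  => fn () => new Request(new Session(['_csrf/form' => 'tok', 'user' => 'alice'])),
];

foreach (['before fix' => false, 'after fix' => true] as $label => $guarded) {
    foreach ($requests as $name => $make) {
        $request  = $make();
        $listener = new CsrfTokenClearingLogoutListener(new SessionTokenStorage($request), $guarded);
        try {
            $listener->onLogout(new LogoutEvent($request));
            printf("%s, %s logout: ok\n", $label, $name);
        } catch (SessionNotFoundException $e) {
            printf("%s, %s logout: %s\n", $label, $name, $e::class);
        }
    }
}
```

Run with `php example.php`. Only the unguarded run against the stateless request reaches `getSession()` without a session and ends in SessionNotFoundException; the guarded listener returns before touching the storage, and the stateful request is cleared in both runs. The guard is deliberately written on the concrete SessionTokenStorage class, as in the PR, so a different ClearableTokenStorageInterface implementation would still be cleared on a stateless logout.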

nicolas-grekas (Member):

Any way to test this?

nicolas-grekas (Member):

Thank you @chalasr.

nicolas-grekas merged commit 684fdd2 into symfony:6.2 on May 19, 2023.
chalasr (Member, Author):

> Any way to test this?

Sure, at least something preventing regressions. I'll do!

chalasr deleted the skip-csrfclear-stateless branch on May 19, 2023 16:00.

chalasr added a commit that referenced this pull request on May 19, 2023:

…tateless logout (chalasr)

This PR was merged into the 6.2 branch.

Discussion
----------

[Security] Test `CsrfTokenClearingLogoutListener` with stateless logout

| Q             | A
| ------------- | ---
| Branch?       | 6.2
| Bug fix?      | no
| New feature?  | no
| Deprecations? | no
| Tickets       | #50312 (comment)
| License       | MIT
| Doc PR        | -

Commits
-------

099ba75 [Security] Test `CsrfTokenClearingLogoutListener` with stateless logout
This was referenced on May 22, 2023.
Reviewers: fabpot (left review comments); wouterj (review requested, code owner)
Assignees: none
Projects: none
Milestone: 6.2
Participants: chalasr, nicolas-grekas, fabpot, carsonbot
