[Security] Avoid failing when PersistentRememberMeHandler handles a malformed cookie #60379


Merged
fabpot merged 1 commit into symfony:6.4 from Seldaek:patch-33
May 9, 2025


Seldaek
Member

Q                A
Branch?          6.4
Bug fix?         yes
New feature?     no
Deprecations?    no
Issues           Fix #...
License          MIT

If the remember me cookie is malformed like "foo" then the page crashes due to https://github.com/symfony/symfony/blob/7.3/src/Symfony/Component/Security/Http/RememberMe/RememberMeDetails.php#L39

Not a huge deal but not very elegant

@xabbuh
Member

Can we cover this case with a test?

@Seldaek
Member, Author

Added a test yes. I think looking a bit more at what happens the flow is like this:

  • RememberMeAuthenticator::authenticate attempts to read the cookie, that throws an AuthenticationException which fails the login
  • RememberMeListener handles the LoginFailureEvent and calls clearRememberMeCookie
  • the clearing tries to read the cookie first and that throws if it is malformed (fixed by this PR so it is caught and the cookie is cleared without failure, the persistent data is not cleared obviously as we cannot map any persistent data from a malformed cookie)
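
The flow described in the comment above, as an added PHP sketch that is not Symfony's code and not part of the original thread. `MalformedCookie`, `parseCookie`, `clearCookieBefore` and `clearCookieAfter` are hypothetical stand-ins, the `class:user:expires:series` cookie layout is an assumption of this model, and the sample data is constructed.

```php
<?php
declare(strict_types=1);

// Stand-in for the AuthenticationException thrown on a malformed cookie.
final class MalformedCookie extends RuntimeException {}

// Hypothetical parser; this model assumes "class:user:expires:series".
function parseCookie(string $raw): array
{
    $parts = explode(':', $raw, 4);
    if (4 !== count($parts)) {
        throw new MalformedCookie('The cookie contains invalid data.');
    }
    return ['user' => $parts[1], 'series' => $parts[3]];
}

// Before the fix: clearing re-parses the cookie, so a malformed value throws
// a second time, now inside the login-failure handling.
function clearCookieBefore(string $raw, array &$tokens): string
{
    $details = parseCookie($raw);
    unset($tokens[$details['series']]);
    return 'cookie cleared, token removed';
}

// After the fix: the parse error is caught, the cookie is still cleared, and
// the token store is left alone because no series can be read from the cookie.
function clearCookieAfter(string $raw, array &$tokens): string
{
    try {
        $details = parseCookie($raw);
    } catch (MalformedCookie) {
        return 'cookie cleared, token store untouched';
    }
    unset($tokens[$details['series']]);
    return 'cookie cleared, token removed';
}

// Constructed sample data: one stored token and the malformed cookie "foo".
$tokens = ['series-1' => 'constructed-token'];
echo clearCookieAfter('foo', $tokens), PHP_EOL;
echo count($tokens), ' token(s) still stored', PHP_EOL;
try {
    clearCookieBefore('foo', $tokens);
} catch (MalformedCookie $e) {
    echo 'failure handler crashed: ', $e->getMessage(), PHP_EOL;
}
```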

@carsonbot changed the title from "Avoid failing when PersistentRememberMeHandler handles a malformed cookie" to "[Security] Avoid failing when PersistentRememberMeHandler handles a malformed cookie" on May 8, 2025
@nicolas-grekas left a comment
Member

Just one minor CS fix, thanks for the patch and the explanation.

$rememberMeDetails = RememberMeDetails::fromRawCookie($cookie);
try {
$rememberMeDetails = RememberMeDetails::fromRawCookie($cookie);
} catch (AuthenticationException $e) {
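
Review bot: on the `} catch (AuthenticationException $e) {` line, the parse failure from `RememberMeDetails::fromRawCookie($cookie)` is caught, but the lines shown give no sign that it is recorded anywhere. If a logger is available in this handler, a debug-level entry in the catch would keep malformed remember-me cookies visible to monitoring. A one-line comment there stating that the persistent token is intentionally left in place, since nothing can be mapped from a malformed cookie, would also help the next reader.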


Suggested change
}catch (AuthenticationException$e) {
}catch (AuthenticationException) {

@fabpot
Member

Thank you @Seldaek.

@fabpot merged commit ec1e4a2 into symfony:6.4 on May 9, 2025
10 checks passed
@fabpot mentioned this pull request on May 10, 2025
Reviewers

@fabpot approved these changes
@nicolas-grekas approved these changes
@xabbuh approved these changes
@chalasr: awaiting requested review (chalasr is a code owner)

Milestone
6.4

6 participants
@Seldaek, @xabbuh, @fabpot, @nicolas-grekas, @OskarStark, @carsonbot
