Skip to content

[Security\Http] Prevent canceled remember-me cookie from being accepted #35239

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nicolas-grekas merged 1 commit into from
Jan 8, 2020
Merged

[Security\Http] Prevent canceled remember-me cookie from being accepted #35239

nicolas-grekas merged 1 commit into from
Jan 8, 2020

Conversation

@chalasr
Copy link
Member

@chalasr chalasr commented Jan 6, 2020

Q A
Branch? 3.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets Fix #35198
License MIT
Doc PR -

RememberMeServices::autoLogin() only checks that the cookie exists in $request->cookies while loginFail() only alter $request->attributes (which allows child implementations to read the canceled cookie for e.g. removing a persistent one).
This makes autoLogin() checks for request->attributes first, which fixes the linked issue.

Failure expected on deps=high build.

@chalasr chalasr added the Bug label Jan 6, 2020
@chalasr chalasr added this to the 3.4 milestone Jan 6, 2020
@chalasr chalasr mentioned this pull request Jan 7, 2020
Closed
@nicolas-grekas
Copy link
Member

nicolas-grekas commented Jan 8, 2020

Thank you @chalasr.

nicolas-grekas added a commit that referenced this pull request Jan 8, 2020
@nicolas-grekas
bug #35239 [Security\Http] Prevent canceled remember-me cookie from b…
fd19bd7 
…eing accepted (chalasr)

This PR was merged into the 3.4 branch.

Discussion
----------

[Security\Http] Prevent canceled remember-me cookie from being accepted

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #35198
| License       | MIT
| Doc PR        | -

`RememberMeServices::autoLogin()` only checks that the cookie exists in `$request->cookies` while `loginFail()` only alter `$request->attributes` (which allows child implementations to read the canceled cookie for e.g. removing a persistent one).
This makes `autoLogin()` checks for `request->attributes` first, which fixes the linked issue.

Failure expected on deps=high build.

Commits
-------

9b711b8 [Security] Prevent canceled remember-me cookie from being accepted
@nicolas-grekas nicolas-grekas merged commit 9b711b8 into symfony:3.4 Jan 8, 2020
@chalasr chalasr deleted the skip-rememberme-deauth branch January 8, 2020 19:17
This was referenced Jan 21, 2020
Merged
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

Assignees

No one assigned

Labels

Bug Status: Reviewed

Projects

None yet

Milestone

3.4

Development

Successfully merging this pull request may close these issues.

3 participants

@chalasr @nicolas-grekas @carsonbot