Skip to content

[SecurityBundle] fix accepting env vars in remember-me configurations #36483

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nicolas-grekas merged 1 commit into from
Apr 18, 2020
Merged

[SecurityBundle] fix accepting env vars in remember-me configurations #36483

nicolas-grekas merged 1 commit into from
Apr 18, 2020

Conversation

@zek
Copy link
Contributor

@zek zek commented Apr 17, 2020

Q A
Branch? 3.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets Fix #36271
License MIT
Doc PR -

As @wouterj explained we cannot use env variables after #35910 merged.

Hmm, so I'm guessing this is what happens:

  • lifetime is now an integerNode()
  • For the Config component (which IIRC doesn't know anything about env variables), you're passing a string: "%env(int:REMEMBER_ME_COOKIE_LIFETIME)%"
  • This throws an error, although if it wouldn't, the DI component would sucessfully process the string into a integer before it's used by any PHP class.

So we either make Config aware of environment variables (that's probably a huge feature) or we revert the integerNode() changes (as you suggested).

@HeahDude am I mislooking something, or would reverting these 2 lines not result in much harm? (only a little less strict config processor)

@nicolas-grekas nicolas-grekas added this to the 3.4 milestone Apr 17, 2020
nicolas-grekas
nicolas-grekas reviewed Apr 17, 2020
View reviewed changes
src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php Outdated
->booleanNode('catch_exceptions')->defaultTrue()->end()
;

// Be carefull! We should call scalarNode otherwise can't use `env variables` in configuration.
Copy link
Member

@nicolas-grekas nicolas-grekas Apr 17, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should be removed and replaced by a non-regression test instead :)

@nicolas-grekas nicolas-grekas changed the title [Security] Revert Changes that causes bug [Security] fix accepting env vars in remember_me configurations Apr 18, 2020
@nicolas-grekas nicolas-grekas changed the title [Security] fix accepting env vars in remember_me configurations [Security] fix accepting env vars in remember-me configurations Apr 18, 2020
@nicolas-grekas nicolas-grekas changed the title [Security] fix accepting env vars in remember-me configurations [SecurityBundle] fix accepting env vars in remember-me configurations Apr 18, 2020
@nicolas-grekas
Copy link
Member

nicolas-grekas commented Apr 18, 2020

Thank you @zek.

@nicolas-grekas nicolas-grekas merged commit a347a84 into symfony:3.4 Apr 18, 2020
This was referenced Apr 28, 2020
Merged
Merged
Merged
@zek zek deleted the 3.4 branch June 22, 2020 12:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicolas-grekas nicolas-grekas nicolas-grekas left review comments

Assignees

No one assigned

Labels

Bug Security Status: Needs Review

Projects

None yet

Milestone

3.4

Development

Successfully merging this pull request may close these issues.

3 participants

@zek @nicolas-grekas @carsonbot