hhamon
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md
Lines changed: 4 additions & 2 deletions b/‎src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md
Lines changed: 4 additions & 2 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
Lines changed: 2 additions & 6 deletions b/‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
Lines changed: 2 additions & 6 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginThrottlingFactory.php
Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginThrottlingFactory.php
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Component/HttpKernel/Log/DebugLoggerConfigurator.php
Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Component/HttpKernel/Log/DebugLoggerConfigurator.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php
Lines changed: 4 additions & 0 deletions b/‎src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Http/RateLimiter/DefaultLoginRateLimiter.php
Lines changed: 17 additions & 3 deletions b/‎src/Symfony/Component/Security/Http/RateLimiter/DefaultLoginRateLimiter.php
Lines changed: 17 additions & 3 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Tests/Authenticator/FormLoginAuthenticatorTest.php
Lines changed: 39 additions & 0 deletions b/‎src/Symfony/Component/Security/Http/Tests/Authenticator/FormLoginAuthenticatorTest.php
Lines changed: 39 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Tests/EventListener/LoginThrottlingListenerTest.php
Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Component/Security/Http/Tests/EventListener/LoginThrottlingListenerTest.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Component/Serializer/NameConverter/MetadataAwareNameConverter.php
Lines changed: 6 additions & 3 deletions b/‎src/Symfony/Component/Serializer/NameConverter/MetadataAwareNameConverter.php
Lines changed: 6 additions & 3 deletions
diff --git a/‎src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php
Lines changed: 5 additions & 3 deletions b/‎src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php
Lines changed: 5 additions & 3 deletions
@@ -31,8 +31,10 @@ CHANGELOG
  * Deprecate not setting the `framework.php_errors.log` config option; it will default to `true` in 7.0
  * Deprecate not setting the `framework.session.cookie_secure` config option; it will default to `auto` in 7.0
  * Deprecate not setting the `framework.session.cookie_samesite` config option; it will default to `lax` in 7.0
- * Deprecate not setting the `framework.session.handler_id` config option; it will default to `session.handler.native_file` when `framework.session.save_path` is set or `null` otherwise in 7.0
- * Deprecate not setting the `framework.session.save_path` config option when `framework.session.handler_id` is not set; it will default to `null` in 7.0
+ * Deprecate not setting either `framework.session.handler_id` or `save_path` config options; `handler_id` will
+   default to null in 7.0 if `save_path` is not set and to `session.handler.native_file` otherwise
+ * Deprecate not setting the `framework.session.handler_id` config option; it will default to null,
+   unless `save_path` is set, which will make it default to `session.handler.native_file` in 7.0
  * Deprecate not setting the `framework.uid.default_uuid_version` config option; it will default to `7` in 7.0
  * Deprecate not setting the `framework.uid.time_based_uuid_version` config option; it will default to `7` in 7.0
  * Deprecate not setting the `framework.validation.email_validation_mode` config option; it will default to `html5` in 7.0
 
@@ -660,12 +660,8 @@ private function addSessionSection(ArrayNodeDefinition $rootNode): void
                             trigger_deprecation('symfony/framework-bundle', '6.4', 'Not setting the "framework.session.cookie_samesite" config option is deprecated. It will default to "lax" in 7.0.');
                         }
 
-                        if (!\array_key_exists('handler_id', $v['session'])) {
-                            if (!\array_key_exists('save_path', $v['session'])) {
-                                trigger_deprecation('symfony/framework-bundle', '6.4', 'Not setting the "framework.session.save_path" config option when the "framework.session.handler_id" config option is not set either is deprecated. Both options will default to "null" in 7.0.');
-                            } else {
-                                trigger_deprecation('symfony/framework-bundle', '6.4', 'Not setting the "framework.session.handler_id" config option is deprecated. It will default to "session.handler.native_file" when "framework.session.save_path" is set or "null" otherwise in 7.0.');
-                            }
+                        if (!\array_key_exists('handler_id', $v['session']) && !\array_key_exists('handler_id', $v['save_path'])) {
+                            trigger_deprecation('symfony/framework-bundle', '6.4', 'Not setting either "framework.session.handler_id" or "save_path" config options is deprecated; "handler_id" will default to null in 7.0 if "save_path" is not set and to "session.handler.native_file" otherwise.');
                         }
                     }
 
 
@@ -76,6 +76,7 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
             $container->register($config['limiter'] = 'security.login_throttling.'.$firewallName.'.limiter', DefaultLoginRateLimiter::class)
                 ->addArgument(new Reference('limiter.'.$globalId))
                 ->addArgument(new Reference('limiter.'.$localId))
+                ->addArgument('%kernel.secret%')
             ;
         }
 
 
@@ -22,7 +22,7 @@ class DebugLoggerConfigurator
 
     public function __construct(DebugLoggerInterface $processor, bool $enable = null)
     {
-        if ($enable ?? \in_array(\PHP_SAPI, ['cli', 'phpdbg'], true)) {
+        if ($enable ?? !\in_array(\PHP_SAPI, ['cli', 'phpdbg'], true)) {
             $this->processor = $processor;
         }
     }
 
@@ -131,6 +131,10 @@ private function getCredentials(Request $request): array
 
         $request->getSession()->set(SecurityRequestAttributes::LAST_USERNAME, $credentials['username']);
 
+        if (!\is_string($credentials['password']) && (!\is_object($credentials['password']) || !method_exists($credentials['password'], '__toString'))) {
+            throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['password_parameter'], \gettype($credentials['password'])));
+        }
+
         return $credentials;
     }
 
 
@@ -28,11 +28,20 @@ final class DefaultLoginRateLimiter extends AbstractRequestRateLimiter
 {
     private RateLimiterFactory $globalFactory;
     private RateLimiterFactory $localFactory;
+    private string $secret;
 
-    public function __construct(RateLimiterFactory $globalFactory, RateLimiterFactory $localFactory)
+    /**
+     * @param non-empty-string $secret A secret to use for hashing the IP address and username
+     */
+    public function __construct(RateLimiterFactory $globalFactory, RateLimiterFactory $localFactory, #[\SensitiveParameter] string $secret = '')
     {
+        if ('' === $secret) {
+            trigger_deprecation('symfony/security-http', '6.4', 'Calling "%s()" with an empty secret is deprecated. A non-empty secret will be mandatory in version 7.0.', __METHOD__);
+            // throw new \Symfony\Component\Security\Core\Exception\InvalidArgumentException('A non-empty secret is required.');
+        }
         $this->globalFactory = $globalFactory;
         $this->localFactory = $localFactory;
+        $this->secret = $secret;
     }
 
     protected function getLimiters(Request $request): array
@@ -41,8 +50,13 @@ protected function getLimiters(Request $request): array
         $username = preg_match('//u', $username) ? mb_strtolower($username, 'UTF-8') : strtolower($username);
 
         return [
-            $this->globalFactory->create($request->getClientIp()),
-            $this->localFactory->create($username.'-'.$request->getClientIp()),
+            $this->globalFactory->create($this->hash($request->getClientIp())),
+            $this->localFactory->create($this->hash($username.'-'.$request->getClientIp())),
         ];
     }
+
+    private function hash(string $data): string
+    {
+        return strtr(substr(base64_encode(hash_hmac('sha256', $data, $this->secret, true)), 0, 8), '/+', '._');
+    }
 }
@@ -24,6 +24,7 @@
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\PasswordUpgradeBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Http\Tests\Authenticator\Fixtures\PasswordUpgraderProvider;
 
@@ -126,6 +127,44 @@ public function testHandleNonStringUsernameWithToString($postOnly)
         $this->authenticator->authenticate($request);
     }
 
+    /**
+     * @dataProvider postOnlyDataProvider
+     */
+    public function testHandleNonStringPasswordWithArray(bool $postOnly)
+    {
+        $this->expectException(BadRequestHttpException::class);
+        $this->expectExceptionMessage('The key "_password" must be a string, "array" given.');
+
+        $request = Request::create('/login_check', 'POST', ['_username' => 'foo', '_password' => []]);
+        $request->setSession($this->createSession());
+
+        $this->setUpAuthenticator(['post_only' => $postOnly]);
+        $this->authenticator->authenticate($request);
+    }
+
+    /**
+     * @dataProvider postOnlyDataProvider
+     */
+    public function testHandleNonStringPasswordWithToString(bool $postOnly)
+    {
+        $passwordObject = new class() {
+            public function __toString()
+            {
+                return 's$cr$t';
+            }
+        };
+
+        $request = Request::create('/login_check', 'POST', ['_username' => 'foo', '_password' => $passwordObject]);
+        $request->setSession($this->createSession());
+
+        $this->setUpAuthenticator(['post_only' => $postOnly]);
+        $passport = $this->authenticator->authenticate($request);
+
+        /** @var PasswordCredentials $credentialsBadge */
+        $credentialsBadge = $passport->getBadge(PasswordCredentials::class);
+        $this->assertSame('s$cr$t', $credentialsBadge->getPassword());
+    }
+
     public static function postOnlyDataProvider()
     {
         yield [true];
 
@@ -47,7 +47,7 @@ protected function setUp(): void
             'limit' => 6,
             'interval' => '1 minute',
         ], new InMemoryStorage());
-        $limiter = new DefaultLoginRateLimiter($globalLimiter, $localLimiter);
+        $limiter = new DefaultLoginRateLimiter($globalLimiter, $localLimiter, '$3cre7');
 
         $this->listener = new LoginThrottlingListener($this->requestStack, $limiter);
     }
 
@@ -127,11 +127,14 @@ private function getCacheValueForAttributesMetadata(string $class, array $contex
                 throw new LogicException(sprintf('Found SerializedName and SerializedPath annotations on property "%s" of class "%s".', $name, $class));
             }
 
-            $groups = $metadata->getGroups();
-            if (!$groups && ($context[AbstractNormalizer::GROUPS] ?? [])) {
+            $metadataGroups = $metadata->getGroups();
+            $contextGroups = (array) ($context[AbstractNormalizer::GROUPS] ?? []);
+
+            if ($contextGroups && !$metadataGroups) {
                 continue;
             }
-            if ($groups && !array_intersect($groups, (array) ($context[AbstractNormalizer::GROUPS] ?? []))) {
+
+            if ($metadataGroups && !array_intersect($metadataGroups, $contextGroups) && !\in_array('*', $contextGroups, true)) {
                 continue;
             }
 
 
@@ -302,13 +302,15 @@ public function denormalize(mixed $data, string $type, string $format = null, ar
         $mappedClass = $this->getMappedClass($normalizedData, $type, $context);
 
         $nestedAttributes = $this->getNestedAttributes($mappedClass);
-        $nestedData = [];
+        $nestedData = $originalNestedData = [];
         $propertyAccessor = PropertyAccess::createPropertyAccessor();
         foreach ($nestedAttributes as $property => $serializedPath) {
             if (null === $value = $propertyAccessor->getValue($normalizedData, $serializedPath)) {
                 continue;
             }
-            $nestedData[$property] = $value;
+            $convertedProperty = $this->nameConverter ? $this->nameConverter->normalize($property, $mappedClass, $format, $context) : $property;
+            $nestedData[$convertedProperty] = $value;
+            $originalNestedData[$property] = $value;
             $normalizedData = $this->removeNestedValue($serializedPath->getElements(), $normalizedData);
         }
 
@@ -321,7 +323,7 @@ public function denormalize(mixed $data, string $type, string $format = null, ar
             if ($this->nameConverter) {
                 $notConverted = $attribute;
                 $attribute = $this->nameConverter->denormalize($attribute, $resolvedClass, $format, $context);
-                if (isset($nestedData[$notConverted]) && !isset($nestedData[$attribute])) {
+                if (isset($nestedData[$notConverted]) && !isset($originalNestedData[$attribute])) {
                     throw new LogicException(sprintf('Duplicate values for key "%s" found. One value is set via the SerializedPath annotation: "%s", the other one is set via the SerializedName annotation: "%s".', $notConverted, implode('->', $nestedAttributes[$notConverted]->getElements()), $attribute));
                 }
             }
Original file line number	Diff line number	Diff line change
`@@ -660,12 +660,8 @@ private function addSessionSection(ArrayNodeDefinition $rootNode): void`
`660`	`660`	`trigger_deprecation('symfony/framework-bundle', '6.4', 'Not setting the "framework.session.cookie_samesite" config option is deprecated. It will default to "lax" in 7.0.');`
`661`	`661`	`}`
`662`	`662`
`663`		`- if (!\array_key_exists('handler_id', $v['session'])) {`
`664`		`- if (!\array_key_exists('save_path', $v['session'])) {`
`665`		`- trigger_deprecation('symfony/framework-bundle', '6.4', 'Not setting the "framework.session.save_path" config option when the "framework.session.handler_id" config option is not set either is deprecated. Both options will default to "null" in 7.0.');`
`666`		`- } else {`
`667`		`- trigger_deprecation('symfony/framework-bundle', '6.4', 'Not setting the "framework.session.handler_id" config option is deprecated. It will default to "session.handler.native_file" when "framework.session.save_path" is set or "null" otherwise in 7.0.');`
`668`		`- }`
	`663`	`+ if (!\array_key_exists('handler_id', $v['session']) && !\array_key_exists('handler_id', $v['save_path'])) {`
	`664`	`+ trigger_deprecation('symfony/framework-bundle', '6.4', 'Not setting either "framework.session.handler_id" or "save_path" config options is deprecated; "handler_id" will default to null in 7.0 if "save_path" is not set and to "session.handler.native_file" otherwise.');`
`669`	`665`	`}`
`670`	`666`	`}`
`671`	`667`
Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,7 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal`
`76`	`76`	`$container->register($config['limiter'] = 'security.login_throttling.'.$firewallName.'.limiter', DefaultLoginRateLimiter::class)`
`77`	`77`	`->addArgument(new Reference('limiter.'.$globalId))`
`78`	`78`	`->addArgument(new Reference('limiter.'.$localId))`
	`79`	`+ ->addArgument('%kernel.secret%')`
`79`	`80`	`;`
`80`	`81`	`}`
`81`	`82`
Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ class DebugLoggerConfigurator`
`22`	`22`
`23`	`23`	`public function __construct(DebugLoggerInterface $processor, bool $enable = null)`
`24`	`24`	`{`
`25`		`- if ($enable ?? \in_array(\PHP_SAPI, ['cli', 'phpdbg'], true)) {`
	`25`	`+ if ($enable ?? !\in_array(\PHP_SAPI, ['cli', 'phpdbg'], true)) {`
`26`	`26`	`$this->processor = $processor;`
`27`	`27`	`}`
`28`	`28`	`}`
Original file line number	Diff line number	Diff line change
`@@ -131,6 +131,10 @@ private function getCredentials(Request $request): array`
`131`	`131`
`132`	`132`	`$request->getSession()->set(SecurityRequestAttributes::LAST_USERNAME, $credentials['username']);`
`133`	`133`
	`134`	`+ if (!\is_string($credentials['password']) && (!\is_object($credentials['password']) \|\| !method_exists($credentials['password'], '__toString'))) {`
	`135`	`+ throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['password_parameter'], \gettype($credentials['password'])));`
	`136`	`+ }`
	`137`	`+`
`134`	`138`	`return $credentials;`
`135`	`139`	`}`
`136`	`140`
Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ protected function setUp(): void`
`47`	`47`	`'limit' => 6,`
`48`	`48`	`'interval' => '1 minute',`
`49`	`49`	`], new InMemoryStorage());`
`50`		`- $limiter = new DefaultLoginRateLimiter($globalLimiter, $localLimiter);`
	`50`	`+ $limiter = new DefaultLoginRateLimiter($globalLimiter, $localLimiter, '$3cre7');`
`51`	`51`
`52`	`52`	`$this->listener = new LoginThrottlingListener($this->requestStack, $limiter);`
`53`	`53`	`}`
Original file line number	Diff line number	Diff line change
`@@ -127,11 +127,14 @@ private function getCacheValueForAttributesMetadata(string $class, array $contex`
`127`	`127`	`throw new LogicException(sprintf('Found SerializedName and SerializedPath annotations on property "%s" of class "%s".', $name, $class));`
`128`	`128`	`}`
`129`	`129`
`130`		`- $groups = $metadata->getGroups();`
`131`		`- if (!$groups && ($context[AbstractNormalizer::GROUPS] ?? [])) {`
	`130`	`+ $metadataGroups = $metadata->getGroups();`
	`131`	`+ $contextGroups = (array) ($context[AbstractNormalizer::GROUPS] ?? []);`
	`132`	`+`
	`133`	`+ if ($contextGroups && !$metadataGroups) {`
`132`	`134`	`continue;`
`133`	`135`	`}`
`134`		`- if ($groups && !array_intersect($groups, (array) ($context[AbstractNormalizer::GROUPS] ?? []))) {`
	`136`	`+`
	`137`	`+ if ($metadataGroups && !array_intersect($metadataGroups, $contextGroups) && !\in_array('*', $contextGroups, true)) {`
`135`	`138`	`continue;`
`136`	`139`	`}`
`137`	`140`
Original file line number	Diff line number	Diff line change
`@@ -302,13 +302,15 @@ public function denormalize(mixed $data, string $type, string $format = null, ar`
`302`	`302`	`$mappedClass = $this->getMappedClass($normalizedData, $type, $context);`
`303`	`303`
`304`	`304`	`$nestedAttributes = $this->getNestedAttributes($mappedClass);`
`305`		`- $nestedData = [];`
	`305`	`+ $nestedData = $originalNestedData = [];`
`306`	`306`	`$propertyAccessor = PropertyAccess::createPropertyAccessor();`
`307`	`307`	`foreach ($nestedAttributes as $property => $serializedPath) {`
`308`	`308`	`if (null === $value = $propertyAccessor->getValue($normalizedData, $serializedPath)) {`
`309`	`309`	`continue;`
`310`	`310`	`}`
`311`		`- $nestedData[$property] = $value;`
	`311`	`+ $convertedProperty = $this->nameConverter ? $this->nameConverter->normalize($property, $mappedClass, $format, $context) : $property;`
	`312`	`+ $nestedData[$convertedProperty] = $value;`
	`313`	`+ $originalNestedData[$property] = $value;`
`312`	`314`	`$normalizedData = $this->removeNestedValue($serializedPath->getElements(), $normalizedData);`
`313`	`315`	`}`
`314`	`316`
`@@ -321,7 +323,7 @@ public function denormalize(mixed $data, string $type, string $format = null, ar`
`321`	`323`	`if ($this->nameConverter) {`
`322`	`324`	`$notConverted = $attribute;`
`323`	`325`	`$attribute = $this->nameConverter->denormalize($attribute, $resolvedClass, $format, $context);`
`324`		`- if (isset($nestedData[$notConverted]) && !isset($nestedData[$attribute])) {`
	`326`	`+ if (isset($nestedData[$notConverted]) && !isset($originalNestedData[$attribute])) {`
`325`	`327`	`throw new LogicException(sprintf('Duplicate values for key "%s" found. One value is set via the SerializedPath annotation: "%s", the other one is set via the SerializedName annotation: "%s".', $notConverted, implode('->', $nestedAttributes[$notConverted]->getElements()), $attribute));`
`326`	`328`	`}`
`327`	`329`	`}`