security #cve-2019-10911 [Security] Add a separator in the remember me cookie hash (pborreli)

nicolas-grekas · nicolas-grekas · commit 0a4ed67b0dcc · 2019-04-16T10:58:07.000+02:00
This PR was merged into the 3.4 branch. Discussion ---------- [Security] Add a separator in the remember me cookie hash Based on #89 Commits ------- a29ce28 [Security] Add a separator in the remember me cookie hash
diff --git a/src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php b/src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php
@@ -120,6 +120,6 @@ protected function generateCookieValue($class, $username, $expires, $password)
      */
     protected function generateCookieHash($class, $username, $expires, $password)
     {
-        return hash_hmac('sha256', $class.$username.$expires.$password, $this->getSecret());
+        return hash_hmac('sha256', $class.self::COOKIE_DELIMITER.$username.self::COOKIE_DELIMITER.$expires.self::COOKIE_DELIMITER.$password, $this->getSecret());
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -120,6 +120,6 @@ protected function generateCookieValue($class, $username, $expires, $password)`
`120`	`120`	`*/`
`121`	`121`	`protected function generateCookieHash($class, $username, $expires, $password)`
`122`	`122`	`{`
`123`		`- return hash_hmac('sha256', $class.$username.$expires.$password, $this->getSecret());`
	`123`	`+ return hash_hmac('sha256', $class.self::COOKIE_DELIMITER.$username.self::COOKIE_DELIMITER.$expires.self::COOKIE_DELIMITER.$password, $this->getSecret());`
`124`	`124`	`}`
`125`	`125`	`}`