

Commit 64be67e

bug #47488 [Security] Fix valid remember-me token exposure to the second consequent request (Ivan Kurnosov)
This PR was merged into the 5.4 branch. Discussion ---------- [Security] Fix valid remember-me token exposure to the second consequent request Close #42343 Fix #46760 | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no <!-- please update src/**/CHANGELOG.md files --> | Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files --> | Tickets | Fix #42343, Fix #46760 <!-- prefix each issue number with "Fix #", no need to create an issue if none exist, explain below instead --> | License | MIT | Doc PR | symfony/symfony-docs#... <!-- required for new features --> <!-- Replace this notice by a short README for your feature/bugfix. This will help reviewers and should be a good start for the documentation. Additionally (see https://symfony.com/releases): - Always add tests and ensure they pass. - Bug fixes must be submitted against the lowest maintained branch where they apply (lowest branches are regularly merged to upper ones so they get the fixes too). - Features and deprecations must be submitted against the latest branch. - For new features, provide some code snippets to help understand usage. - Changelog entry should follow https://symfony.com/doc/current/contributing/code/conventions.html#writing-a-changelog-entry - Never break backward compatibility (see https://symfony.com/bc). --> The #46760 PR, together with its fix, produces a security vulnerability: a malicious actor may obtain a **new and valid** remember-me token by making a request right after the legitimate user. Commits ------- 62ceded Bug #42343 [Security] Fix valid remember-me token exposure to the second consequent request
2 parents 1af379a + 62ceded commit 64be67e


2 files changed

+3
-15
lines changed


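--- a/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php
+++ b/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php
@@ -75,7 +75,6 @@ public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInte
 
 if ($this->tokenVerifier) {
 $isTokenValid = $this->tokenVerifier->verifyToken($persistentToken, $tokenValue);
-$tokenValue = $persistentToken->getTokenValue();
 } else {
 $isTokenValid = hash_equals($persistentToken->getTokenValue(), $tokenValue);
 }
@@ -96,9 +95,9 @@ public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInte
 $this->tokenVerifier->updateExistingToken($persistentToken, $tokenValue, $tokenLastUsed);
 }
 $this->tokenProvider->updateToken($series, $tokenValue, $tokenLastUsed);
-}
 
-$this->createCookie($rememberMeDetails->withValue($series.':'.$tokenValue));
+$this->createCookie($rememberMeDetails->withValue($series.':'.$tokenValue));
+}
 }
 
 /**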
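Review bot: The `createCookie` call moved to new line 99 is now the security boundary of this method, yet it carries no comment saying why it must stay inside the token-rotation branch, so a later refactor could hoist it back out and reintroduce the leak. Suggest a why-comment directly above it: `// Re-issue the cookie only when the token was actually rotated; on an unrotated request the presented cookie stays valid, and emitting the stored value here would hand a fresh token to whoever replayed the old one (#42343).` The `if` whose closing brace moves to new line 100 opens above the hunk and `processRememberMe` itself starts outside this view, so what `$tokenValue` holds on the rotated path is not visible here; removing the reassignment at old line 78 presumably relies on it being set to a freshly generated value before line 96, which should be confirmed in the full method.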

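--- a/src/Symfony/Component/Security/Http/Tests/RememberMe/PersistentRememberMeHandlerTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/RememberMe/PersistentRememberMeHandlerTest.php
@@ -125,18 +125,7 @@ public function testConsumeRememberMeCookieValidByValidatorWithoutUpdate()
 $rememberMeDetails = new RememberMeDetails(InMemoryUser::class, 'wouter', 360, 'series1:oldTokenValue');
 $handler->consumeRememberMeCookie($rememberMeDetails);
 
-// assert that the cookie has been updated with a new base64 encoded token value
-$this->assertTrue($this->request->attributes->has(ResponseListener::COOKIE_ATTR_NAME));
-
-/** @var Cookie $cookie */
-$cookie = $this->request->attributes->get(ResponseListener::COOKIE_ATTR_NAME);
-
-$cookieParts = explode(':', base64_decode($cookie->getValue()), 4);
-
-$this->assertSame(InMemoryUser::class, $cookieParts[0]); // class
-$this->assertSame(base64_encode('wouter'), $cookieParts[1]); // identifier
-$this->assertSame('360', $cookieParts[2]); // expire
-$this->assertSame('series1:tokenvalue', $cookieParts[3]); // value
+$this->assertFalse($this->request->attributes->has(ResponseListener::COOKIE_ATTR_NAME));
 }
 
 public function testConsumeRememberMeCookieInvalidToken()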
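Review bot: The replacement assertion at new line 128 drops the explanatory comment the deleted block had, so the test no longer states why the absence of a cookie is the expected outcome; add `// token is valid but not rotated, so no refreshed cookie may be issued to this request` above the `assertFalse`. The positive case that the deleted lines covered, a cookie carrying the rotated value when the token is actually updated, is no longer exercised by this test and should be asserted in a sibling test if one does not already exist, which cannot be confirmed from this hunk. `testConsumeRememberMeCookieValidByValidatorWithoutUpdate` starts above the hunk.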
