From 409897b68e308a88be67031d88846afaa8545d58 Mon Sep 17 00:00:00 2001
From: Ivan Kurnosov
Date: Thu, 24 Mar 2022 14:01:56 +1300
Subject: [PATCH] bug #42637 [Security] Fixed TOCTOU in RememberMe cache token verifier
---
 .../Core/Authentication/RememberMe/CacheTokenVerifier.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/Symfony/Component/Security/Core/Authentication/RememberMe/CacheTokenVerifier.php b/src/Symfony/Component/Security/Core/Authentication/RememberMe/CacheTokenVerifier.php
index dabc719055fcf..340bc87c2e32e 100644
--- a/src/Symfony/Component/Security/Core/Authentication/RememberMe/CacheTokenVerifier.php
+++ b/src/Symfony/Component/Security/Core/Authentication/RememberMe/CacheTokenVerifier.php
@@ -45,11 +45,11 @@ public function verifyToken(PersistentTokenInterface $token, string $tokenValue)
 }
 $cacheKey = $this->getCacheKey($token);
- if (!$this->cache->hasItem($cacheKey)) {
+ $item = $this->cache->getItem($cacheKey);
+ if (!$item->isHit()) {
 return false;
 }
- $item = $this->cache->getItem($cacheKey);
 $outdatedToken = $item->get();
 return hash_equals($outdatedToken, $tokenValue);
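Review bot: The cached value still reaches `hash_equals()` untyped: `$item->get()` on a hit returns whatever was stored, and if that is not a string (a stored null is still a hit in PSR-6 caches) the call throws a TypeError instead of the method returning false. A narrow guard before the final return keeps the false-on-mismatch contract: `if (!\is_string($outdatedToken)) { return false; }`. The reason for pairing `getItem()` with `isHit()` lives only in the commit subject; a comment above the new line such as `// Fetch once and test isHit(): a separate hasItem() check can race with expiry/eviction between the two calls` would stop a later cleanup from reintroducing the two-step lookup. verifyToken's opening lines and closing brace are outside the hunk.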