bug #50582 [Security/Http] Fix false-string handling in RememberMeAuthenticator (ossinkine)

nicolas-grekas · nicolas-grekas · commit 17f4fe4f2b4f · 2023-07-07T08:45:04.000+02:00
This PR was merged into the 5.4 branch. Discussion ---------- [Security/Http] Fix false-string handling in `RememberMeAuthenticator` | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #...  | License | MIT | Doc PR | symfony/symfony-docs#...  I found some errors "No remember-me cookie is found." in my logs. I didn't find another way to reproduce it other than set "false-string" to the cookie value, for example `0`. This PR fixes this. Commits ------- 87c2bc2 [Security] Fix false-string handling in RememberMeAuthenticator
diff --git a/src/Symfony/Component/Security/Http/Authenticator/RememberMeAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/RememberMeAuthenticator.php
@@ -70,7 +70,7 @@ public function supports(Request $request): ?bool
             return false;
         }
 
-        if (!$request->cookies->has($this->cookieName)) {
+        if (!$request->cookies->has($this->cookieName) || !\is_scalar($request->cookies->all()[$this->cookieName] ?: null)) {
             return false;
         }
 
diff --git a/src/Symfony/Component/Security/Http/Tests/Authenticator/RememberMeAuthenticatorTest.php b/src/Symfony/Component/Security/Http/Tests/Authenticator/RememberMeAuthenticatorTest.php
@@ -61,6 +61,9 @@ public static function provideSupportsData()
         $request = Request::create('/', 'GET', [], ['_remember_me_cookie' => 'rememberme']);
         $request->attributes->set(ResponseListener::COOKIE_ATTR_NAME, new Cookie('_remember_me_cookie', null));
         yield [$request, false];
+
+        $request = Request::create('/', 'GET', [], ['_remember_me_cookie' => '0']);
+        yield [$request, false];
     }
 
     public function testAuthenticate()

Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ public function supports(Request $request): ?bool`
`70`	`70`	`return false;`
`71`	`71`	`}`
`72`	`72`
`73`		`- if (!$request->cookies->has($this->cookieName)) {`
	`73`	`+ if (!$request->cookies->has($this->cookieName) \|\| !\is_scalar($request->cookies->all()[$this->cookieName] ?: null)) {`
`74`	`74`	`return false;`
`75`	`75`	`}`
`76`	`76`
Original file line number	Diff line number	Diff line change
`@@ -61,6 +61,9 @@ public static function provideSupportsData()`
`61`	`61`	`$request = Request::create('/', 'GET', [], ['_remember_me_cookie' => 'rememberme']);`
`62`	`62`	`$request->attributes->set(ResponseListener::COOKIE_ATTR_NAME, new Cookie('_remember_me_cookie', null));`
`63`	`63`	`yield [$request, false];`
	`64`	`+`
	`65`	`+ $request = Request::create('/', 'GET', [], ['_remember_me_cookie' => '0']);`
	`66`	`+ yield [$request, false];`
`64`	`67`	`}`
`65`	`68`
`66`	`69`	`public function testAuthenticate()`