[Security] Cannot use env in RememberMe config #36271
Comments
|
Which version were you upgrading from? Can you provide a small reproducing app that worked before and doesn't anymore please? That'd help ppl that want to debug this (could be you btw, up to?) |
I was upgrading from 3.4.38.
OK I can try. |
|
Here is the repo https://github.com/zek/symfony-bug I didn't complete rest of the reproduction.
|
|
What I'm trying to do is
|
|
Hmm, so I'm guessing this is what happends:
So we either make Config aware of environment variables (that's probably a huge feature) or we revert the @HeahDude am I mislooking something, or would reverting these 2 lines not result in much harm? (only a little less strict config processor) |
|
Yes we should revert. Also as @wouterj explained the Config component does not know about env processors... It means that any node, excepted for |
|
@zek as you were the one reporting and discovering the lines that broke this, are you maybe up for a PR to revert the change on the 3.4 branch? That would give you all credits you deserve :)
Yes, this is also what I was thinking about. I think it might be possible to "solve" it a little bit if Config would recognize that it is an env string and discover the env processor. There are env processors for each type. E.g. if something is This would make the Config component aware of the fullstack framework though. I'm not sure how to fix that, but this could be a way of solving it for all config nodes. |
|
4.4 is already able to know about these, but not 3.4 indeed. |
|
Oh, so in that case, the revert should only happen in 3.4? |
|
I suppose yes, can anyone confirm on 4.4? |
|
I can confirm that I no longer have this error when I update the reproducer to Symfony 4.4 (thanks for providing a reproducer, that makes it very easy to confirm/test!) |
Ok. I'll send a PR today. Thank you all @wouterj @HeahDude @nicolas-grekas 👍 |
|
friendly ping @zek |
…figurations (zek) This PR was merged into the 3.4 branch. Discussion ---------- [SecurityBundle] fix accepting env vars in remember-me configurations | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #36271 | License | MIT | Doc PR | - As @wouterj explained we cannot use env variables after #35910 merged. > Hmm, so I'm guessing this is what happens: > > * `lifetime` is now an `integerNode()` > * For the Config component (which IIRC doesn't know anything about env variables), you're passing a string: `"%env(int:REMEMBER_ME_COOKIE_LIFETIME)%"` > * This throws an error, although if it wouldn't, the DI component would sucessfully process the string into a integer before it's used by any PHP class. > > So we either make Config aware of environment variables (that's probably a huge feature) or we revert the `integerNode()` changes (as you suggested). > > @HeahDude am I mislooking something, or would reverting these 2 lines not result in much harm? (only a little less strict config processor) Commits ------- 46c2783 [SecurityBundle] fix accepting env vars in remember-me configurations
|
I can see this was fixed for 3.4, but it exists on 4.4+. How come it's not a problem on newer versions? Because we have exactly the same problem on Symfony 4.4 (mautic/mautic#9011) |
|
Please don't comment on closed issues/PRs, you might get no follow up. |
Symfony version(s) affected: 3.4.39
Description
This is working until today's 3.4.39 update. using
envinsecurity.yamlcauses this error.How to reproduce
inside of security.yaml
Possible Solution
Remove these lines
https://github.com/symfony/symfony/pull/35910/files#diff-63961cbd5c56cdeb2e94e6024d58327fR148-R149
Additional context
The text was updated successfully, but these errors were encountered: