Skip to content

[Security] Fix valid remember-me token exposure to the second consequent request #47488

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 8, 2022
Merged

[Security] Fix valid remember-me token exposure to the second consequent request #47488

merged 1 commit into from
Sep 8, 2022

Conversation

zerkms
Copy link
Contributor

@zerkms zerkms commented Sep 4, 2022
edited
Loading

Close #42343
Fix #46760

Q A
Branch? 5.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets Fix #42343, Fix #46760
License MIT
Doc PR symfony/symfony-docs#...

#46760 PR together with a fix produces a security vulnerability when a malicious actor may get a new and valid remember me token if makes a request right after the legit user.

@carsonbot carsonbot added this to the 6.2 milestone Sep 4, 2022
@carsonbot carsonbot changed the title Bug #42343 [Security] Fix valid remember-me token exposure to the second consequent request [Security] Bug #42343 Fix valid remember-me token exposure to the second consequent request Sep 4, 2022
@zerkms zerkms mentioned this pull request Sep 4, 2022
Merged
@nicolas-grekas nicolas-grekas changed the title [Security] Bug #42343 Fix valid remember-me token exposure to the second consequent request [Security] Fix valid remember-me token exposure to the second consequent request Sep 5, 2022
@nicolas-grekas nicolas-grekas changed the base branch from 6.2 to 5.4 September 5, 2022 15:55
@nicolas-grekas nicolas-grekas modified the milestones: 6.2, 5.4 Sep 5, 2022
nicolas-grekas
nicolas-grekas approved these changes Sep 5, 2022
View reviewed changes
Copy link
Member

@nicolas-grekas nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change looks correct to me.

2 requests come by at the same time with tokenA:

  • the one that wins the race persists and sends back tokenB
  • the other one accepts tokenA but doesn't send any cookie back, aka tokenB from req 1 stays in the cookie jar.

Unless I missed something, this still fixes the situation that @heiglandreas describes in #46760 while preventing a needless disclosure of the currently valid token to the 2nd request.

/cc @Seldaek in case you want to have a look.

I'm just worried that although this causes a possible security threat, the security disclosure process hasn't been followed appropriately. Please be more careful in the future.

@zerkms zerkms force-pushed the 42343-remember-me-cookie-2nd-request branch from 7e9f27c to 62ceded Compare September 5, 2022 21:24
@nicolas-grekas
Copy link
Member

Thank you @zerkms.

@nicolas-grekas nicolas-grekas merged commit 64be67e into symfony:5.4 Sep 8, 2022
This was referenced Sep 30, 2022
Merged
Merged
Merged
@heiglandreas
Copy link
Contributor

Throughout the last days I debugged some odd occurrences and was able to track them down to this PR.

I will create a new issue for that so that we can track that accordingly.

@heiglandreas heiglandreas mentioned this pull request Mar 7, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@wouterj wouterj Awaiting requested review from wouterj

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

Assignees
No one assigned
Labels
Bug Security Status: Reviewed
Projects
None yet
Milestone
5.4
Development

Successfully merging this pull request may close these issues.

PersistentRememberMeHandler - race condition in returned cookies
4 participants
@zerkms @nicolas-grekas @heiglandreas @carsonbot