Add event listener to check that the kernel.secret parameter isn't set to the default #6480
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| private $logger; | ||
| private $secret; | ||
|
|
||
| public function __construct(LoggerInterface $logger = null, $secret) |
There was a problem hiding this comment.
$logger can't be null. because you will have error on $this->logger->alert
There was a problem hiding this comment.
Well, the logic should be fixed. The logger is optional everywhere in Symfony.
|
Closing in favor of #6598 |
fabpot
added a commit
that referenced
this pull request
Jan 7, 2013
This PR was merged into the master branch. Commits ------- f5290b9 [FrameworkBundle] Force users to set "kernel.secret" to something different than default "ThisTokenIsNotSoSecretChangeIt" Discussion ---------- [RFC][BC][FrameworkBundle] Force users to set "kernel.secret" to something unique Bug fix: kinda* Feature addition: no BC break: yes Symfony2 tests pass: yes Fixes the following tickets: #6480 License of the code: MIT This PR is to show different approach for "fix" suggested in #6480, as IMO there is no real point for "yet another listener" =) This PR also introduces BC break for all users that used default value for `kernel.secret`, but IMO it's worth it.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
After reading #6463, I think it's becoming increasingly important that
kernel.secretis absolutely set to something secure.I have seen (and also been guilty of for quick builds) projects that don't bother changing the secret. This PR adds a warning to the logger when this is detected.
Perhaps a compiler pass could be used to unsubscribe from the event once the issue has been resolved.
Note: threw this together in a few mins... might not comply with conventions