author | Fabien Potencier <fabien.potencier@gmail.com> | 2015-11-23 11:34:41 +0100 |
committer | Fabien Potencier <fabien.potencier@gmail.com> | 2015-11-23 11:34:41 +0100 |
commit | 31c5b697c06a1f254ec337c1921b9f6b25b8f32f (patch) | |
tree | 81e2b2874e38c82011088123feb623549e91be84 /Http/Firewall | |
parent | 4e473f4aa100d293f68dae683464f23407b0058e (diff) | |
parent | 4cbe9221d4fa99fba7aa4b21254a228758cb710d (diff) | |
Merge branch '2.7' into 2.8
* 2.7:
fixed tests
migrate session after remember me authentication
prevent timing attacks in digest auth listener
mitigate CSRF timing attack vulnerability
fix potential timing attack issue
Diffstat (limited to 'Http/Firewall')
-rw-r--r-- | Http/Firewall/DigestAuthenticationListener.php | 3 | ||||
-rw-r--r-- | Http/Firewall/RememberMeListener.php | 5 |
2 files changed, 5 insertions, 3 deletions
diff --git a/Http/Firewall/DigestAuthenticationListener.php b/Http/Firewall/DigestAuthenticationListener.php
index 15b71ef..f2048fd 100644
--- a/Http/Firewall/DigestAuthenticationListener.php
+++ b/Http/Firewall/DigestAuthenticationListener.php
@@ -12,6 +12,7 @@ namespace Symfony\Component\Security\Http\Firewall;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\Security\Core\Util\StringUtils;
 use Symfony\Component\Security\Http\EntryPoint\DigestAuthenticationEntryPoint;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
@@ -99,7 +100,7 @@ class DigestAuthenticationListener implements ListenerInterface
 return;
 }
- if ($serverDigestMd5 !== $digestAuth->getResponse()) {
+ if (!StringUtils::equals($serverDigestMd5, $digestAuth->getResponse())) {
 if (null !== $this->logger) {
 $this->logger->debug('Unexpected response from the DigestAuth received; is the header returning a clear text passwords?', array('expected' => $serverDigestMd5, 'received' => $digestAuth->getResponse()));
 }
diff --git a/Http/Firewall/RememberMeListener.php b/Http/Firewall/RememberMeListener.php
index ccadf94..4186430 100644
--- a/Http/Firewall/RememberMeListener.php
+++ b/Http/Firewall/RememberMeListener.php
@@ -21,6 +21,7 @@ use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
 use Symfony\Component\Security\Http\SecurityEvents;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
+use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy;
 /**
 * RememberMeListener implements authentication capabilities via a cookie.
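Review bot: The argument order of the new `StringUtils::equals` call carries the timing guarantee: the helper treats its first argument as the known value and the second as user input, and the hunk passes `$serverDigestMd5` first and the client's response second, which is right but easy to swap in a later edit, so a line such as `// constant-time compare: known digest first, client-supplied response second` above the `if` would pin it. If I recall correctly the 2.8 branch deprecates StringUtils in favour of `hash_equals()`, so the merged line may raise a deprecation notice there and could read `if (!hash_equals($serverDigestMd5, $digestAuth->getResponse())) {`. The debug log on the following context line still records the expected digest next to the received one; that predates this change, but it writes a password-derived value into the log, so logging only the received value is worth considering. The enclosing method and the `if` block both continue outside the hunk.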
@@ -56,7 +57,7 @@ class RememberMeListener implements ListenerInterface
 $this->logger = $logger;
 $this->dispatcher = $dispatcher;
 $this->catchExceptions = $catchExceptions;
- $this->sessionStrategy = $sessionStrategy;
+ $this->sessionStrategy = null === $sessionStrategy ? new SessionAuthenticationStrategy(SessionAuthenticationStrategy::MIGRATE) : $sessionStrategy;
 }
 /**
@@ -77,7 +78,7 @@ class RememberMeListener implements ListenerInterface
 try {
 $token = $this->authenticationManager->authenticate($token);
- if (null !== $this->sessionStrategy && $request->hasSession() && $request->getSession()->isStarted()) {
+ if ($request->hasSession() && $request->getSession()->isStarted()) {
 $this->sessionStrategy->onAuthentication($request, $token);
 }
 $this->tokenStorage->setToken($token);
|
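Review bot: The constructor's signature and docblock lie outside the hunk, so the new meaning of a null `$sessionStrategy` (fall back to `SessionAuthenticationStrategy::MIGRATE`) is documented nowhere a caller reads it; the `@param` for `$sessionStrategy` should say something like `@param SessionAuthenticationStrategyInterface|null $sessionStrategy Null means the session is migrated after authentication`. The same invariant justifies the removed `null !==` guard in the second hunk at line 78: `onAuthentication()` is now called unconditionally on the strategy, which is safe only because the constructor guarantees a non-null value, and a short comment above that `if` (`// sessionStrategy is never null, see constructor`) keeps the two hunks tied together. Migration is still skipped when no session has been started at this point; that is unchanged by the commit and presumably intended, though I cannot tell from here whether a session started later in the request can still carry a pre-authentication id. Both enclosing methods start and end outside the hunk.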