Merge branch '2.3' into 2.7v2.7.7

* 2.3: migrate session after remember me authentication prevent timing attacks in digest auth listener mitigate CSRF timing attack vulnerability fix potential timing attack issue
author: Fabien Potencier <fabien.potencier@gmail.com> 2015-11-23 11:34:14 +0100
committer: Fabien Potencier <fabien.potencier@gmail.com> 2015-11-23 11:34:14 +0100
commit: 4cbe9221d4fa99fba7aa4b21254a228758cb710d (patch)
tree: cfa8b51607a798afa64cfacfac97992be41dab09 /Http/RememberMe/PersistentTokenBasedRememberMeServices.php
parent: 7260a65641af0c1896d3fe431cee16efe956fcbe (diff)
parent: 1500a2ceb20b1bcf908f07ee2104225b3e35ee65 (diff)
download: symfony-security-4cbe9221d4fa99fba7aa4b21254a228758cb710d.zip
symfony-security-4cbe9221d4fa99fba7aa4b21254a228758cb710d.tar.gz
symfony-security-4cbe9221d4fa99fba7aa4b21254a228758cb710d.tar.bz2
1 files changed, 2 insertions, 1 deletions
diff --git a/Http/RememberMe/PersistentTokenBasedRememberMeServices.php b/Http/RememberMe/PersistentTokenBasedRememberMeServices.php
index 4fb7e09..5f131cf 100644
--- a/Http/RememberMe/PersistentTokenBasedRememberMeServices.php
+++ b/Http/RememberMe/PersistentTokenBasedRememberMeServices.php
@@ -21,6 +21,7 @@ use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentToken;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Util\SecureRandomInterface;
 use Psr\Log\LoggerInterface;
+use Symfony\Component\Security\Core\Util\StringUtils;
 
 /**
  * Concrete implementation of the RememberMeServicesInterface which needs
@@ -90,7 +91,7 @@ class PersistentTokenBasedRememberMeServices extends AbstractRememberMeServices
         list($series, $tokenValue) = $cookieParts;
         $persistentToken = $this->tokenProvider->loadTokenBySeries($series);
 
-        if ($persistentToken->getTokenValue() !== $tokenValue) {
+        if (!StringUtils::equals($persistentToken->getTokenValue(), $tokenValue)) {
             throw new CookieTheftException('This token was already used. The account is possibly compromised.');
         }
author	Fabien Potencier <fabien.potencier@gmail.com>	2015-11-23 11:34:14 +0100
committer	Fabien Potencier <fabien.potencier@gmail.com>	2015-11-23 11:34:14 +0100
commit	4cbe9221d4fa99fba7aa4b21254a228758cb710d (patch)
tree	cfa8b51607a798afa64cfacfac97992be41dab09 /Http/RememberMe/PersistentTokenBasedRememberMeServices.php
parent	7260a65641af0c1896d3fe431cee16efe956fcbe (diff)
parent	1500a2ceb20b1bcf908f07ee2104225b3e35ee65 (diff)
download	symfony-security-4cbe9221d4fa99fba7aa4b21254a228758cb710d.zip symfony-security-4cbe9221d4fa99fba7aa4b21254a228758cb710d.tar.gz symfony-security-4cbe9221d4fa99fba7aa4b21254a228758cb710d.tar.bz2