author | Dawid Nowak <code@dnowak.pl> | 2015-05-17 22:37:53 +0200 |
committer | Fabien Potencier <fabien.potencier@gmail.com> | 2015-05-21 06:28:25 +0200 |
commit | 51f245f2684a0a819dcaff815f401494e63a582d (patch) | |
tree | 44be4a9754998b26b001e481e45b214a45d49fd1 /Http/RememberMe | |
parent | c7a417a9e3a9712ddd2f8650193232fcf370e3c8 (diff) | |
[Security] AbstractRememberMeServices::encodeCookie() validates cookie parts
Diffstat (limited to 'Http/RememberMe')
-rw-r--r-- | Http/RememberMe/AbstractRememberMeServices.php | 8 | ||||
-rw-r--r-- | Http/RememberMe/TokenBasedRememberMeServices.php | 4 |
2 files changed, 8 insertions, 4 deletions
diff --git a/Http/RememberMe/AbstractRememberMeServices.php b/Http/RememberMe/AbstractRememberMeServices.php
index b14e36d..16f7831 100644
--- a/Http/RememberMe/AbstractRememberMeServices.php
+++ b/Http/RememberMe/AbstractRememberMeServices.php
@@ -268,9 +268,17 @@ abstract class AbstractRememberMeServices implements RememberMeServicesInterface
      * @param array $cookieParts
      *
      * @return string
+     *
+     * @throws \InvalidArgumentException When $cookieParts contain the cookie delimiter. Extending class should either remove or escape it.
      */
     protected function encodeCookie(array $cookieParts)
     {
+        foreach ($cookieParts as $cookiePart) {
+            if (false !== strpos($cookiePart, self::COOKIE_DELIMITER)) {
+                throw new \InvalidArgumentException(sprintf('$cookieParts should not contain the cookie delimiter "%s"', self::COOKIE_DELIMITER));
+            }
+        }
+
         return base64_encode(implode(self::COOKIE_DELIMITER, $cookieParts));
     }
diff --git a/Http/RememberMe/TokenBasedRememberMeServices.php b/Http/RememberMe/TokenBasedRememberMeServices.php
index 3d2cf12..a129b1d 100644
--- a/Http/RememberMe/TokenBasedRememberMeServices.php
+++ b/Http/RememberMe/TokenBasedRememberMeServices.php
@@ -119,8 +119,6 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices
      * @param int $expires The Unix timestamp when the cookie expires
      * @param string $password The encoded password
      *
-     * @throws \RuntimeException if username contains invalid chars
-     *
      * @return string
      */
     protected function generateCookieValue($class, $username, $expires, $password)
@@ -141,8 +139,6 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices
      * @param int $expires The Unix timestamp when the cookie expires
      * @param string $password The encoded password
      *
-     * @throws \RuntimeException when the private key is empty
-     *
      * @return string
      */
     protected function generateCookieHash($class, $username, $expires, $password)
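Review bot: The new foreach in encodeCookie rejects any part that carries the delimiter but the exception never says which part, so a subclass author debugging the failure gets no hint where the offending value came from; iterating with the key and naming it would fix that: `foreach ($cookieParts as $key => $cookiePart) {` and `throw new \InvalidArgumentException(sprintf('$cookieParts[%s] should not contain the cookie delimiter "%s"', $key, self::COOKIE_DELIMITER));`. The check itself is the right defence, since the decode side presumably splits on the same delimiter and a part containing it would shift every following field into the wrong position. The loop relies on strpos coercing non-string parts (the subclass hunk types `$expires` as int), which works but a `(string) $cookiePart` cast would make a non-scalar part fail with a clear TypeError-style message instead of a warning. The added @throws line tells extending classes to "escape" the delimiter, yet encodeCookie offers no escaping scheme; "encode (for example base64) or remove" would describe the only workable options.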
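Review bot: Dropping `@throws \RuntimeException when the private key is empty` from generateCookieHash's docblock is only correct if the method body no longer throws it; the body starts outside the hunk, so that should be confirmed, and if the guard still exists the line should stay. In the same file generateCookieValue presumably delegates to encodeCookie, which with this commit throws \InvalidArgumentException when a part contains the delimiter, so its docblock would be more accurate with `@throws \InvalidArgumentException when a cookie part contains the cookie delimiter` in place of the removed RuntimeException line. Both method bodies lie outside the two hunks.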