diff options
Diffstat (limited to 'Http')
| -rw-r--r-- | Http/README.md | 2 | ||||
| -rw-r--r-- | Http/RememberMe/TokenBasedRememberMeServices.php | 28 | ||||
| -rw-r--r-- | Http/Tests/Firewall/SwitchUserListenerTest.php | 8 | ||||
| -rw-r--r-- | Http/composer.json | 2 |
4 files changed, 8 insertions, 32 deletions
diff --git a/Http/README.md b/Http/README.md index 187f2b4..c0760d4 100644 --- a/Http/README.md +++ b/Http/README.md @@ -11,7 +11,7 @@ Resources Documentation: -http://symfony.com/doc/2.4/book/security.html +http://symfony.com/doc/2.5/book/security.html Tests ----- diff --git a/Http/RememberMe/TokenBasedRememberMeServices.php b/Http/RememberMe/TokenBasedRememberMeServices.php index 571abbe..6fd6bc4 100644 --- a/Http/RememberMe/TokenBasedRememberMeServices.php +++ b/Http/RememberMe/TokenBasedRememberMeServices.php @@ -17,6 +17,7 @@ use Symfony\Component\HttpFoundation\Response; use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; use Symfony\Component\Security\Core\Exception\AuthenticationException; use Symfony\Component\Security\Core\User\UserInterface; +use Symfony\Component\Security\Core\Util\StringUtils; /** * Concrete implementation of the RememberMeServicesInterface providing @@ -53,7 +54,7 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices throw new \RuntimeException(sprintf('The UserProviderInterface implementation must return an instance of UserInterface, but returned "%s".', get_class($user))); } - if (true !== $this->compareHashes($hash, $this->generateCookieHash($class, $username, $expires, $user->getPassword()))) { + if (true !== StringUtils::equals($hash, $this->generateCookieHash($class, $username, $expires, $user->getPassword()))) { throw new AuthenticationException('The cookie\'s hash is invalid.'); } @@ -65,31 +66,6 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices } /** - * Compares two hashes using a constant-time algorithm to avoid (remote) - * timing attacks. - * - * This is the same implementation as used in the BasePasswordEncoder. - * - * @param string $hash1 The first hash - * @param string $hash2 The second hash - * - * @return Boolean true if the two hashes are the same, false otherwise - */ - private function compareHashes($hash1, $hash2) - { - if (strlen($hash1) !== $c = strlen($hash2)) { - return false; - } - - $result = 0; - for ($i = 0; $i < $c; $i++) { - $result |= ord($hash1[$i]) ^ ord($hash2[$i]); - } - - return 0 === $result; - } - - /** * {@inheritDoc} */ protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token) diff --git a/Http/Tests/Firewall/SwitchUserListenerTest.php b/Http/Tests/Firewall/SwitchUserListenerTest.php index f331f0e..110e05c 100644 --- a/Http/Tests/Firewall/SwitchUserListenerTest.php +++ b/Http/Tests/Firewall/SwitchUserListenerTest.php @@ -87,7 +87,7 @@ class SwitchUserListenerTest extends \PHPUnit_Framework_TestCase $this->request->expects($this->any())->method('get')->with('_switch_user')->will($this->returnValue('_exit')); $this->request->expects($this->any())->method('getUri')->will($this->returnValue('/')); - $this->request->query->expects($this->once())->method('remove','_switch_user'); + $this->request->query->expects($this->once())->method('remove', '_switch_user'); $this->request->query->expects($this->any())->method('all')->will($this->returnValue(array())); $this->request->server->expects($this->once())->method('set')->with('QUERY_STRING', ''); @@ -103,7 +103,7 @@ class SwitchUserListenerTest extends \PHPUnit_Framework_TestCase /** * @expectedException \Symfony\Component\Security\Core\Exception\AccessDeniedException */ - public function testSwitchUserIsDissallowed() + public function testSwitchUserIsDisallowed() { $token = $this->getToken(array($this->getMock('Symfony\Component\Security\Core\Role\RoleInterface'))); @@ -126,7 +126,7 @@ class SwitchUserListenerTest extends \PHPUnit_Framework_TestCase $this->securityContext->expects($this->any())->method('getToken')->will($this->returnValue($token)); $this->request->expects($this->any())->method('get')->with('_switch_user')->will($this->returnValue('kuba')); - $this->request->query->expects($this->once())->method('remove','_switch_user'); + $this->request->query->expects($this->once())->method('remove', '_switch_user'); $this->request->query->expects($this->any())->method('all')->will($this->returnValue(array())); $this->request->expects($this->any())->method('getUri')->will($this->returnValue('/')); @@ -156,7 +156,7 @@ class SwitchUserListenerTest extends \PHPUnit_Framework_TestCase $this->securityContext->expects($this->any())->method('getToken')->will($this->returnValue($token)); $this->request->expects($this->any())->method('get')->with('_switch_user')->will($this->returnValue('kuba')); - $this->request->query->expects($this->once())->method('remove','_switch_user'); + $this->request->query->expects($this->once())->method('remove', '_switch_user'); $this->request->query->expects($this->any())->method('all')->will($this->returnValue(array('page'=>3,'section'=>2))); $this->request->expects($this->any())->method('getUri')->will($this->returnValue('/')); $this->request->server->expects($this->once())->method('set')->with('QUERY_STRING', 'page=3§ion=2'); diff --git a/Http/composer.json b/Http/composer.json index 716c443..c544ad1 100644 --- a/Http/composer.json +++ b/Http/composer.json @@ -38,7 +38,7 @@ "minimum-stability": "dev", "extra": { "branch-alias": { - "dev-master": "2.4-dev" + "dev-master": "2.5-dev" } } } |