Merge branch '5.4' into 6.0

* 5.4:
  Use single quote to escape formulas
  [SecurityBundle] Default signature_properties to the previous behavior
  Fix missing extra trusted header in sub-request

Author: nicolas-grekas

DependencyInjection/Security/Factory/RememberMeFactory.php

@@ -154,6 +154,7 @@ public function addConfiguration(NodeDefinition $node)
                 ->requiresAtLeastOneElement()
                 ->info('An array of properties on your User that are used to sign the remember-me cookie. If any of these change, all existing cookies will become invalid.')
                 ->example(['email', 'password'])
+                ->defaultValue(['password'])
             ->end()
             ->arrayNode('token_provider')
                 ->beforeNormalization()

Tests/Functional/Bundle/RememberMeBundle/Security/UserChangingUserProvider.php

@@ -21,33 +21,40 @@ class UserChangingUserProvider implements UserProviderInterface
 {
     private $inner;
 
+    public static $changePassword = false;
+
     public function __construct(InMemoryUserProvider $inner)
     {
         $this->inner = $inner;
     }
 
     public function loadUserByUsername($username): UserInterface
     {
-        return $this->inner->loadUserByUsername($username);
+        return $this->changeUser($this->inner->loadUserByUsername($username));
     }
 
     public function loadUserByIdentifier(string $userIdentifier): UserInterface
     {
-        return $this->inner->loadUserByIdentifier($userIdentifier);
+        return $this->changeUser($this->inner->loadUserByIdentifier($userIdentifier));
     }
 
     public function refreshUser(UserInterface $user): UserInterface
     {
-        $user = $this->inner->refreshUser($user);
-
-        $alterUser = \Closure::bind(function (InMemoryUser $user) { $user->password = 'foo'; }, null, class_exists(User::class) ? User::class : InMemoryUser::class);
-        $alterUser($user);
-
-        return $user;
+        return $this->changeUser($this->inner->refreshUser($user));
     }
 
     public function supportsClass($class): bool
     {
         return $this->inner->supportsClass($class);
     }
+
+    private function changeUser(UserInterface $user): UserInterface
+    {
+        if (self::$changePassword) {
+            $alterUser = \Closure::bind(function (InMemoryUser $user) { $user->password = 'changed!'; }, null, class_exists(User::class) ? User::class : InMemoryUser::class);
+            $alterUser($user);
+        }
+
+        return $user;
+    }
 }

Tests/Functional/RememberMeTest.php

@@ -11,8 +11,15 @@
 
 namespace Symfony\Bundle\SecurityBundle\Tests\Functional;
 
+use Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\RememberMeBundle\Security\UserChangingUserProvider;
+
 class RememberMeTest extends AbstractWebTestCase
 {
+    protected function setUp(): void
+    {
+        UserChangingUserProvider::$changePassword = false;
+    }
+
     /**
      * @dataProvider provideConfigs
      */
@@ -51,11 +58,19 @@ public function testUserChangeClearsCookie()
 
         $this->assertSame(302, $client->getResponse()->getStatusCode());
         $cookieJar = $client->getCookieJar();
-        $this->assertNotNull($cookieJar->get('REMEMBERME'));
+        $this->assertNotNull($cookie = $cookieJar->get('REMEMBERME'));
 
+        UserChangingUserProvider::$changePassword = true;
+
+        // change password (through user provider), this deauthenticates the session
         $client->request('GET', '/profile');
         $this->assertRedirect($client->getResponse(), '/login');
         $this->assertNull($cookieJar->get('REMEMBERME'));
+
+        // restore the old remember me cookie, it should no longer be valid
+        $cookieJar->set($cookie);
+        $client->request('GET', '/profile');
+        $this->assertRedirect($client->getResponse(), '/login');
     }
 
     public function testSessionLessRememberMeLogout()