bug #14678 [Security] AbstractRememberMeServices::encodeCookie() validates cookie parts (MacDada)

fabpot · fabpot · commit 07a75922485d · 2015-05-21T06:28:27.000+02:00
This PR was squashed before being merged into the 2.3 branch (closes #14678).

Discussion
----------

[Security] AbstractRememberMeServices::encodeCookie() validates cookie parts

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #14577
| License       | MIT
| Doc PR        | no

`AbstractRememberMeServices::encodeCookie()` guards against `COOKIE_DELIMITER` in `$cookieParts`.

* it would make `AbstractRememberMeServices::cookieDecode()` broken
* all current extending classes do it anyway (see #14670 )
* added tests – it's not a public method, but it is expected to be used by user implementations – as such, it's good to know that it works properly

Commits
-------

464c39a [Security] AbstractRememberMeServices::encodeCookie() validates cookie parts
diff --git a/RememberMe/AbstractRememberMeServices.php b/RememberMe/AbstractRememberMeServices.php
@@ -268,9 +268,17 @@ protected function decodeCookie($rawCookie)
      * @param array $cookieParts
      *
      * @return string
+     *
+     * @throws \InvalidArgumentException When $cookieParts contain the cookie delimiter. Extending class should either remove or escape it.
      */
     protected function encodeCookie(array $cookieParts)
     {
+        foreach ($cookieParts as $cookiePart) {
+            if (false !== strpos($cookiePart, self::COOKIE_DELIMITER)) {
+                throw new \InvalidArgumentException(sprintf('$cookieParts should not contain the cookie delimiter "%s"', self::COOKIE_DELIMITER));
+            }
+        }
+
         return base64_encode(implode(self::COOKIE_DELIMITER, $cookieParts));
     }
 
diff --git a/RememberMe/TokenBasedRememberMeServices.php b/RememberMe/TokenBasedRememberMeServices.php
@@ -119,8 +119,6 @@ protected function onLoginSuccess(Request $request, Response $response, TokenInt
      * @param int    $expires  The Unix timestamp when the cookie expires
      * @param string $password The encoded password
      *
-     * @throws \RuntimeException if username contains invalid chars
-     *
      * @return string
      */
     protected function generateCookieValue($class, $username, $expires, $password)
@@ -141,8 +139,6 @@ protected function generateCookieValue($class, $username, $expires, $password)
      * @param int    $expires  The Unix timestamp when the cookie expires
      * @param string $password The encoded password
      *
-     * @throws \RuntimeException when the private key is empty
-     *
      * @return string
      */
     protected function generateCookieHash($class, $username, $expires, $password)

Original file line number	Diff line number	Diff line change
`@@ -268,9 +268,17 @@ protected function decodeCookie($rawCookie)`
`268`	`268`	`* @param array $cookieParts`
`269`	`269`	`*`
`270`	`270`	`* @return string`
	`271`	`+ *`
	`272`	`+ * @throws \InvalidArgumentException When $cookieParts contain the cookie delimiter. Extending class should either remove or escape it.`
`271`	`273`	`*/`
`272`	`274`	`protected function encodeCookie(array $cookieParts)`
`273`	`275`	`{`
	`276`	`+ foreach ($cookieParts as $cookiePart) {`
	`277`	`+ if (false !== strpos($cookiePart, self::COOKIE_DELIMITER)) {`
	`278`	`+ throw new \InvalidArgumentException(sprintf('$cookieParts should not contain the cookie delimiter "%s"', self::COOKIE_DELIMITER));`
	`279`	`+ }`
	`280`	`+ }`
	`281`	`+`
`274`	`282`	`return base64_encode(implode(self::COOKIE_DELIMITER, $cookieParts));`
`275`	`283`	`}`
`276`	`284`