Merge branch '2.8'

* 2.8:
  removed usage of the deprecated StringUtils::equals() method
  Fix: Resolve tempdir symlink, not working on OSX
  fixed tests
  migrate session after remember me authentication
  prevent timing attacks in digest auth listener
  mitigate CSRF timing attack vulnerability
  fix potential timing attack issue
  [WebProfilerBundle] Added a top left border radius to the minified to…
  [Routing] Changing RouteCollectionBuilder::import() behavior to add to the builder
  [HttpKernel] Don't reset on shutdown but in FrameworkBundle/Test/KernelTestCase
  [Process] PhpExecutableFinder: add regression test

Author: fabpot

Firewall/DigestAuthenticationListener.php

@@ -99,7 +99,7 @@ public function handle(GetResponseEvent $event)
             return;
         }
 
-        if ($serverDigestMd5 !== $digestAuth->getResponse()) {
+        if (!hash_equals($serverDigestMd5, $digestAuth->getResponse())) {
             if (null !== $this->logger) {
                 $this->logger->debug('Unexpected response from the DigestAuth received; is the header returning a clear text passwords?', array('expected' => $serverDigestMd5, 'received' => $digestAuth->getResponse()));
             }

Firewall/RememberMeListener.php

@@ -21,6 +21,7 @@
 use Symfony\Component\Security\Http\SecurityEvents;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
+use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy;
 
 /**
  * RememberMeListener implements authentication capabilities via a cookie.
@@ -56,7 +57,7 @@ public function __construct(TokenStorageInterface $tokenStorage, RememberMeServi
         $this->logger = $logger;
         $this->dispatcher = $dispatcher;
         $this->catchExceptions = $catchExceptions;
-        $this->sessionStrategy = $sessionStrategy;
+        $this->sessionStrategy = null === $sessionStrategy ? new SessionAuthenticationStrategy(SessionAuthenticationStrategy::MIGRATE) : $sessionStrategy;
     }
 
     /**
@@ -77,7 +78,7 @@ public function handle(GetResponseEvent $event)
 
         try {
             $token = $this->authenticationManager->authenticate($token);
-            if (null !== $this->sessionStrategy && $request->hasSession() && $request->getSession()->isStarted()) {
+            if ($request->hasSession() && $request->getSession()->isStarted()) {
                 $this->sessionStrategy->onAuthentication($request, $token);
             }
             $this->tokenStorage->setToken($token);

RememberMe/PersistentTokenBasedRememberMeServices.php

@@ -71,7 +71,7 @@ protected function processAutoLoginCookie(array $cookieParts, Request $request)
         list($series, $tokenValue) = $cookieParts;
         $persistentToken = $this->tokenProvider->loadTokenBySeries($series);
 
-        if ($persistentToken->getTokenValue() !== $tokenValue) {
+        if (!hash_equals($persistentToken->getTokenValue(), $tokenValue)) {
             throw new CookieTheftException('This token was already used. The account is possibly compromised.');
         }
 

Tests/Firewall/RememberMeListenerTest.php

@@ -246,6 +246,69 @@ public function testSessionStrategy()
         $listener->handle($event);
     }
 
+    public function testSessionIsMigratedByDefault()
+    {
+        list($listener, $tokenStorage, $service, $manager, , $dispatcher, $sessionStrategy) = $this->getListener(false, true, false);
+
+        $tokenStorage
+            ->expects($this->once())
+            ->method('getToken')
+            ->will($this->returnValue(null))
+        ;
+
+        $token = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface');
+        $service
+            ->expects($this->once())
+            ->method('autoLogin')
+            ->will($this->returnValue($token))
+        ;
+
+        $tokenStorage
+            ->expects($this->once())
+            ->method('setToken')
+            ->with($this->equalTo($token))
+        ;
+
+        $manager
+            ->expects($this->once())
+            ->method('authenticate')
+            ->will($this->returnValue($token))
+        ;
+
+        $session = $this->getMock('\Symfony\Component\HttpFoundation\Session\SessionInterface');
+        $session
+            ->expects($this->once())
+            ->method('isStarted')
+            ->will($this->returnValue(true))
+        ;
+        $session
+            ->expects($this->once())
+            ->method('migrate')
+        ;
+
+        $request = $this->getMock('\Symfony\Component\HttpFoundation\Request');
+        $request
+            ->expects($this->any())
+            ->method('hasSession')
+            ->will($this->returnValue(true))
+        ;
+
+        $request
+            ->expects($this->any())
+            ->method('getSession')
+            ->will($this->returnValue($session))
+        ;
+
+        $event = $this->getGetResponseEvent();
+        $event
+            ->expects($this->once())
+            ->method('getRequest')
+            ->will($this->returnValue($request))
+        ;
+
+        $listener->handle($event);
+    }
+
     public function testOnCoreSecurityInteractiveLoginEventIsDispatchedIfDispatcherIsPresent()
     {
         list($listener, $tokenStorage, $service, $manager, , $dispatcher) = $this->getListener(true);