Merge branch '7.0' into 7.1

* 7.0: (39 commits)
  fix merge
  add missing return type-hints
  fix merge
  explicitly mark nullable parameters as nullable
  fix low deps tests
  [HttpKernel] Fix datacollector caster for reference object property
  [Serializer] Fixing PHP warning in the ObjectNormalizer with MaxDepth enabled
  bug #51578 [Cache] always select database for persistent redis connections
  [Security] Validate that CSRF token in form login is string similar to username/password
  [Serializer] Use explicit nullable type
  [validator] validated Dutch translation
  Improve dutch translations
  initialize the current time with midnight before modifying the date
  [Translation] Skip state=needs-translation entries only when source == target
  [HttpKernel] Ensure controllers are not lazy
  [Validator] Fill in trans-unit id 113: This URL does not contain a TLD.
  [Validator] added missing Polish translation for unit 113
  [Validator] add missing lv translation
  fix tests
  [HttpClient] Let curl handle transfer encoding
  ...

Author: xabbuh

Authenticator/FormLoginAuthenticator.php

@@ -143,6 +143,10 @@ private function getCredentials(Request $request): array
             throw new BadRequestHttpException(sprintf('The key "%s" must be a non-empty string.', $this->options['password_parameter']));
         }
 
+        if (!\is_string($credentials['csrf_token'] ?? '') && (!\is_object($credentials['csrf_token']) || !method_exists($credentials['csrf_token'], '__toString'))) {
+            throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['csrf_parameter'], \gettype($credentials['csrf_token'])));
+        }
+
         return $credentials;
     }
 

Tests/Authenticator/FormLoginAuthenticatorTest.php

@@ -193,6 +193,54 @@ public function __toString()
         $this->assertSame('s$cr$t', $credentialsBadge->getPassword());
     }
 
+    /**
+     * @dataProvider postOnlyDataProvider
+     */
+    public function testHandleNonStringCsrfTokenWithArray($postOnly)
+    {
+        $request = Request::create('/login_check', 'POST', ['_username' => 'foo', 'password' => 'bar', '_csrf_token' => []]);
+        $request->setSession($this->createSession());
+
+        $this->setUpAuthenticator(['post_only' => $postOnly]);
+
+        $this->expectException(BadRequestHttpException::class);
+        $this->expectExceptionMessage('The key "_csrf_token" must be a string, "array" given.');
+
+        $this->authenticator->authenticate($request);
+    }
+
+    /**
+     * @dataProvider postOnlyDataProvider
+     */
+    public function testHandleNonStringCsrfTokenWithInt($postOnly)
+    {
+        $request = Request::create('/login_check', 'POST', ['_username' => 'foo', 'password' => 'bar', '_csrf_token' => 42]);
+        $request->setSession($this->createSession());
+
+        $this->setUpAuthenticator(['post_only' => $postOnly]);
+
+        $this->expectException(BadRequestHttpException::class);
+        $this->expectExceptionMessage('The key "_csrf_token" must be a string, "integer" given.');
+
+        $this->authenticator->authenticate($request);
+    }
+
+    /**
+     * @dataProvider postOnlyDataProvider
+     */
+    public function testHandleNonStringCsrfTokenWithObject($postOnly)
+    {
+        $request = Request::create('/login_check', 'POST', ['_username' => 'foo', 'password' => 'bar', '_csrf_token' => new \stdClass()]);
+        $request->setSession($this->createSession());
+
+        $this->setUpAuthenticator(['post_only' => $postOnly]);
+
+        $this->expectException(BadRequestHttpException::class);
+        $this->expectExceptionMessage('The key "_csrf_token" must be a string, "object" given.');
+
+        $this->authenticator->authenticate($request);
+    }
+
     public static function postOnlyDataProvider()
     {
         yield [true];