minor #14670 [Security] TokenBasedRememberMeServices test to show why encoding username is required (MacDada)

fabpot · fabpot · commit dd674c5d0fd8 · 2015-05-21T06:29:49.000+02:00
This PR was squashed before being merged into the 2.3 branch (closes #14670).

Discussion
----------

[Security] TokenBasedRememberMeServices test to show why encoding username is required

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #14577
| License       | MIT
| Doc PR        | no

241538d shows that it's not actually tested, 257b796 reimplements it with test.

I can remove the POC commit if it's not needed.

Commits
-------

63a9736 [Security] TokenBasedRememberMeServices test to show why encoding username is required
diff --git a/RememberMe/TokenBasedRememberMeServices.php b/RememberMe/TokenBasedRememberMeServices.php
@@ -123,6 +123,8 @@ protected function onLoginSuccess(Request $request, Response $response, TokenInt
      */
     protected function generateCookieValue($class, $username, $expires, $password)
     {
+        // $username is encoded because it might contain COOKIE_DELIMITER,
+        // we assume other values don't
         return $this->encodeCookie(array(
             $class,
             base64_encode($username),

Original file line number	Diff line number	Diff line change
`@@ -123,6 +123,8 @@ protected function onLoginSuccess(Request $request, Response $response, TokenInt`
`123`	`123`	`*/`
`124`	`124`	`protected function generateCookieValue($class, $username, $expires, $password)`
`125`	`125`	`{`
	`126`	`+ // $username is encoded because it might contain COOKIE_DELIMITER,`
	`127`	`+ // we assume other values don't`
`126`	`128`	`return $this->encodeCookie(array(`
`127`	`129`	`$class,`
`128`	`130`	`base64_encode($username),`