Skip to content
This repository was archived by the owner on May 31, 2024. It is now read-only.

Commit fc21759

Browse files
MacDadafabpot
MacDada
authored and
fabpot
committed
[Security] TokenBasedRememberMeServices test to show why encoding username is required
1 parent c7a417a commit fc21759

File tree

2 files changed

+18
-3
lines changed

2 files changed

+18
-3
lines changed

Http/RememberMe/TokenBasedRememberMeServices.php

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -125,6 +125,8 @@ protected function onLoginSuccess(Request $request, Response $response, TokenInt
125125
*/
126126
protected function generateCookieValue($class, $username, $expires, $password)
127127
{
128+
// $username is encoded because it might contain COOKIE_DELIMITER,
129+
// we assume other values don't
128130
return $this->encodeCookie(array(
129131
$class,
130132
base64_encode($username),

Tests/Http/RememberMe/TokenBasedRememberMeServicesTest.php

Lines changed: 16 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -105,7 +105,12 @@ public function testAutoLoginDoesNotAcceptAnExpiredCookie()
105105
$this->assertTrue($request->attributes->get(RememberMeServicesInterface::COOKIE_ATTR_NAME)->isCleared());
106106
}
107107

108-
public function testAutoLogin()
108+
/**
109+
* @dataProvider provideUsernamesForAutoLogin
110+
*
111+
* @param string $username
112+
*/
113+
public function testAutoLogin($username)
109114
{
110115
$user = $this->getMock('Symfony\Component\Security\Core\User\UserInterface');
111116
$user
@@ -123,13 +128,13 @@ public function testAutoLogin()
123128
$userProvider
124129
->expects($this->once())
125130
->method('loadUserByUsername')
126-
->with($this->equalTo('foouser'))
131+
->with($this->equalTo($username))
127132
->will($this->returnValue($user))
128133
;
129134

130135
$service = $this->getService($userProvider, array('name' => 'foo', 'always_remember_me' => true, 'lifetime' => 3600));
131136
$request = new Request();
132-
$request->cookies->set('foo', $this->getCookie('fooclass', 'foouser', time() + 3600, 'foopass'));
137+
$request->cookies->set('foo', $this->getCookie('fooclass', $username, time() + 3600, 'foopass'));
133138

134139
$returnedToken = $service->autoLogin($request);
135140

@@ -138,6 +143,14 @@ public function testAutoLogin()
138143
$this->assertEquals('fookey', $returnedToken->getKey());
139144
}
140145

146+
public function provideUsernamesForAutoLogin()
147+
{
148+
return array(
149+
array('foouser', 'Simple username'),
150+
array('foo'.TokenBasedRememberMeServices::COOKIE_DELIMITER.'user', 'Username might contain the delimiter'),
151+
);
152+
}
153+
141154
public function testLogout()
142155
{
143156
$service = $this->getService(null, array('name' => 'foo', 'path' => null, 'domain' => null));

0 commit comments

Comments
 (0)