From: Ryan Weaver <ryan@thatsquality.com>
Date: Thu, 1 Feb 2018 08:53:47 -0500
Subject: Adding session authentication strategy to Guard to avoid session
fixation
[CVE-2018-11385] https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication
Origin: backport, https://github.com/symfony/symfony/commit/f2e83ba44df88adea3268ab81380417cb7366538
---
.../Component/Security/Guard/GuardAuthenticatorHandler.php | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php b/src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php
index 5e1351d..c2ba349 100644
--- a/src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php
+++ b/src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php
@@ -50,6 +50,7 @@ class GuardAuthenticatorHandler
*/
public function authenticateWithToken(TokenInterface $token, Request $request)
{
+ $this->migrateSession($request);
$this->tokenStorage->setToken($token);
if (null !== $this->dispatcher) {
@@ -136,4 +137,16 @@ class GuardAuthenticatorHandler
is_object($response) ? get_class($response) : gettype($response)
));
}
+
+ private function migrateSession(Request $request)
+ {
+ if (!$request->hasSession() || !$request->hasPreviousSession()) {
+ return;
+ }
+
+ // Destroying the old session is broken in php 5.4.0 - 5.4.10
+ // See https://bugs.php.net/63379
+ $destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
+ $request->getSession()->migrate($destroy);
+ }
}
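Review bot: `migrateSession` carries no docblock, so the reason the regeneration is gated on `hasPreviousSession()` is left implicit; I would add `/** Regenerates the session id at authentication time so an id that was known before login (session fixation) does not survive it; skipped when the request carried no session cookie, because such an id cannot have been planted in advance. */` above the method. If `migrate()` follows the `SessionInterface` contract, the `$destroy` argument only decides whether the old session record is deleted now or left to garbage collection, and attributes are carried over either way — worth one sentence in that comment so nobody assumes the migration also clears session data. The call inserted at the top of `authenticateWithToken` in the first hunk fires on every token store, including programmatic re-authentication of an already logged-in user, which is harmless but rotates the id each time; `authenticateWithToken`'s body continues outside that hunk.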