File: security-cve-2019-10911-Security-Add-a-separator-in-the-r.patch

symfony 2.8.7+dfsg-1.3+deb9u3
  • area: main
  • in suites: stretch
  • size: 39,888 kB
  • sloc: php: 225,095; xml: 4,083; sh: 475; ansic: 263; makefile: 127
From: Nicolas Grekas <nicolas.grekas@gmail.com>
Date: Tue, 16 Apr 2019 10:56:46 +0200
Subject: security #cve-2019-10911 [Security] Add a separator in the remember
 me cookie hash (pborreli)

This PR was merged into the 2.8 branch.

Discussion
----------

[Security] Add a separator in the remember me cookie hash

Based on #89

Commits
-------

9044e3b65d [Security] Add a separator in the remember me cookie hash

Origin: upstream, https://github.com/symfony/symfony/commit/938b21a72e847fe4fdb762299a1b761c89bba56e
---
 .../Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php b/src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php
index a443702..f3c42ba 100644
--- a/src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php
+++ b/src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php
@@ -120,6 +120,6 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices
      */
     protected function generateCookieHash($class, $username, $expires, $password)
     {
-        return hash_hmac('sha256', $class.$username.$expires.$password, $this->getSecret());
+        return hash_hmac('sha256', $class.self::COOKIE_DELIMITER.$username.self::COOKIE_DELIMITER.$expires.self::COOKIE_DELIMITER.$password, $this->getSecret());
     }
 }
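Review bot: In the new `hash_hmac('sha256', $class.self::COOKIE_DELIMITER.$username...` line, the separator only makes the HMAC input unambiguous if `$class`, `$username` and `$expires` can never contain `COOKIE_DELIMITER` themselves, and nothing visible in this hunk enforces that or shows the delimiter's value. Consider encoding or length-prefixing each field before concatenation, or rejecting values that contain the delimiter, so that two different (class, username, expires, password) tuples cannot serialize to the same string. The diffstat lists one changed file, so no regression test accompanies the fix; a test asserting that shifting characters between adjacent fields yields a different hash would pin the behaviour. Because the HMAC input changes, cookies issued before this patch will no longer validate, which deserves a line in the changelog or upgrade notes.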