
Commit 1327e38

Thibault Gnicolas-grekas
authored andcommitted
[Security] Use the session only if it is started when using SameOriginCsrfTokenManager
1 parent 49f1326 commit 1327e38


2 files changed

+26
-3
lines changed


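--- a/src/Symfony/Component/Security/Csrf/SameOriginCsrfTokenManager.php
+++ b/src/Symfony/Component/Security/Csrf/SameOriginCsrfTokenManager.php
@@ -207,9 +207,17 @@ public function clearCookies(Request $request, Response $response): void
 
     public function persistStrategy(Request $request): void
     {
-        if ($request->hasSession(true) && $request->attributes->has($this->cookieName)) {
-            $request->getSession()->set($this->cookieName, $request->attributes->get($this->cookieName));
+        if (!$request->attributes->has($this->cookieName)
+            || !$request->hasSession(true)
+            || !($session = $request->getSession())->isStarted()
+        ) {
+            return;
         }
+
+        $usageIndexValue = $session instanceof Session ? $usageIndexReference = &$session->getUsageIndex() : 0;
+        $usageIndexReference = \PHP_INT_MIN;
+        $session->set($this->cookieName, $request->attributes->get($this->cookieName));
+        $usageIndexReference = $usageIndexValue;
     }
 
     public function onKernelResponse(ResponseEvent $event): void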
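Review bot: The usage-index swap on new lines 217–220 reads like a bug at first sight (a reference is set to `\PHP_INT_MIN` and then restored) and needs a why-comment above it, e.g. `// Neutralise the session usage counter while storing the strategy, so that this write alone does not mark the session as used.`; the intent is inferred from the names here, so confirm it against Session::getUsageIndex() before wording the comment. The `instanceof Session` check on line 217 relies on `Session` being imported at the top of the file, which is outside this hunk; if it is not, the check silently resolves against the current namespace, is always false, and the counter is left untouched. The early return on lines 210–214 also silently skips persistence when a session exists but is not started, which looks intended (no session is created just to store the strategy) but is worth stating in the method's docblock so callers do not expect persistence without a started session.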

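--- a/src/Symfony/Component/Security/Csrf/Tests/SameOriginCsrfTokenManagerTest.php
+++ b/src/Symfony/Component/Security/Csrf/Tests/SameOriginCsrfTokenManagerTest.php
@@ -207,9 +207,11 @@ public function testClearCookies()
         $this->assertTrue($response->headers->has('Set-Cookie'));
     }
 
-    public function testPersistStrategyWithSession()
+    public function testPersistStrategyWithStartedSession()
     {
         $session = $this->createMock(Session::class);
+        $session->method('isStarted')->willReturn(true);
+
         $request = new Request();
         $request->setSession($session);
         $request->attributes->set('csrf-token', 2 << 8);
@@ -219,6 +221,19 @@ public function testPersistStrategyWithSession()
         $this->csrfTokenManager->persistStrategy($request);
     }
 
+    public function testPersistStrategyWithSessionNotStarted()
+    {
+        $session = $this->createMock(Session::class);
+
+        $request = new Request();
+        $request->setSession($session);
+        $request->attributes->set('csrf-token', 2 << 8);
+
+        $session->expects($this->never())->method('set');
+
+        $this->csrfTokenManager->persistStrategy($request);
+    }
+
     public function testOnKernelResponse()
     {
         $request = new Request([], [], ['csrf-token' => 2], ['csrf-token_test' => 'csrf-token']);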
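Review bot: testPersistStrategyWithSessionNotStarted (new lines 224–235) relies on the mock's default return for `isStarted()` being false rather than stating it, which leaves the test's premise implicit and fragile should the mock defaults change; add `$session->method('isStarted')->willReturn(false);` right after the createMock call, mirroring the started-session test above. The `expects($this->never())->method('set')` expectation already covers the behaviour under test, so no further assertion is needed.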
