Merge branch '5.4' into 6.0

nicolas-grekas · nicolas-grekas · commit 95e9e9cdc457 · 2022-03-24T18:11:42.000+01:00
* 5.4:
  [Serializer] Fix denormalizing union types
  bug #42637 [Security] Fixed TOCTOU in RememberMe cache token verifier
  Add missing upgrade note for ldap
  [Mailer] Preserve case of headers
diff --git a/Authentication/RememberMe/CacheTokenVerifier.php b/Authentication/RememberMe/CacheTokenVerifier.php
@@ -45,11 +45,11 @@ public function verifyToken(PersistentTokenInterface $token, string $tokenValue)
         }
 
         $cacheKey = $this->getCacheKey($token);
-        if (!$this->cache->hasItem($cacheKey)) {
+        $item = $this->cache->getItem($cacheKey);
+        if (!$item->isHit()) {
             return false;
         }
 
-        $item = $this->cache->getItem($cacheKey);
         $outdatedToken = $item->get();
 
         return hash_equals($outdatedToken, $tokenValue);

Original file line number	Diff line number	Diff line change
`@@ -45,11 +45,11 @@ public function verifyToken(PersistentTokenInterface $token, string $tokenValue)`
`45`	`45`	`}`
`46`	`46`
`47`	`47`	`$cacheKey = $this->getCacheKey($token);`
`48`		`- if (!$this->cache->hasItem($cacheKey)) {`
	`48`	`+ $item = $this->cache->getItem($cacheKey);`
	`49`	`+ if (!$item->isHit()) {`
`49`	`50`	`return false;`
`50`	`51`	`}`
`51`	`52`
`52`		`- $item = $this->cache->getItem($cacheKey);`
`53`	`53`	`$outdatedToken = $item->get();`
`54`	`54`
`55`	`55`	`return hash_equals($outdatedToken, $tokenValue);`