Merge branch '5.4' into 6.3

nicolas-grekas · nicolas-grekas · commit 19f7b5f5d208 · 2023-11-09T22:20:12.000+01:00
* 5.4:
  [TwigBridge] Add integration tests on twig code helpers
  [TwigBridge] Ensure CodeExtension's filters properly escape their input
  do not emit an error if an issue suppression handler was not used
  [Security] Fix possible session fixation when only the *token* changes
  [HttpClient] fix missing dep
  Update VERSION for 4.4.50
  Update CHANGELOG for 4.4.50
diff --git a/EventListener/SessionStrategyListener.php b/EventListener/SessionStrategyListener.php
@@ -47,7 +47,7 @@ public function onSuccessfulLogin(LoginSuccessEvent $event): void
             $user = $token->getUserIdentifier();
             $previousUser = $previousToken->getUserIdentifier();
 
-            if ('' !== ($user ?? '') && $user === $previousUser) {
+            if ('' !== ($user ?? '') && $user === $previousUser && \get_class($token) === \get_class($previousToken)) {
                 return;
             }
         }
diff --git a/Tests/EventListener/SessionStrategyListenerTest.php b/Tests/EventListener/SessionStrategyListenerTest.php
@@ -15,6 +15,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 use Symfony\Component\Security\Core\Authentication\Token\NullToken;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\User\InMemoryUser;
 use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
@@ -81,6 +82,26 @@ public function testRequestWithSamePreviousUser()
         $this->listener->onSuccessfulLogin($event);
     }
 
+    public function testRequestWithSamePreviousUserButDifferentTokenType()
+    {
+        $this->configurePreviousSession();
+
+        $token = $this->createMock(NullToken::class);
+        $token->expects($this->once())
+            ->method('getUserIdentifier')
+            ->willReturn('test');
+        $previousToken = $this->createMock(UsernamePasswordToken::class);
+        $previousToken->expects($this->once())
+            ->method('getUserIdentifier')
+            ->willReturn('test');
+
+        $this->sessionAuthenticationStrategy->expects($this->once())->method('onAuthentication')->with($this->request, $token);
+
+        $event = new LoginSuccessEvent($this->createMock(AuthenticatorInterface::class), new SelfValidatingPassport(new UserBadge('test', function () {})), $token, $this->request, null, 'main_firewall', $previousToken);
+
+        $this->listener->onSuccessfulLogin($event);
+    }
+
     private function createEvent($firewallName)
     {
         return new LoginSuccessEvent($this->createMock(AuthenticatorInterface::class), new SelfValidatingPassport(new UserBadge('test', fn ($username) => new InMemoryUser($username, null))), $this->token, $this->request, null, $firewallName);

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ public function onSuccessfulLogin(LoginSuccessEvent $event): void`
`47`	`47`	`$user = $token->getUserIdentifier();`
`48`	`48`	`$previousUser = $previousToken->getUserIdentifier();`
`49`	`49`
`50`		`- if ('' !== ($user ?? '') && $user === $previousUser) {`
	`50`	`+ if ('' !== ($user ?? '') && $user === $previousUser && \get_class($token) === \get_class($previousToken)) {`
`51`	`51`	`return;`
`52`	`52`	`}`
`53`	`53`	`}`