Merge branch '6.4' into 7.0

nicolas-grekas · nicolas-grekas · commit a4f432b43f68 · 2023-07-13T16:59:16.000+02:00
* 6.4:
  Update FileProfilerStorage.php
  [Security] Allow custom scheme to be used as redirection URIs
  [Validator] Do not mock metadata factory on debug command tests
  [HttpKernel][WebProfilerBundle] Fix search feature
  [ErrorHandler] Avoid compile crash while trying to find candidate when a class is not found
  [Security] Make `PersistentToken` immutable and tell `TokenProviderInterface::updateToken()` implementations should accept `DateTimeInterface`
  do not listen to signals if the pcntl extension is missing
  [DependencyInjection] Improve reporting named autowiring aliases
  [DependencyInjection] Make better use of memory and CPU during auto-discovery
  update Intl component to take into account B-variant when converting Alpha3 to Alpha2. fixing issue with Darwin.
  [VarDumper] Fix dumping `ArrayObject` with `DumpDataCollector`
  [VarDumper] Add tests to demonstrate a bug when dumping ArrayObject with full stack fmk
  [DebugBundle][FrameworkBundle] Fix using the framework without the Console component
  [FrameworkBundle] Add missing monolog channel tag to the `messenger:failed:retry` command
  fetch all known ChoiceType values at once
  [RateLimiter] fix incorrect retryAfter of FixedWindow
  Fix Finder phpdoc
  [TwigBundle] Allow omitting the `autoescape_service_method` option when `autoescape_service` is set to an invokable service id
  [PropertyAccess] Auto-cast from/to DateTime/Immutable when appropriate
diff --git a/HttpUtils.php b/HttpUtils.php
@@ -135,7 +135,9 @@ public function checkRequestPath(Request $request, string $path): bool
      */
     public function generateUri(Request $request, string $path): string
     {
-        if (str_starts_with($path, 'http') || !$path) {
+        $url = parse_url($path);
+
+        if ('' === $path || isset($url['scheme'], $url['host'])) {
             return $path;
         }
 
diff --git a/RememberMe/PersistentRememberMeHandler.php b/RememberMe/PersistentRememberMeHandler.php
@@ -51,7 +51,7 @@ public function createRememberMeCookie(UserInterface $user): void
         $series = random_bytes(66);
         $tokenValue = strtr(base64_encode(substr($series, 33)), '+/=', '-_~');
         $series = strtr(base64_encode(substr($series, 0, 33)), '+/=', '-_~');
-        $token = new PersistentToken($user::class, $user->getUserIdentifier(), $series, $tokenValue, new \DateTime());
+        $token = new PersistentToken($user::class, $user->getUserIdentifier(), $series, $tokenValue, new \DateTimeImmutable());
 
         $this->tokenProvider->createNewToken($token);
         $this->createCookie(RememberMeDetails::fromPersistentToken($token, time() + $this->options['lifetime']));
@@ -85,7 +85,7 @@ public function consumeRememberMeCookie(RememberMeDetails $rememberMeDetails): U
     public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInterface $user): void
     {
         [$lastUsed, $series, $tokenValue, $class] = explode(':', $rememberMeDetails->getValue(), 4);
-        $persistentToken = new PersistentToken($class, $rememberMeDetails->getUserIdentifier(), $series, $tokenValue, new \DateTime('@'.$lastUsed));
+        $persistentToken = new PersistentToken($class, $rememberMeDetails->getUserIdentifier(), $series, $tokenValue, new \DateTimeImmutable('@'.$lastUsed));
 
         // if a token was regenerated less than a minute ago, there is no need to regenerate it
         // if multiple concurrent requests reauthenticate a user we do not want to update the token several times
diff --git a/Tests/HttpUtilsTest.php b/Tests/HttpUtilsTest.php
@@ -58,6 +58,54 @@ public function testCreateRedirectResponseWithRequestsDomain()
         $this->assertTrue($response->isRedirect('http://localhost/blog'));
     }
 
+    /**
+     * @dataProvider validRequestDomainUrls
+     */
+    public function testCreateRedirectResponse(?string $domainRegexp, string $path, string $expectedRedirectUri)
+    {
+        $utils = new HttpUtils($this->getUrlGenerator(), null, $domainRegexp);
+        $response = $utils->createRedirectResponse($this->getRequest(), $path);
+
+        $this->assertTrue($response->isRedirect($expectedRedirectUri));
+        $this->assertEquals(302, $response->getStatusCode());
+    }
+
+    public static function validRequestDomainUrls()
+    {
+        return [
+            '/foobar' => [
+                null,
+                '/foobar',
+                'http://localhost/foobar',
+            ],
+            'http://symfony.com/ without domain regex' => [
+                null,
+                'http://symfony.com/',
+                'http://symfony.com/',
+            ],
+            'http://localhost/blog with #^https?://symfony\.com$#i' => [
+                '#^https?://symfony\.com$#i',
+                'http://symfony.com/blog',
+                'http://symfony.com/blog',
+            ],
+            'http://localhost/blog with #^https?://%s$#i' => [
+                '#^https?://%s$#i',
+                'http://localhost/blog',
+                'http://localhost/blog',
+            ],
+            'custom scheme' => [
+                null,
+                'android-app://com.google.android.gm/',
+                'android-app://com.google.android.gm/',
+            ],
+            'custom scheme with all URL components' => [
+                null,
+                'android-app://foo:bar@www.example.com:8080/software/index.html?lite=true#section1',
+                'android-app://foo:bar@www.example.com:8080/software/index.html?lite=true#section1',
+            ],
+        ];
+    }
+
     /**
      * @dataProvider badRequestDomainUrls
      */
@@ -77,6 +125,7 @@ public static function badRequestDomainUrls()
             ['http:/\\pirate.net/foo'],
             ['http:\\/pirate.net/foo'],
             ['http://////pirate.net/foo'],
+            ['http:///foo'],
         ];
     }
 
diff --git a/Tests/RememberMe/PersistentRememberMeHandlerTest.php b/Tests/RememberMe/PersistentRememberMeHandlerTest.php
@@ -78,7 +78,7 @@ public function testConsumeRememberMeCookieValid()
         $this->tokenProvider->expects($this->any())
             ->method('loadTokenBySeries')
             ->with('series1')
-            ->willReturn(new PersistentToken(InMemoryUser::class, 'wouter', 'series1', 'tokenvalue', new \DateTime('-10 min')))
+            ->willReturn(new PersistentToken(InMemoryUser::class, 'wouter', 'series1', 'tokenvalue', new \DateTimeImmutable('-10 min')))
         ;
 
         $this->tokenProvider->expects($this->once())->method('updateToken')->with('series1');
@@ -106,7 +106,7 @@ public function testConsumeRememberMeCookieValidByValidatorWithoutUpdate()
         $verifier = $this->createMock(TokenVerifierInterface::class);
         $handler = new PersistentRememberMeHandler($this->tokenProvider, $this->userProvider, $this->requestStack, [], null, $verifier);
 
-        $persistentToken = new PersistentToken(InMemoryUser::class, 'wouter', 'series1', 'tokenvalue', new \DateTime('30 seconds'));
+        $persistentToken = new PersistentToken(InMemoryUser::class, 'wouter', 'series1', 'tokenvalue', new \DateTimeImmutable('30 seconds'));
 
         $this->tokenProvider->expects($this->any())
             ->method('loadTokenBySeries')
@@ -133,7 +133,7 @@ public function testConsumeRememberMeCookieInvalidToken()
         $this->tokenProvider->expects($this->any())
             ->method('loadTokenBySeries')
             ->with('series1')
-            ->willReturn(new PersistentToken(InMemoryUser::class, 'wouter', 'series1', 'tokenvalue1', new \DateTime('-10 min')));
+            ->willReturn(new PersistentToken(InMemoryUser::class, 'wouter', 'series1', 'tokenvalue1', new \DateTimeImmutable('-10 min')));
 
         $this->tokenProvider->expects($this->never())->method('updateToken')->with('series1');
 
@@ -148,7 +148,7 @@ public function testConsumeRememberMeCookieExpired()
         $this->tokenProvider->expects($this->any())
             ->method('loadTokenBySeries')
             ->with('series1')
-            ->willReturn(new PersistentToken(InMemoryUser::class, 'wouter', 'series1', 'tokenvalue', new \DateTime('@'.(time() - (31536000 + 1)))));
+            ->willReturn(new PersistentToken(InMemoryUser::class, 'wouter', 'series1', 'tokenvalue', new \DateTimeImmutable('@'.(time() - (31536000 + 1)))));
 
         $this->tokenProvider->expects($this->never())->method('updateToken')->with('series1');
 
@@ -160,7 +160,7 @@ public function testBase64EncodedTokens()
         $this->tokenProvider->expects($this->any())
             ->method('loadTokenBySeries')
             ->with('series1')
-            ->willReturn(new PersistentToken(InMemoryUser::class, 'wouter', 'series1', 'tokenvalue', new \DateTime('-10 min')))
+            ->willReturn(new PersistentToken(InMemoryUser::class, 'wouter', 'series1', 'tokenvalue', new \DateTimeImmutable('-10 min')))
         ;
 
         $this->tokenProvider->expects($this->once())->method('updateToken')->with('series1');

Original file line number	Diff line number	Diff line change
`@@ -135,7 +135,9 @@ public function checkRequestPath(Request $request, string $path): bool`
`135`	`135`	`*/`
`136`	`136`	`public function generateUri(Request $request, string $path): string`
`137`	`137`	`{`
`138`		`- if (str_starts_with($path, 'http') \|\| !$path) {`
	`138`	`+ $url = parse_url($path);`
	`139`	`+`
	`140`	`+ if ('' === $path \|\| isset($url['scheme'], $url['host'])) {`
`139`	`141`	`return $path;`
`140`	`142`	`}`
`141`	`143`