Merge branch '5.4' into 6.0

nicolas-grekas · nicolas-grekas · commit feeeebb645cb · 2022-11-30T18:16:57.000+01:00
* 5.4:
  [Notifier] Fix markdown
  Update PR template
  Bump Symfony version to 5.4.17
  Update VERSION for 5.4.16
  Update CHANGELOG for 5.4.16
  Update VERSION for 4.4.49
  Update CONTRIBUTORS for 4.4.49
  Update CHANGELOG for 4.4.49
  [Security][LoginLink] Throw InvalidLoginLinkException on missing parameter
diff --git a/LoginLink/LoginLinkHandler.php b/LoginLink/LoginLinkHandler.php
@@ -89,8 +89,12 @@ public function consumeLoginLink(Request $request): UserInterface
             throw new InvalidLoginLinkException('User not found.', 0, $exception);
         }
 
-        $hash = $request->get('hash');
-        $expires = $request->get('expires');
+        if (!$hash = $request->get('hash')) {
+            throw new InvalidLoginLinkException('Missing "hash" parameter.');
+        }
+        if (!$expires = $request->get('expires')) {
+            throw new InvalidLoginLinkException('Missing "expires" parameter.');
+        }
 
         try {
             $this->signatureHasher->verifySignatureHash($user, $expires, $hash);
diff --git a/Tests/LoginLink/LoginLinkHandlerTest.php b/Tests/LoginLink/LoginLinkHandlerTest.php
@@ -182,6 +182,30 @@ public function testConsumeLoginLinkExceedsMaxUsage()
         $linker->consumeLoginLink($request);
     }
 
+    public function testConsumeLoginLinkWithMissingHash()
+    {
+        $user = new TestLoginLinkHandlerUser('weaverryan', 'ryan@symfonycasts.com', 'pwhash');
+        $this->userProvider->createUser($user);
+
+        $this->expectException(InvalidLoginLinkException::class);
+        $request = Request::create('/login/verify?user=weaverryan&expires=10000');
+
+        $linker = $this->createLinker();
+        $linker->consumeLoginLink($request);
+    }
+
+    public function testConsumeLoginLinkWithMissingExpiration()
+    {
+        $user = new TestLoginLinkHandlerUser('weaverryan', 'ryan@symfonycasts.com', 'pwhash');
+        $this->userProvider->createUser($user);
+
+        $this->expectException(InvalidLoginLinkException::class);
+        $request = Request::create('/login/verify?user=weaverryan&hash=thehash');
+
+        $linker = $this->createLinker();
+        $linker->consumeLoginLink($request);
+    }
+
     private function createSignatureHash(string $username, int $expires, array $extraFields): string
     {
         $fields = [base64_encode($username), $expires];
