Merge branch '2.8' into 3.3

* 2.8:
  [appveyor] set memory_limit=-1
  [Router] Skip anonymous classes when loading annotated routes
  Fixed Request::__toString ignoring cookies
  [Security] Fix fatal error on non string username

Author: nicolas-grekas

Http/Firewall/ContextListener.php

@@ -43,8 +43,6 @@ class ContextListener implements ListenerInterface
     private $registered;
     private $trustResolver;
 
-    private static $unserializeExceptionCode = 0x37313bc;
-
     public function __construct(TokenStorageInterface $tokenStorage, array $userProviders, $contextKey, LoggerInterface $logger = null, EventDispatcherInterface $dispatcher = null, AuthenticationTrustResolverInterface $trustResolver = null)
     {
         if (empty($contextKey)) {
@@ -185,7 +183,7 @@ private function safelyUnserialize($serializedToken)
         $prevUnserializeHandler = ini_set('unserialize_callback_func', __CLASS__.'::handleUnserializeCallback');
         $prevErrorHandler = set_error_handler(function ($type, $msg, $file, $line, $context = array()) use (&$prevErrorHandler) {
             if (__FILE__ === $file) {
-                throw new \UnexpectedValueException($msg, self::$unserializeExceptionCode);
+                throw new \UnexpectedValueException($msg, 0x37313bc);
             }
 
             return $prevErrorHandler ? $prevErrorHandler($type, $msg, $file, $line, $context) : false;
@@ -199,7 +197,7 @@ private function safelyUnserialize($serializedToken)
         restore_error_handler();
         ini_set('unserialize_callback_func', $prevUnserializeHandler);
         if ($e) {
-            if (!$e instanceof \UnexpectedValueException || self::$unserializeExceptionCode !== $e->getCode()) {
+            if (!$e instanceof \UnexpectedValueException || 0x37313bc !== $e->getCode()) {
                 throw $e;
             }
             if ($this->logger) {
@@ -215,6 +213,6 @@ private function safelyUnserialize($serializedToken)
      */
     public static function handleUnserializeCallback($class)
     {
-        throw new \UnexpectedValueException('Class not found: '.$class, self::$unserializeExceptionCode);
+        throw new \UnexpectedValueException('Class not found: '.$class, 0x37313bc);
     }
 }

Http/Firewall/SimpleFormAuthenticationListener.php

@@ -13,6 +13,7 @@
 
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
 use Symfony\Component\Security\Csrf\CsrfToken;
 use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
@@ -98,15 +99,17 @@ protected function attemptAuthentication(Request $request)
             }
         }
 
-        if ($this->options['post_only']) {
-            $username = trim(ParameterBagUtils::getParameterBagValue($request->request, $this->options['username_parameter']));
-            $password = ParameterBagUtils::getParameterBagValue($request->request, $this->options['password_parameter']);
-        } else {
-            $username = trim(ParameterBagUtils::getRequestParameterValue($request, $this->options['username_parameter']));
-            $password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
+        $requestBag = $this->options['post_only'] ? $request->request : $request;
+        $username = ParameterBagUtils::getParameterBagValue($requestBag, $this->options['username_parameter']);
+        $password = ParameterBagUtils::getParameterBagValue($requestBag, $this->options['password_parameter']);
+
+        if (!\is_string($username) || (\is_object($username) && !\method_exists($username, '__toString'))) {
+            throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['username_parameter'], \gettype($username)));
         }
 
-        if (strlen($username) > Security::MAX_USERNAME_LENGTH) {
+        $username = trim($username);
+
+        if (\strlen($username) > Security::MAX_USERNAME_LENGTH) {
             throw new BadCredentialsException('Invalid username.');
         }
 

Http/Firewall/UsernamePasswordFormAuthenticationListener.php

@@ -13,6 +13,7 @@
 
 use Symfony\Component\HttpFoundation\Request;
 use Psr\Log\LoggerInterface;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\Security\Csrf\CsrfToken;
 use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
@@ -76,14 +77,16 @@ protected function attemptAuthentication(Request $request)
             }
         }
 
-        if ($this->options['post_only']) {
-            $username = trim(ParameterBagUtils::getParameterBagValue($request->request, $this->options['username_parameter']));
-            $password = ParameterBagUtils::getParameterBagValue($request->request, $this->options['password_parameter']);
-        } else {
-            $username = trim(ParameterBagUtils::getRequestParameterValue($request, $this->options['username_parameter']));
-            $password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
+        $requestBag = $this->options['post_only'] ? $request->request : $request;
+        $username = ParameterBagUtils::getParameterBagValue($requestBag, $this->options['username_parameter']);
+        $password = ParameterBagUtils::getParameterBagValue($requestBag, $this->options['password_parameter']);
+
+        if (!\is_string($username) || (\is_object($username) && !\method_exists($username, '__toString'))) {
+            throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['username_parameter'], \gettype($username)));
         }
 
+        $username = trim($username);
+
         if (strlen($username) > Security::MAX_USERNAME_LENGTH) {
             throw new BadCredentialsException('Invalid username.');
         }

Http/Tests/Firewall/UsernamePasswordFormAuthenticationListenerTest.php

@@ -14,8 +14,15 @@
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
-use Symfony\Component\Security\Http\Firewall\UsernamePasswordFormAuthenticationListener;
+use Symfony\Component\HttpKernel\Event\GetResponseEvent;
+use Symfony\Component\HttpKernel\HttpKernelInterface;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Security;
+use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationFailureHandler;
+use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationSuccessHandler;
+use Symfony\Component\Security\Http\Firewall\UsernamePasswordFormAuthenticationListener;
+use Symfony\Component\Security\Http\HttpUtils;
+use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy;
 
 class UsernamePasswordFormAuthenticationListenerTest extends TestCase
 {
@@ -69,6 +76,31 @@ public function testHandleWhenUsernameLength($username, $ok)
         $listener->handle($event);
     }
 
+    /**
+     * @expectedException \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
+     * @expectedExceptionMessage The key "_username" must be a string, "array" given.
+     */
+    public function testHandleNonStringUsername()
+    {
+        $request = Request::create('/login_check', 'POST', array('_username' => array()));
+        $request->setSession($this->getMockBuilder('Symfony\Component\HttpFoundation\Session\SessionInterface')->getMock());
+
+        $listener = new UsernamePasswordFormAuthenticationListener(
+            new TokenStorage(),
+            $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface')->getMock(),
+            new SessionAuthenticationStrategy(SessionAuthenticationStrategy::NONE),
+            $httpUtils = new HttpUtils(),
+            'foo',
+            new DefaultAuthenticationSuccessHandler($httpUtils),
+            new DefaultAuthenticationFailureHandler($this->getMockBuilder('Symfony\Component\HttpKernel\HttpKernelInterface')->getMock(), $httpUtils),
+            array('require_previous_session' => false)
+        );
+
+        $event = new GetResponseEvent($this->getMockBuilder('Symfony\Component\HttpKernel\HttpKernelInterface')->getMock(), $request, HttpKernelInterface::MASTER_REQUEST);
+
+        $listener->handle($event);
+    }
+
     public function getUsernameForLength()
     {
         return array(