bug #35792 [Security] Prevent TypeError in case RememberMetoken has n…

…o attached user (nikophil) This PR was merged into the 3.4 branch. Discussion ---------- [Security] Prevent TypeError in case RememberMetoken has no attached user | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #33472 | License | MIT Commits ------- 3515793 fix remember me
symfony · Feb 20, 2020 · aa3637d · aa3637d
2 parents 212841b + 3515793
commit aa3637d
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/...fony/Component/Security/Core/Authentication/Provider/RememberMeAuthenticationProvider.php b/...fony/Component/Security/Core/Authentication/Provider/RememberMeAuthenticationProvider.php
@@ -15,7 +15,9 @@
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Core\Exception\LogicException;
 use Symfony\Component\Security\Core\User\UserCheckerInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
 
 class RememberMeAuthenticationProvider implements AuthenticationProviderInterface
 {
@@ -49,6 +51,11 @@ public function authenticate(TokenInterface $token)
         }
 
         $user = $token->getUser();
+
+        if (!$token->getUser() instanceof UserInterface) {
+            throw new LogicException(sprintf('Method "%s::getUser()" must return a "%s" instance, "%s" returned.', \get_class($token), UserInterface::class, \is_object($user) ? \get_class($user) : \gettype($user)));
+        }
+
         $this->userChecker->checkPreAuth($user);
         $this->userChecker->checkPostAuth($user);
 

diff --git a/...nent/Security/Core/Tests/Authentication/Provider/RememberMeAuthenticationProviderTest.php b/...nent/Security/Core/Tests/Authentication/Provider/RememberMeAuthenticationProviderTest.php
@@ -13,8 +13,10 @@
 
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\Security\Core\Authentication\Provider\RememberMeAuthenticationProvider;
+use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
 use Symfony\Component\Security\Core\Exception\DisabledException;
 use Symfony\Component\Security\Core\Role\Role;
+use Symfony\Component\Security\Core\User\User;
 
 class RememberMeAuthenticationProviderTest extends TestCase
 {
@@ -24,6 +26,7 @@ public function testSupports()
 
         $this->assertTrue($provider->supports($this->getSupportedToken()));
         $this->assertFalse($provider->supports($this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\TokenInterface')->getMock()));
+        $this->assertFalse($provider->supports($this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\RememberMeToken')->disableOriginalConstructor()->getMock()));
     }
 
     public function testAuthenticateWhenTokenIsNotSupported()
@@ -45,6 +48,17 @@ public function testAuthenticateWhenSecretsDoNotMatch()
         $provider->authenticate($token);
     }
 
+    public function testAuthenticateThrowsOnNonUserInterfaceInstance()
+    {
+        $this->expectException('Symfony\Component\Security\Core\Exception\LogicException');
+        $this->expectExceptionMessage('Method "Symfony\Component\Security\Core\Authentication\Token\RememberMeToken::getUser()" must return a "Symfony\Component\Security\Core\User\UserInterface" instance, "string" returned.');
+
+        $provider = $this->getProvider();
+        $token = new RememberMeToken(new User('dummyuser', null), 'foo', 'test');
+        $token->setUser('stringish-user');
+        $provider->authenticate($token);
+    }
+
     public function testAuthenticateWhenPreChecksFails()
     {
         $this->expectException('Symfony\Component\Security\Core\Exception\DisabledException');