[SecurityBundle] fix accepting env vars in remember-me configurations #36483

Merged
merged 1 commit into from Apr 18, 2020


@zek (Contributor) commented Apr 17, 2020

| Q | A |
| --- | --- |
| Branch? | 3.4 |
| Bug fix? | yes |
| New feature? | no |
| Deprecations? | no |
| Tickets | Fix #36271 |
| License | MIT |
| Doc PR | - |

As @wouterj explained we cannot use env variables after #35910 merged.

Hmm, so I'm guessing this is what happens:

  • lifetime is now an integerNode()
  • For the Config component (which IIRC doesn't know anything about env variables), you're passing a string: "%env(int:REMEMBER_ME_COOKIE_LIFETIME)%"
  • This throws an error, although if it wouldn't, the DI component would successfully process the string into an integer before it's used by any PHP class.

So we either make Config aware of environment variables (that's probably a huge feature) or we revert the integerNode() changes (as you suggested).

@HeahDude am I mislooking something, or would reverting these 2 lines not result in much harm? (only a little less strict config processor)

@@ -143,11 +143,10 @@ public function addConfiguration(NodeDefinition $node)
->booleanNode('catch_exceptions')->defaultTrue()->end()
;

// Be carefull! We should call scalarNode otherwise can't use `env variables` in configuration.
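
Review bot: the trailing comment line in this hunk ("// Be carefull! We should call scalarNode otherwise can't use `env variables` in configuration.") is the only guard against a later cleanup switching these options back to a typed node, and a comment is not enforced by CI. Replace it with a regression test that processes a remember-me configuration whose lifetime is "%env(int:REMEMBER_ME_COOKIE_LIFETIME)%" and asserts that no exception is thrown. If the comment stays, fix the spelling ("careful") and name the options it applies to, since the visible lines do not show which node definitions follow it. Because a scalar node accepts any scalar value, it is also worth confirming that a non-integer lifetime is still rejected somewhere before it is used.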
Member


should be removed and replaced by a non-regression test instead :)

@nicolas-grekas changed the title "[Security] Revert Changes that causes bug" → "[Security] fix accepting env vars in remember_me configurations" Apr 18, 2020
@nicolas-grekas changed the title "[Security] fix accepting env vars in remember_me configurations" → "[Security] fix accepting env vars in remember-me configurations" Apr 18, 2020
@nicolas-grekas changed the title "[Security] fix accepting env vars in remember-me configurations" → "[SecurityBundle] fix accepting env vars in remember-me configurations" Apr 18, 2020
@nicolas-grekas
Member

Thank you @zek.

@nicolas-grekas merged commit a347a84 into symfony:3.4 Apr 18, 2020
This was referenced Apr 28, 2020
@zek deleted the 3.4 branch June 22, 2020 12:15