bug #60785 [Security] Handle non-callable implementations of FirewallListenerInterface (MatTheCat)

nicolas-grekas · nicolas-grekas · commit 333978b0b442 · 2025-06-15T11:55:19.000+02:00
This PR was merged into the 6.4 branch. Discussion ---------- [Security] Handle non-callable implementations of `FirewallListenerInterface` | Q | A | ------------- | --- | Branch? | 6.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Issues | Fix #60614 (comment) | License | MIT Commits ------- fbcbabd [Security] Handle non-callable implementations of `FirewallListenerInterface`
diff --git a/src/Symfony/Component/Security/Http/Firewall.php b/src/Symfony/Component/Security/Http/Firewall.php
@@ -125,7 +125,11 @@ public static function getSubscribedEvents()
     protected function callListeners(RequestEvent $event, iterable $listeners)
     {
         foreach ($listeners as $listener) {
-            $listener($event);
+            if (!$listener instanceof FirewallListenerInterface) {
+                $listener($event);
+            } elseif (false !== $listener->supports($event->getRequest())) {
+                $listener->authenticate($event);
+            }
 
             if ($event->hasResponse()) {
                 break;
diff --git a/src/Symfony/Component/Security/Http/Tests/FirewallTest.php b/src/Symfony/Component/Security/Http/Tests/FirewallTest.php
@@ -18,7 +18,9 @@
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\HttpKernel\HttpKernelInterface;
 use Symfony\Component\Security\Http\Firewall;
+use Symfony\Component\Security\Http\Firewall\AbstractListener;
 use Symfony\Component\Security\Http\Firewall\ExceptionListener;
+use Symfony\Component\Security\Http\Firewall\FirewallListenerInterface;
 use Symfony\Component\Security\Http\FirewallMapInterface;
 
 class FirewallTest extends TestCase
@@ -97,4 +99,59 @@ public function testOnKernelRequestWithSubRequest()
 
         $this->assertFalse($event->hasResponse());
     }
+
+    public function testListenersAreCalled()
+    {
+        $calledListeners = [];
+
+        $callableListener = static function() use(&$calledListeners) { $calledListeners[] = 'callableListener'; };
+        $firewallListener = new class($calledListeners) implements FirewallListenerInterface {
+            public function __construct(private array &$calledListeners) {}
+
+            public function supports(Request $request): ?bool
+            {
+                return true;
+            }
+
+            public function authenticate(RequestEvent $event): void
+            {
+                $this->calledListeners[] = 'firewallListener';
+            }
+
+            public static function getPriority(): int
+            {
+                return 0;
+            }
+        };
+        $callableFirewallListener = new class($calledListeners) extends AbstractListener {
+            public function __construct(private array &$calledListeners) {}
+
+            public function supports(Request $request): ?bool
+            {
+                return true;
+            }
+
+            public function authenticate(RequestEvent $event): void
+            {
+                $this->calledListeners[] = 'callableFirewallListener';
+            }
+        };
+
+        $request = $this->createMock(Request::class);
+
+        $map = $this->createMock(FirewallMapInterface::class);
+        $map
+            ->expects($this->once())
+            ->method('getListeners')
+            ->with($this->equalTo($request))
+            ->willReturn([[$callableListener, $firewallListener, $callableFirewallListener], null, null])
+        ;
+
+        $event = new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MAIN_REQUEST);
+
+        $firewall = new Firewall($map, $this->createMock(EventDispatcherInterface::class));
+        $firewall->onKernelRequest($event);
+
+        $this->assertSame(['callableListener', 'firewallListener', 'callableFirewallListener'], $calledListeners);
+    }
 }
