From 36c5df4589cfce22ab7dead0303a7eb1b146ff6d Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Fri, 8 Feb 2019 09:29:15 +0100 Subject: [PATCH] [SecurityBundle] Deprecate the normalization of the cookie names --- UPGRADE-5.0.md | 9 ++++++-- .../Bundle/SecurityBundle/CHANGELOG.md | 14 +++++++++--- .../DependencyInjection/MainConfiguration.php | 17 ++++++++++++++ .../CompleteConfigurationTest.php | 14 ++++++++++++ .../Fixtures/php/logout_delete_cookies.php | 21 ++++++++++++++++++ .../Fixtures/xml/logout_delete_cookies.xml | 22 +++++++++++++++++++ .../Fixtures/yml/logout_delete_cookies.yml | 15 +++++++++++++ 7 files changed, 107 insertions(+), 5 deletions(-) create mode 100644 src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/logout_delete_cookies.php create mode 100644 src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/logout_delete_cookies.xml create mode 100644 src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/logout_delete_cookies.yml diff --git a/UPGRADE-5.0.md b/UPGRADE-5.0.md index 58bb2035bc550..f576c87890532 100644 --- a/UPGRADE-5.0.md +++ b/UPGRADE-5.0.md @@ -192,7 +192,7 @@ HttpKernel * The `Kernel::getRootDir()` and the `kernel.root_dir` parameter have been removed * The `KernelInterface::getName()` and the `kernel.name` parameter have been removed * Removed the first and second constructor argument of `ConfigDataCollector` - * Removed `ConfigDataCollector::getApplicationName()` + * Removed `ConfigDataCollector::getApplicationName()` * Removed `ConfigDataCollector::getApplicationVersion()` Monolog 
@@ -278,6 +278,11 @@ SecurityBundle use Guard instead. * The `SimpleFormFactory` and `SimplePreAuthenticationFactory` classes have been removed, use Guard instead. + * The names of the cookies configured in the `logout.delete_cookies` option are + no longer normalized. If any of your cookie names has dashes they won't be + changed to underscores. + Before: `my-cookie` deleted the `my_cookie` cookie (with an underscore). + After: `my-cookie` deletes the `my-cookie` cookie (with a dash). Serializer ---------- @@ -326,5 +331,5 @@ Workflow Yaml ---- - * The parser is now stricter and will throw a `ParseException` when a + * The parser is now stricter and will throw a `ParseException` when a mapping is found inside a multi-line string. diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md index 812c22eab65eb..84219a99f08d1 100644 --- a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md +++ b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md @@ -1,10 +1,18 @@ CHANGELOG ========= +4.3.0 +----- + + * The normalization of the cookie names configured in the `logout.delete_cookies` + option is deprecated and will be disabled in Symfony 5.0. This affects to cookies + with dashes in their names. For example, starting from Symfony 5.0, the `my-cookie` + name will delete `my-cookie` (with a dash) instead of `my_cookie` (with an underscore). + 4.2.0 ----- - * Using the `security.authentication.trust_resolver.anonymous_class` and + * Using the `security.authentication.trust_resolver.anonymous_class` and `security.authentication.trust_resolver.rememberme_class` parameters to define the token classes is deprecated. To use custom tokens extend the existing `Symfony\Component\Security\Core\Authentication\Token\AnonymousToken`. 
@@ -17,7 +25,7 @@ CHANGELOG * Deprecated the `SimpleFormFactory` and `SimplePreAuthenticationFactory` classes, use Guard instead. * Added `port` in access_control * Added individual voter decisions to the profiler - + 4.1.0 ----- @@ -50,7 +58,7 @@ CHANGELOG * Tagging voters with the `security.voter` tag without implementing the `VoterInterface` on the class is now deprecated and will be removed in 4.0. * [BC BREAK] `FirewallContext::getListeners()` now returns `\Traversable|array` - * added info about called security listeners in profiler + * added info about called security listeners in profiler * Added `logout_on_user_change` to the firewall options. This config item will trigger a logout when the user has changed. Should be set to true to avoid deprecations in the configuration. diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php index c8334313a5c61..6b3ba9e8fdbfb 100644 --- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php +++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php 
@@ -218,10 +218,27 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
 ->fixXmlConfig('delete_cookie')
 ->children()
 ->arrayNode('delete_cookies')
+ ->normalizeKeys(false)
 ->beforeNormalization()
 ->ifTrue(function ($v) { return \is_array($v) && \is_int(key($v)); })
 ->then(function ($v) { return array_map(function ($v) { return ['name' => $v]; }, $v); })
 ->end()
+ ->beforeNormalization()
+ ->ifArray()->then(function ($v) {
+ foreach ($v as $originalName => $cookieConfig) {
+ if (false !== strpos($originalName, '-')) {
+ $normalizedName = str_replace('-', '_', $originalName);
+ @trigger_error(sprintf('Normalization of cookie names is deprecated since Symfony 4.3. Starting from Symfony 5.0, the "%s" cookie configured in "logout.delete_cookies" will delete the "%s" cookie instead of the "%s" cookie.', $originalName, $originalName, $normalizedName), E_USER_DEPRECATED);
+
+ // normalize cookie names manually for BC reasons. Remove it in Symfony 5.0.
+ $v[$normalizedName] = $cookieConfig;
+ unset($v[$originalName]);
+ }
+ }
+
+ return $v;
+ })
+ ->end()
 ->useAttributeAsKey('name')
 ->prototype('array')
 ->children()
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
index c2511ff280d5f..f9102edfb07bf 100644
--- a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
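Review bot: The BC loop in the second `beforeNormalization()` closure renames every key containing a dash and assigns `$v[$normalizedName] = $cookieConfig` without checking whether that key is already configured, so a config listing both `my-cookie` and `my_cookie` silently loses one entry's settings. It also rewrites mixed names such as `cookie3-long_name`; if the Config component's own key normalization leaves keys that already contain an underscore untouched (worth confirming in `ArrayNode::preNormalize()`), this is a behaviour change in 4.3 rather than a preserved one, and a cookie that was cleared on logout before would no longer be cleared. Consider narrowing the condition to `if (false !== strpos($originalName, '-') && false === strpos($originalName, '_') && !\array_key_exists($normalizedName = str_replace('-', '_', $originalName), $v)) {`. The test hunk in CompleteConfigurationTest.php pins the broader behaviour (`cookie3_long_name`) and would need the same adjustment. The enclosing `addFirewallsSection()` starts and ends outside the hunk.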
@@ -506,6 +506,20 @@ public function testSimpleAuth() ]], $listeners); } + /** + * @group legacy + * @expectedDeprecation Normalization of cookie names is deprecated since Symfony 4.3. Starting from Symfony 5.0, the "cookie1-name" cookie configured in "logout.delete_cookies" will delete the "cookie1-name" cookie instead of the "cookie1_name" cookie. + * @expectedDeprecation Normalization of cookie names is deprecated since Symfony 4.3. Starting from Symfony 5.0, the "cookie3-long_name" cookie configured in "logout.delete_cookies" will delete the "cookie3-long_name" cookie instead of the "cookie3_long_name" cookie. + */ + public function testLogoutDeleteCookieNamesNormalization() + { + $container = $this->getContainer('logout_delete_cookies'); + $cookiesToDelete = $container->getDefinition('security.logout.handler.cookie_clearing.main')->getArgument(0); + $expectedCookieNames = ['cookie2_name', 'cookie1_name', 'cookie3_long_name']; + + $this->assertSame($expectedCookieNames, array_keys($cookiesToDelete)); + } + protected function getContainer($file) { $file .= '.'.$this->getFileExtension(); diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/logout_delete_cookies.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/logout_delete_cookies.php new file mode 100644 index 0000000000000..8ffe12e3eb929 --- /dev/null +++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/logout_delete_cookies.php @@ -0,0 +1,21 @@ +loadFromExtension('security', [ + 'providers' => [ + 'default' => ['id' => 'foo'], + ], + + 'firewalls' => [ + 'main' => [ + 'provider' => 'default', + 'form_login' => true, + 'logout' => [ + 'delete_cookies' => [ + 'cookie1-name' => true, + 'cookie2_name' => true, + 'cookie3-long_name' => ['path' => '/'], + ], + ], + ], + ], +]); 
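Review bot: `testLogoutDeleteCookieNamesNormalization()` checks only `array_keys($cookiesToDelete)`, so it would still pass if the rename dropped or replaced the per-cookie settings that the fixtures define for `cookie3-long_name` (`path: '/'`). Since a wrong path means the browser keeps the cookie after logout, assert the value as well, e.g. `$this->assertSame('/', $cookiesToDelete['cookie3_long_name']['path']);`, assuming the handler argument keeps the `path` key under each name. A fixture entry that configures both a dashed name and its underscore twin would also document what happens on collision.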
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/logout_delete_cookies.xml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/logout_delete_cookies.xml new file mode 100644 index 0000000000000..3243650c3294a --- /dev/null +++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/logout_delete_cookies.xml @@ -0,0 +1,22 @@ + + + + + + + + + + + + + + + + + + + diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/logout_delete_cookies.yml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/logout_delete_cookies.yml new file mode 100644 index 0000000000000..09bea8c13ab37 --- /dev/null +++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/logout_delete_cookies.yml @@ -0,0 +1,15 @@ +security: + providers: + default: + id: foo + + firewalls: + main: + provider: default + form_login: true + logout: + delete_cookies: + cookie1-name: ~ + cookie2_name: ~ + cookie3-long_name: + path: '/' pFad - Phonifier reborn
