Count cookie parts before accessing the second

symfony · Aug 23, 2022 · 3ca3eb2 · 3ca3eb2
1 parent 447f8b5
commit 3ca3eb2
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/RememberMe/RememberMeDetails.php b/RememberMe/RememberMeDetails.php
@@ -37,12 +37,12 @@ public function __construct(string $userFqcn, string $userIdentifier, int $expir
     public static function fromRawCookie(string $rawCookie): self
     {
         $cookieParts = explode(self::COOKIE_DELIMITER, base64_decode($rawCookie), 4);
-        if (false === $cookieParts[1] = base64_decode($cookieParts[1], true)) {
-            throw new AuthenticationException('The user identifier contains a character from outside the base64 alphabet.');
-        }
         if (4 !== \count($cookieParts)) {
             throw new AuthenticationException('The cookie contains invalid data.');
         }
+        if (false === $cookieParts[1] = base64_decode($cookieParts[1], true)) {
+            throw new AuthenticationException('The user identifier contains a character from outside the base64 alphabet.');
+        }
 
         return new static(...$cookieParts);
     }

diff --git a/Tests/Authenticator/RememberMeAuthenticatorTest.php b/Tests/Authenticator/RememberMeAuthenticatorTest.php
@@ -89,4 +89,12 @@ public function testAuthenticateWithoutOldToken()
         $request = Request::create('/', 'GET', [], ['_remember_me_cookie' => base64_encode('foo:bar')]);
         $this->authenticator->authenticate($request);
     }
+
+    public function testAuthenticateWithTokenWithoutDelimiter()
+    {
+        $this->expectException(AuthenticationException::class);
+
+        $request = Request::create('/', 'GET', [], ['_remember_me_cookie' => 'invalid']);
+        $this->authenticator->authenticate($request);
+    }
 }