Merge branch '7.2' into 7.3

xabbuh · xabbuh · commit 30b3bf7b6653 · 2025-05-07T10:12:56.000+02:00
* 7.2:
  properly skip signal test if the pcntl extension is not installed
  ensure that all supported e-mail validation modes can be configured
  [Security][LoginLink] Throw InvalidLoginLinkException on invalid parameters
  don't hardcode OS-depending constant values
diff --git a/LoginLink/LoginLinkHandler.php b/LoginLink/LoginLinkHandler.php
@@ -84,9 +84,16 @@ public function consumeLoginLink(Request $request): UserInterface
         if (!$hash = $request->get('hash')) {
             throw new InvalidLoginLinkException('Missing "hash" parameter.');
         }
+        if (!is_string($hash)) {
+            throw new InvalidLoginLinkException('Invalid "hash" parameter.');
+        }
+
         if (!$expires = $request->get('expires')) {
             throw new InvalidLoginLinkException('Missing "expires" parameter.');
         }
+        if (preg_match('/^\d+$/', $expires) !== 1) {
+            throw new InvalidLoginLinkException('Invalid "expires" parameter.');
+        }
 
         try {
             $this->signatureHasher->acceptSignatureHash($userIdentifier, $expires, $hash);
diff --git a/Tests/LoginLink/LoginLinkHandlerTest.php b/Tests/LoginLink/LoginLinkHandlerTest.php
@@ -240,6 +240,30 @@ public function testConsumeLoginLinkWithMissingExpiration()
         $linker->consumeLoginLink($request);
     }
 
+    public function testConsumeLoginLinkWithInvalidExpiration()
+    {
+        $user = new TestLoginLinkHandlerUser('weaverryan', 'ryan@symfonycasts.com', 'pwhash');
+        $this->userProvider->createUser($user);
+
+        $this->expectException(InvalidLoginLinkException::class);
+        $request = Request::create('/login/verify?user=weaverryan&hash=thehash&expires=%E2%80%AA1000000000%E2%80%AC');
+
+        $linker = $this->createLinker();
+        $linker->consumeLoginLink($request);
+    }
+
+    public function testConsumeLoginLinkWithInvalidHash()
+    {
+        $user = new TestLoginLinkHandlerUser('weaverryan', 'ryan@symfonycasts.com', 'pwhash');
+        $this->userProvider->createUser($user);
+
+        $this->expectException(InvalidLoginLinkException::class);
+        $request = Request::create('/login/verify?user=weaverryan&hash[]=an&hash[]=array&expires=1000000000');
+
+        $linker = $this->createLinker();
+        $linker->consumeLoginLink($request);
+    }
+
     private function createSignatureHash(string $username, int $expires, array $extraFields = ['emailProperty' => 'ryan@symfonycasts.com', 'passwordProperty' => 'pwhash']): string
     {
         $hasher = new SignatureHasher($this->propertyAccessor, array_keys($extraFields), 's3cret');
