SessionManagerFactory + session validators via config makes validation always fail #7128
Conversation
| @@ -113,16 +112,14 @@ public function createService(ServiceLocatorInterface $services) | |||
| ) { | |||
| $managerConfig = array_merge($managerConfig, $configService['session_manager']); | |||
| } | |||
| // Attach validators to session manager, if any | |||
There was a problem hiding this comment.
why was this comment removed?
There was a problem hiding this comment.
The old code attached validators at that point ($chain->attach(...)). That code has been removed and there are no validators attached at that point anymore, which makes the comment obsolete.
|
Hi guys. Also i think what we should setup validators via So i created another patch for this issue: YDyachenko@feecb0a |
Can you specify where that happens? In my code nothing is attached at $this->setValidatorChain(new ValidatorChain($this->getStorage()));Perhaps you can post a failing unittest for that? That way it is easier to check if that actually happens. |
If session contains validators, they will be attached: Test: /**
* @runInSeparateProcess
*/
public function testFactoryDoesNotAttachValidatorTwoTimes()
{
$storage = new ArrayStorage();
$storage->setMetadata('_VALID', array(
'Zend\Session\Validator\RemoteAddr' => '127.0.0.1',
));
$this->services->setService('Zend\Session\Storage\StorageInterface', $storage);
$config = array(
'session_manager' => array(
'validators' => array(
'Zend\Session\Validator\RemoteAddr',
),
),
);
$this->services->setService('Config', $config);
$manager = $this->services->get('Zend\Session\ManagerInterface');
try {
$manager->start();
} catch (RuntimeException $e) {
// pass
}
$this->assertEquals(1, $manager->getValidatorChain()->getListeners('session.validate')->count());
}
|
Martin-P
force-pushed
the
hotfix/session-validators
branch
from
95cd0c3 to
9f2052f
Compare
|
Did a rebase because I encountered some merge conflicts. @YDyachenko Thanks! I added your test to this PR and fixed the issue for that specific test. |
| @@ -85,6 +88,8 @@ public function testFactoryWillAddValidatorViaConfiguration() | |||
| $this->services->setService('Config', $config); | |||
| $manager = $this->services->get('Zend\Session\ManagerInterface'); | |||
|
|
|||
| $manager->start(); | |||
There was a problem hiding this comment.
This changes the context for the test! The original test omitted it for a specific reason, based on the security issue we addressed.
There was a problem hiding this comment.
Please see the previous discussion: #7094 (comment)
That is why I said it is a BC break, because the validators are now attached after the session has started. This makes sense, because before the session has not started there is no session data to compare with and thus the validators always fail.
In my opening post #7128 (comment) I explained the tests always passed before the security fix and always fail after the security fix. The tests added to detect the security fix still pass, which shows this PR does not compromise the security fix in any way.
This test is not related to the security issue, because:
- If it was here to detect the security issue, it should have failed before the security issue was even addressed. It did not and it always passed the test.
- The commit which fixed the security issue changed nothing about this test: ddbf43a
SessionManagerFactory + session validators via config makes validation always fail
|
Merged to develop for release with 2.4. |
…fix/session-validators SessionManagerFactory + session validators via config makes validation always fail
When using
Zend\Session\Service\SessionManagerFactoryvalidators can be added via config:Before security fix ddbf43a validators always returned true. After the security fix validators always fail. This PR fixes that issue with
Zend\Session\Service\SessionManagerFactory(not to be confused with standalone usage ofZend\Session\SessionManager).It is the same fix as in #7094, but it got ignored because of the security issue.