Count cookie parts before accessing the second

MatTheCat · MatTheCat · commit 3ca3eb2a866a · 2022-08-23T12:55:18.000+02:00
diff --git a/RememberMe/RememberMeDetails.php b/RememberMe/RememberMeDetails.php
@@ -37,12 +37,12 @@ public function __construct(string $userFqcn, string $userIdentifier, int $expir
     public static function fromRawCookie(string $rawCookie): self
     {
         $cookieParts = explode(self::COOKIE_DELIMITER, base64_decode($rawCookie), 4);
-        if (false === $cookieParts[1] = base64_decode($cookieParts[1], true)) {
-            throw new AuthenticationException('The user identifier contains a character from outside the base64 alphabet.');
-        }
         if (4 !== \count($cookieParts)) {
             throw new AuthenticationException('The cookie contains invalid data.');
         }
+        if (false === $cookieParts[1] = base64_decode($cookieParts[1], true)) {
+            throw new AuthenticationException('The user identifier contains a character from outside the base64 alphabet.');
+        }
 
         return new static(...$cookieParts);
     }
diff --git a/Tests/Authenticator/RememberMeAuthenticatorTest.php b/Tests/Authenticator/RememberMeAuthenticatorTest.php
@@ -89,4 +89,12 @@ public function testAuthenticateWithoutOldToken()
         $request = Request::create('/', 'GET', [], ['_remember_me_cookie' => base64_encode('foo:bar')]);
         $this->authenticator->authenticate($request);
     }
+
+    public function testAuthenticateWithTokenWithoutDelimiter()
+    {
+        $this->expectException(AuthenticationException::class);
+
+        $request = Request::create('/', 'GET', [], ['_remember_me_cookie' => 'invalid']);
+        $this->authenticator->authenticate($request);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -37,12 +37,12 @@ public function __construct(string $userFqcn, string $userIdentifier, int $expir`
`37`	`37`	`public static function fromRawCookie(string $rawCookie): self`
`38`	`38`	`{`
`39`	`39`	`$cookieParts = explode(self::COOKIE_DELIMITER, base64_decode($rawCookie), 4);`
`40`		`- if (false === $cookieParts[1] = base64_decode($cookieParts[1], true)) {`
`41`		`- throw new AuthenticationException('The user identifier contains a character from outside the base64 alphabet.');`
`42`		`- }`
`43`	`40`	`if (4 !== \count($cookieParts)) {`
`44`	`41`	`throw new AuthenticationException('The cookie contains invalid data.');`
`45`	`42`	`}`
	`43`	`+ if (false === $cookieParts[1] = base64_decode($cookieParts[1], true)) {`
	`44`	`+ throw new AuthenticationException('The user identifier contains a character from outside the base64 alphabet.');`
	`45`	`+ }`
`46`	`46`
`47`	`47`	`return new static(...$cookieParts);`
`48`	`48`	`}`
Original file line number	Diff line number	Diff line change
`@@ -89,4 +89,12 @@ public function testAuthenticateWithoutOldToken()`
`89`	`89`	`$request = Request::create('/', 'GET', [], ['_remember_me_cookie' => base64_encode('foo:bar')]);`
`90`	`90`	`$this->authenticator->authenticate($request);`
`91`	`91`	`}`
	`92`	`+`
	`93`	`+ public function testAuthenticateWithTokenWithoutDelimiter()`
	`94`	`+ {`
	`95`	`+ $this->expectException(AuthenticationException::class);`
	`96`	`+`
	`97`	`+ $request = Request::create('/', 'GET', [], ['_remember_me_cookie' => 'invalid']);`
	`98`	`+ $this->authenticator->authenticate($request);`
	`99`	`+ }`
`92`	`100`	`}`