Merge branch '4.4' into 5.3

* 4.4:
  Don't produce TypeErrors for non-string CSRF tokens
  [HttpKernel] Fix SplFileInfo mock in HttpKernelBrowserTest
  Update NativeSessionStorage docblock to match defaults

Author: derrabus

Firewall/LogoutListener.php

@@ -113,7 +113,7 @@ public function authenticate(RequestEvent $event)
         if (null !== $this->csrfTokenManager) {
             $csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);
 
-            if (false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {
+            if (!\is_string($csrfToken) || false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {
                 throw new LogoutException('Invalid CSRF token.');
             }
         }

Firewall/UsernamePasswordFormAuthenticationListener.php

@@ -76,7 +76,7 @@ protected function attemptAuthentication(Request $request)
         if (null !== $this->csrfTokenManager) {
             $csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);
 
-            if (false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {
+            if (!\is_string($csrfToken) || false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {
                 throw new InvalidCsrfTokenException('Invalid CSRF token.');
             }
         }

Tests/Firewall/LogoutListenerTest.php

@@ -141,22 +141,27 @@ public function testNoResponseSet()
         $listener(new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MAIN_REQUEST));
     }
 
-    public function testCsrfValidationFails()
+    /**
+     * @dataProvider provideInvalidCsrfTokens
+     */
+    public function testCsrfValidationFails($invalidToken)
     {
         $this->expectException(LogoutException::class);
         $tokenManager = $this->getTokenManager();
 
         [$listener, , $httpUtils, $options] = $this->getListener(null, $tokenManager);
 
         $request = new Request();
-        $request->query->set('_csrf_token', 'token');
+        if (null !== $invalidToken) {
+            $request->query->set('_csrf_token', $invalidToken);
+        }
 
         $httpUtils->expects($this->once())
             ->method('checkRequestPath')
             ->with($request, $options['logout_path'])
             ->willReturn(true);
 
-        $tokenManager->expects($this->once())
+        $tokenManager
             ->method('isTokenValid')
             ->willReturn(false);
 
@@ -199,6 +204,15 @@ public function testLegacyLogoutHandlers()
         $this->assertSame($response, $event->getResponse());
     }
 
+    public function provideInvalidCsrfTokens(): array
+    {
+        return [
+            ['invalid'],
+            [['in' => 'valid']],
+            [null],
+        ];
+    }
+
     private function getTokenManager()
     {
         return $this->createMock(CsrfTokenManagerInterface::class);

Tests/Firewall/UsernamePasswordFormAuthenticationListenerTest.php

@@ -24,6 +24,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Security;
+use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
 use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationFailureHandler;
 use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationSuccessHandler;
@@ -40,7 +41,7 @@ class UsernamePasswordFormAuthenticationListenerTest extends TestCase
     /**
      * @dataProvider getUsernameForLength
      */
-    public function testHandleWhenUsernameLength($username, $ok)
+    public function testHandleWhenUsernameLength(string $username, bool $ok)
     {
         $request = Request::create('/login_check', 'POST', ['_username' => $username, '_password' => 'symfony']);
         $request->setSession($this->createMock(SessionInterface::class));
@@ -87,10 +88,8 @@ public function testHandleWhenUsernameLength($username, $ok)
     /**
      * @dataProvider postOnlyDataProvider
      */
-    public function testHandleNonStringUsernameWithArray($postOnly)
+    public function testHandleNonStringUsernameWithArray(bool $postOnly)
     {
-        $this->expectException(BadRequestHttpException::class);
-        $this->expectExceptionMessage('The key "_username" must be a string, "array" given.');
         $request = Request::create('/login_check', 'POST', ['_username' => []]);
         $request->setSession($this->createMock(SessionInterface::class));
         $listener = new UsernamePasswordFormAuthenticationListener(
@@ -104,16 +103,18 @@ public function testHandleNonStringUsernameWithArray($postOnly)
             ['require_previous_session' => false, 'post_only' => $postOnly]
         );
         $event = new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MAIN_REQUEST);
+
+        $this->expectException(BadRequestHttpException::class);
+        $this->expectExceptionMessage('The key "_username" must be a string, "array" given.');
+
         $listener($event);
     }
 
     /**
      * @dataProvider postOnlyDataProvider
      */
-    public function testHandleNonStringUsernameWithInt($postOnly)
+    public function testHandleNonStringUsernameWithInt(bool $postOnly)
     {
-        $this->expectException(BadRequestHttpException::class);
-        $this->expectExceptionMessage('The key "_username" must be a string, "int" given.');
         $request = Request::create('/login_check', 'POST', ['_username' => 42]);
         $request->setSession($this->createMock(SessionInterface::class));
         $listener = new UsernamePasswordFormAuthenticationListener(
@@ -127,16 +128,18 @@ public function testHandleNonStringUsernameWithInt($postOnly)
             ['require_previous_session' => false, 'post_only' => $postOnly]
         );
         $event = new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MAIN_REQUEST);
+
+        $this->expectException(BadRequestHttpException::class);
+        $this->expectExceptionMessage('The key "_username" must be a string, "int" given.');
+
         $listener($event);
     }
 
     /**
      * @dataProvider postOnlyDataProvider
      */
-    public function testHandleNonStringUsernameWithObject($postOnly)
+    public function testHandleNonStringUsernameWithObject(bool $postOnly)
     {
-        $this->expectException(BadRequestHttpException::class);
-        $this->expectExceptionMessage('The key "_username" must be a string, "stdClass" given.');
         $request = Request::create('/login_check', 'POST', ['_username' => new \stdClass()]);
         $request->setSession($this->createMock(SessionInterface::class));
         $listener = new UsernamePasswordFormAuthenticationListener(
@@ -150,13 +153,17 @@ public function testHandleNonStringUsernameWithObject($postOnly)
             ['require_previous_session' => false, 'post_only' => $postOnly]
         );
         $event = new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MAIN_REQUEST);
+
+        $this->expectException(BadRequestHttpException::class);
+        $this->expectExceptionMessage('The key "_username" must be a string, "stdClass" given.');
+
         $listener($event);
     }
 
     /**
      * @dataProvider postOnlyDataProvider
      */
-    public function testHandleNonStringUsernameWith__toString($postOnly)
+    public function testHandleNonStringUsernameWith__toString(bool $postOnly)
     {
         $usernameClass = $this->createMock(DummyUserClass::class);
         $usernameClass
@@ -204,21 +211,86 @@ public function testHandleWhenPasswordAreNull($postOnly)
         $listener($event);
     }
 
-    public function postOnlyDataProvider()
+    /**
+     * @dataProvider provideInvalidCsrfTokens
+     */
+    public function testInvalidCsrfToken($invalidToken)
+    {
+        $formBody = ['_username' => 'fabien', '_password' => 'symfony'];
+        if (null !== $invalidToken) {
+            $formBody['_csrf_token'] = $invalidToken;
+        }
+
+        $request = Request::create('/login_check', 'POST', $formBody);
+        $request->setSession($this->createMock(SessionInterface::class));
+
+        $httpUtils = $this->createMock(HttpUtils::class);
+        $httpUtils
+            ->method('checkRequestPath')
+            ->willReturn(true)
+        ;
+        $httpUtils
+            ->method('createRedirectResponse')
+            ->willReturn(new RedirectResponse('/hello'))
+        ;
+
+        $failureHandler = $this->createMock(AuthenticationFailureHandlerInterface::class);
+        $failureHandler
+            ->expects($this->once())
+            ->method('onAuthenticationFailure')
+            ->willReturn(new Response())
+        ;
+
+        $authenticationManager = $this->createMock(AuthenticationProviderManager::class);
+        $authenticationManager
+            ->expects($this->never())
+            ->method('authenticate')
+        ;
+
+        $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
+        $csrfTokenManager->method('isTokenValid')->willReturn(false);
+
+        $listener = new UsernamePasswordFormAuthenticationListener(
+            $this->createMock(TokenStorageInterface::class),
+            $authenticationManager,
+            $this->createMock(SessionAuthenticationStrategyInterface::class),
+            $httpUtils,
+            'TheProviderKey',
+            new DefaultAuthenticationSuccessHandler($httpUtils),
+            $failureHandler,
+            ['require_previous_session' => false],
+            null,
+            null,
+            $csrfTokenManager
+        );
+
+        $listener(new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MASTER_REQUEST));
+    }
+
+    public function postOnlyDataProvider(): array
     {
         return [
             [true],
             [false],
         ];
     }
 
-    public function getUsernameForLength()
+    public function getUsernameForLength(): array
     {
         return [
             [str_repeat('x', Security::MAX_USERNAME_LENGTH + 1), false],
             [str_repeat('x', Security::MAX_USERNAME_LENGTH - 1), true],
         ];
     }
+
+    public function provideInvalidCsrfTokens(): array
+    {
+        return [
+            ['invalid'],
+            [['in' => 'valid']],
+            [null],
+        ];
+    }
 }
 
 class DummyUserClass