[Security] Complain about an empty decision strategy #29981

Merged
merged 1 commit into from Feb 21, 2019

@corphi corphi commented Jan 24, 2019

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

When an empty string is passed (or objects with a similarly behaving `__toString()` method) to the constructor, the call to `decide` causes infinite recursion.

corphi commented Jan 26, 2019

The actual issue is of course that the method names are not prefix-free.

@xabbuh xabbuh left a comment

I think we should rather check that the passed value is not an empty string. The proposed solution has the drawback that it will fail again in the future if we introduce a doDecide() method for whatever reason.
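
The failure described in this thread and the empty-string check requested in review, shown as an added PHP sketch that is not code from the pull request or from Symfony. The class `StrategyDispatcher`, its `$rejectEmpty` switch, the "`decide` prefix plus capitalised strategy name" scheme, `EmptyName` and `tryStrategy()` are assumptions made for illustration.

```php
<?php
// Added illustration: simplified, hypothetical classes, not Symfony's own code.
final class StrategyDispatcher
{
    private $method;
    public function __construct($strategy, $rejectEmpty)
    {
        $strategy = (string) $strategy; // also invokes __toString() on objects
        // Hardened form: '' would map to 'decide' itself, which is callable,
        // so the callable check below cannot catch it.
        if ($rejectEmpty && '' === $strategy) {
            throw new InvalidArgumentException('The strategy must not be empty.');
        }
        $method = 'decide'.ucfirst($strategy);
        if (!is_callable([$this, $method])) {
            throw new InvalidArgumentException(sprintf('Unsupported strategy "%s".', $strategy));
        }
        $this->method = $method;
    }

    public function decide(array $votes, $depth = 0)
    {
        // Demo-only depth guard: report the self-dispatch instead of exhausting the stack.
        if ($depth > 3) {
            throw new LogicException('decide() dispatched to itself');
        }
        return $this->{$this->method}($votes, $depth + 1);
    }

    private function decideAffirmative(array $votes, $depth)
    {
        return in_array(true, $votes, true);
    }
}
// Constructed input: an object whose string form is empty.
final class EmptyName { public function __toString() { return ''; } }

function tryStrategy($strategy, $rejectEmpty)
{
    try {
        return var_export((new StrategyDispatcher($strategy, $rejectEmpty))->decide([false, true]), true);
    } catch (Exception $e) {
        return get_class($e).': '.$e->getMessage();
    }
}
// Left column: constructor without the empty check; right column: with it.
foreach (['affirmative', '', new EmptyName()] as $strategy) {
    echo tryStrategy($strategy, false), ' | ', tryStrategy($strategy, true), "\n";
}
```

Rejecting the empty value at construction time moves the failure to where the misconfiguration is introduced, so it cannot surface later as unbounded recursion during an access decision.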

corphi commented Feb 19, 2019

I applied the requested changes; the label didn’t change, though.

fabpot commented Feb 21, 2019

Thank you @corphi.

@fabpot fabpot merged commit 3a22cad into symfony:3.4 Feb 21, 2019
fabpot added a commit that referenced this pull request Feb 21, 2019
This PR was merged into the 3.4 branch.

Discussion
----------

[Security] Complain about an empty decision strategy

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

When an empty string is passed (or objects with a similarly behaving `__toString()` method) to the constructor, the call to `decide` causes infinite recursion.

Commits
-------

3a22cad Fix infinite recursion when passed an empty string
@corphi corphi deleted the fix-infinite-recursion branch February 21, 2019 22:23
This was referenced Mar 3, 2019