Merge pull request #107 from Saeven/feature/strpos-defense

Patches an in-the-wild attack vector that doesn't yield a vulnerabili…

Author: Saeven

src/Service/AuthenticationService.php

@@ -43,6 +43,7 @@
 use function hash_equals;
 use function hash_hmac;
 use function is_numeric;
+use function is_scalar;
 use function password_hash;
 use function password_needs_rehash;
 use function password_verify;
@@ -498,14 +499,15 @@ private function purgeHashCookies(?string $skipCookie = null)
         $sp = session_get_cookie_params();
         $killTime = time() - 3600;
         foreach ($_COOKIE as $cookieName => $value) {
-            if ($cookieName !== $skipCookie && strpos($cookieName, self::COOKIE_HASH_PREFIX) !== false) {
+            if ($cookieName !== $skipCookie && is_scalar($cookieName) && strpos((string) $cookieName, self::COOKIE_HASH_PREFIX) !== false) {
                 setcookie($cookieName, '', $killTime, '/', $sp['domain'], false, true);
             }
         }
     }
 
     /**
      * @param User $user Used by some password checkers to provide better checking
+     *
      * @throws WeakPasswordException
      */
     private function enforcePasswordStrength(string $password, User $user)
@@ -521,6 +523,7 @@ private function enforcePasswordStrength(string $password, User $user)
      *
      * @param User   $user        The user to whom this password gets assigned
      * @param string $newPassword Cleartext password that's being hashed
+     *
      * @throws NoSuchUserException
      * @throws WeakPasswordException
      */
@@ -544,6 +547,7 @@ public function resetPassword(User $user, string $newPassword)
      *
      * @param User   $user     The user to validate password for
      * @param string $password Cleartext password that'w will be verified
+     *
      * @throws PersistedUserRequiredException
      * @throws UserWithoutAuthenticationRecordException
      */