security #cve-2021-32693 [SecurityHttp] Fix "Authentication granted with multiple firewalls" (wouterj)

This PR was merged into the 5.3 branch.

Author: nicolas-grekas

Tests/Functional/AuthenticatorTest.php

@@ -87,4 +87,17 @@ public function provideEmailsWithFirewalls()
         yield ['[email protected]', 'main'];
         yield ['[email protected]', 'custom'];
     }
+
+    public function testMultipleFirewalls()
+    {
+        $client = $this->createClient(['test_case' => 'Authenticator', 'root_config' => 'multiple_firewalls.yml']);
+
+        $client->request('POST', '/firewall1/login', [
+            '_username' => '[email protected]',
+            '_password' => 'test',
+        ]);
+
+        $client->request('GET', '/firewall2/profile');
+        $this->assertResponseRedirects('http://localhost/login');
+    }
 }

Tests/Functional/app/Authenticator/multiple_firewalls.yml

@@ -0,0 +1,17 @@
+imports:
+- { resource: ./config.yml }
+- { resource: ./security.yml }
+
+security:
+    enable_authenticator_manager: true
+    firewalls:
+        firewall1:
+            pattern: /firewall1
+            provider: in_memory
+            form_login:
+                check_path: /firewall1/login
+        firewall2:
+            pattern: /firewall2
+            provider: in_memory2
+            form_login:
+                check_path: /firewall2/login

Tests/Functional/app/Authenticator/routing.yml

@@ -18,3 +18,11 @@ security_main_profile:
 security_custom_profile:
     path:     /custom/user_profile
     defaults: { _controller: Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\AuthenticatorBundle\SecurityController::profileAction }
+
+firewall1_login:
+    path: /firewall1/login
+
+firewall2_profile:
+    path: /firewall2/profile
+    defaults:
+        _controller: Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\AuthenticatorBundle\ProfileController

composer.json

@@ -29,7 +29,7 @@
         "symfony/security-core": "^5.3",
         "symfony/security-csrf": "^4.4|^5.0",
         "symfony/security-guard": "^5.3",
-        "symfony/security-http": "^5.3"
+        "symfony/security-http": "^5.3.2"
     },
     "require-dev": {
         "doctrine/annotations": "^1.10.4",