bug #41737 [Security] Fix special char used to create cache key (jderusse)

This PR was merged into the 5.3 branch.

Discussion
----------

[Security] Fix special char used to create cache key

| Q             | A
| ------------- | ---
| Branch?       | 5.3
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | -
| License       | MIT
| Doc PR        | -

The remember Me token's `series` property might contains special chars: because it has been generated with `$series = base64_encode(random_bytes(64));`.

When using this identifier to create cache items, users get Exception `Cache key "foo+bar/baz==" contains reserved characters "{}()/\@:".`

This PR sanitize the property before using it as cache key

Commits
-------

fc9e9ff7a1 Fix special char used to create cache key

Author: wouterj

Authentication/RememberMe/CacheTokenVerifier.php

@@ -43,11 +43,12 @@ public function verifyToken(PersistentTokenInterface $token, string $tokenValue)
             return true;
         }
 
-        if (!$this->cache->hasItem($this->cacheKeyPrefix.$token->getSeries())) {
+        $cacheKey = $this->getCacheKey($token);
+        if (!$this->cache->hasItem($cacheKey)) {
             return false;
         }
 
-        $item = $this->cache->getItem($this->cacheKeyPrefix.$token->getSeries());
+        $item = $this->cache->getItem($cacheKey);
         $outdatedToken = $item->get();
 
         return hash_equals($outdatedToken, $tokenValue);
@@ -60,9 +61,14 @@ public function updateExistingToken(PersistentTokenInterface $token, string $tok
     {
         // When a token gets updated, persist the outdated token for $outdatedTokenTtl seconds so we can
         // still accept it as valid in verifyToken
-        $item = $this->cache->getItem($this->cacheKeyPrefix.$token->getSeries());
+        $item = $this->cache->getItem($this->getCacheKey($token));
         $item->set($token->getTokenValue());
         $item->expiresAfter($this->outdatedTokenTtl);
         $this->cache->save($item);
     }
+
+    private function getCacheKey(PersistentTokenInterface $token): string
+    {
+        return $this->cacheKeyPrefix.rawurlencode($token->getSeries());
+    }
 }

Tests/Authentication/RememberMe/CacheTokenVerifierTest.php

@@ -21,22 +21,22 @@ class CacheTokenVerifierTest extends TestCase
     public function testVerifyCurrentToken()
     {
         $verifier = new CacheTokenVerifier(new ArrayAdapter());
-        $token = new PersistentToken('class', 'user', 'series1', 'value', new \DateTime());
+        $token = new PersistentToken('class', 'user', 'series1@special:chars=/', 'value', new \DateTime());
         $this->assertTrue($verifier->verifyToken($token, 'value'));
     }
 
     public function testVerifyFailsInvalidToken()
     {
         $verifier = new CacheTokenVerifier(new ArrayAdapter());
-        $token = new PersistentToken('class', 'user', 'series1', 'value', new \DateTime());
+        $token = new PersistentToken('class', 'user', 'series1@special:chars=/', 'value', new \DateTime());
         $this->assertFalse($verifier->verifyToken($token, 'wrong-value'));
     }
 
     public function testVerifyOutdatedToken()
     {
         $verifier = new CacheTokenVerifier(new ArrayAdapter());
-        $outdatedToken = new PersistentToken('class', 'user', 'series1', 'value', new \DateTime());
-        $newToken = new PersistentToken('class', 'user', 'series1', 'newvalue', new \DateTime());
+        $outdatedToken = new PersistentToken('class', 'user', 'series1@special:chars=/', 'value', new \DateTime());
+        $newToken = new PersistentToken('class', 'user', 'series1@special:chars=/', 'newvalue', new \DateTime());
         $verifier->updateExistingToken($outdatedToken, 'newvalue', new \DateTime());
         $this->assertTrue($verifier->verifyToken($newToken, 'value'));
     }