From f7f71450643c74344cc80e8540bb1d1f789bae6d Mon Sep 17 00:00:00 2001
From: Alexandre Lemaire
Date: Thu, 9 Mar 2023 09:31:34 -0500
Subject: [PATCH] Patches an in-the-wild attack vector that doesn't yield a vulnerability, but throws an error. "strpos() expects parameter 1 to be string, int given" Somehow, it is possible for $_COOKIE to return an integer type as key.
---
 src/Service/AuthenticationService.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/Service/AuthenticationService.php b/src/Service/AuthenticationService.php
index 2ea451c..dfda46c 100644
--- a/src/Service/AuthenticationService.php
+++ b/src/Service/AuthenticationService.php
@@ -43,6 +43,7 @@
 use function hash_equals;
 use function hash_hmac;
 use function is_numeric;
+use function is_scalar;
 use function password_hash;
 use function password_needs_rehash;
 use function password_verify;
@@ -498,7 +499,7 @@ private function purgeHashCookies(?string $skipCookie = null)
 $sp = session_get_cookie_params();
 $killTime = time() - 3600;
 foreach ($_COOKIE as $cookieName => $value) {
- if ($cookieName !== $skipCookie && strpos($cookieName, self::COOKIE_HASH_PREFIX) !== false) {
+ if ($cookieName !== $skipCookie && is_scalar($cookieName) && strpos((string) $cookieName, self::COOKIE_HASH_PREFIX) !== false) {
 setcookie($cookieName, '', $killTime, '/', $sp['domain'], false, true);
 }
 }
@@ -506,6 +507,7 @@ private function purgeHashCookies(?string $skipCookie = null)
 
 /**
 * @param User $user Used by some password checkers to provide better checking
+ *
 * @throws WeakPasswordException
 */
 private function enforcePasswordStrength(string $password, User $user)
@@ -521,6 +523,7 @@ private function enforcePasswordStrength(string $password, User $user)
 *
 * @param User $user The user to whom this password gets assigned
 * @param string $newPassword Cleartext password that's being hashed
+ *
 * @throws NoSuchUserException
 * @throws WeakPasswordException
 */
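Review bot: On the replaced `if` in purgeHashCookies, `is_scalar($cookieName)` can never be false, because a PHP array key is always an int or a string, so the only part of the change that addresses the reported TypeError is the `(string)` cast. The int key is not mysterious: PHP normalises decimal-integer string keys, so a request carrying a cookie named `123` lands in `$_COOKIE` under int key 123, and under strict_types (which the quoted PHP 7 message suggests is enabled in this file) that int reaches strpos() unconverted instead of being coerced. I would drop the redundant guard and record the reason once: `// PHP turns decimal-integer cookie names into int array keys; normalise before the string ops`, `$name = (string) $cookieName;`, `if ($name !== $skipCookie && strpos($name, self::COOKIE_HASH_PREFIX) !== false) {`, and pass `$name` to the setcookie() call as well, whose first parameter is likewise typed string. The method's signature and closing brace lie outside the hunk.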
@@ -544,6 +547,7 @@ public function resetPassword(User $user, string $newPassword)
 *
 * @param User $user The user to validate password for
 * @param string $password Cleartext password that'w will be verified
+ *
 * @throws PersistedUserRequiredException
 * @throws UserWithoutAuthenticationRecordException
 */