Merge branch '7.4' into 8.0

* 7.4:
  Fix generating logout link with stateless csrf
  [AssetMapper] Fix tests
  [Notifier] Add support for `confirm` option in Slack buttons API
  [DebugBundle] Wire `DumpDataCollector`'s `webMode` argument
  filter should be empty when filtering on all domains
  [Routing] Initialize `router.request_context`'s `_locale` parameter to `%kernel.default_locale%`

Author: nicolas-grekas

Firewall/LogoutListener.php

@@ -69,7 +69,7 @@ public function authenticate(RequestEvent $event): void
         $request = $event->getRequest();
 
         if (null !== $this->csrfTokenManager) {
-            $csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);
+            $csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter'], $request->request->all());
 
             if (!\is_string($csrfToken) || false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {
                 throw new LogoutException('Invalid CSRF token.');

Tests/Firewall/LogoutListenerTest.php

@@ -21,6 +21,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\LogoutException;
+use Symfony\Component\Security\Csrf\CsrfToken;
 use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Component\Security\Http\Event\LogoutEvent;
 use Symfony\Component\Security\Http\Firewall\LogoutListener;
@@ -82,6 +83,49 @@ public function testHandleMatchedPathWithCsrfValidation()
         $this->assertSame($response, $event->getResponse());
     }
 
+    public function testHandleMatchedPathWithCsrfInQueryParamAndBody()
+    {
+        $tokenManager = $this->getTokenManager();
+        $dispatcher = $this->getEventDispatcher();
+
+        [$listener, $tokenStorage, $httpUtils, $options] = $this->getListener($dispatcher, $tokenManager);
+
+        $request = new Request();
+        $request->query->set('_csrf_token', 'token');
+        $request->request->set('_csrf_token', 'token2');
+
+        $httpUtils->expects($this->once())
+            ->method('checkRequestPath')
+            ->with($request, $options['logout_path'])
+            ->willReturn(true);
+
+        $tokenManager->expects($this->once())
+            ->method('isTokenValid')
+            ->with($this->callback(function ($token) {
+                return $token instanceof CsrfToken && 'token2' === $token->getValue();
+            }))
+            ->willReturn(true);
+
+        $response = new Response();
+        $dispatcher->addListener(LogoutEvent::class, function (LogoutEvent $event) use ($response) {
+            $event->setResponse($response);
+        });
+
+        $tokenStorage->expects($this->once())
+            ->method('getToken')
+            ->willReturn($token = $this->getToken());
+
+        $tokenStorage->expects($this->once())
+            ->method('setToken')
+            ->with(null);
+
+        $event = new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MAIN_REQUEST);
+
+        $listener($event);
+
+        $this->assertSame($response, $event->getResponse());
+    }
+
     public function testHandleMatchedPathWithoutCsrfValidation()
     {
         $dispatcher = $this->getEventDispatcher();