Merge branch '4.3' into 4.4

* 4.3:
  [Intl] Update the ICU data to 65.1 (4.3 branch)
  Replace deprecated calls in tests
  [Intl] Update the ICU data to 65.1
  Delete 5_Security_issue.md
  [DI] Whitelist validator.auto_mapper in UnusedTagsPass
  [HttpClient] Fixed #33832 NO_PROXY option ignored in NativeHttpClient::request() method
  [Cache] give 100ms before starting the expiration countdown
  [Cache] fix logger usage in CacheTrait::doGet()
  [VarDumper] fix dumping uninitialized SplFileInfo
  Added missing translations.
  Fixed invalid changelog 4.0.0 for VarDumper
  Fixed invalid VarDumper upgrade doc.
  [HttpFoundation] Check if data passed to SessionBagProxy::initialize is an array
  Don't let falsey usernames slip through

Author: nicolas-grekas

Firewall/SwitchUserListener.php

@@ -82,9 +82,16 @@ public function __construct(TokenStorageInterface $tokenStorage, UserProviderInt
     public function __invoke(RequestEvent $event)
     {
         $request = $event->getRequest();
-        $username = $request->get($this->usernameParameter) ?: $request->headers->get($this->usernameParameter);
 
-        if (!$username) {
+        // usernames can be falsy
+        $username = $request->get($this->usernameParameter);
+
+        if (null === $username || '' === $username) {
+            $username = $request->headers->get($this->usernameParameter);
+        }
+
+        // if it's still "empty", nothing to do.
+        if (null === $username || '' === $username) {
             return;
         }
 

Tests/Firewall/SwitchUserListenerTest.php

@@ -212,6 +212,32 @@ public function testSwitchUser()
         $this->assertInstanceOf('Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken', $this->tokenStorage->getToken());
     }
 
+    public function testSwitchUserWorksWithFalsyUsernames()
+    {
+        $token = new UsernamePasswordToken('username', '', 'key', ['ROLE_FOO']);
+        $user = new User('username', 'password', []);
+
+        $this->tokenStorage->setToken($token);
+        $this->request->query->set('_switch_user', '0');
+
+        $this->accessDecisionManager->expects($this->once())
+            ->method('decide')->with($token, ['ROLE_ALLOWED_TO_SWITCH'])
+            ->willReturn(true);
+
+        $this->userProvider->expects($this->once())
+            ->method('loadUserByUsername')->with('0')
+            ->willReturn($user);
+        $this->userChecker->expects($this->once())
+            ->method('checkPostAuth')->with($user);
+
+        $listener = new SwitchUserListener($this->tokenStorage, $this->userProvider, $this->userChecker, 'provider123', $this->accessDecisionManager);
+        $listener($this->event);
+
+        $this->assertSame([], $this->request->query->all());
+        $this->assertSame('', $this->request->server->get('QUERY_STRING'));
+        $this->assertInstanceOf('Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken', $this->tokenStorage->getToken());
+    }
+
     public function testSwitchUserKeepsOtherQueryStringParameters()
     {
         $token = new UsernamePasswordToken('username', '', 'key', ['ROLE_FOO']);