From f0e6aae89ff3f64365eae25bf7ccbaefdfc9890b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Alfaiate?=
Date: Sat, 24 Aug 2024 10:57:07 +0700
Subject: [PATCH] [Security] Do not try to clear CSRF on stateless request

---
 .../CsrfTokenClearingLogoutListener.php | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/Symfony/Component/Security/Http/EventListener/CsrfTokenClearingLogoutListener.php b/src/Symfony/Component/Security/Http/EventListener/CsrfTokenClearingLogoutListener.php
index ec00bc1d9be6e..7dc7ecb80e513 100644
--- a/src/Symfony/Component/Security/Http/EventListener/CsrfTokenClearingLogoutListener.php
+++ b/src/Symfony/Component/Security/Http/EventListener/CsrfTokenClearingLogoutListener.php
@@ -11,10 +11,12 @@
 namespace Symfony\Component\Security\Http\EventListener;
+use Symfony\Bundle\SecurityBundle\Security\FirewallMap;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 use Symfony\Component\Security\Csrf\TokenStorage\ClearableTokenStorageInterface;
 use Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage;
 use Symfony\Component\Security\Http\Event\LogoutEvent;
+use Symfony\Component\Security\Http\FirewallMapInterface;
 /**
  * @author Christian Flothmann
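Review bot: The added `use Symfony\Bundle\SecurityBundle\Security\FirewallMap;` makes a listener in the Security Http component depend on a SecurityBundle class, reversing the usual bundle-depends-on-component direction; it exists only to support the `instanceof FirewallMap` probe in the onLogout hunk below. If that coupling is intended, a comment beside the import such as `// FirewallMapInterface exposes no per-request config; the bundle's FirewallMap is probed for the stateless flag` would make the layering choice explicit. Otherwise the stateless decision could be handed to the listener as a plain value or exposed through `FirewallMapInterface`, keeping the component free of bundle classes.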
@@ -24,15 +26,25 @@
 class CsrfTokenClearingLogoutListener implements EventSubscriberInterface
 {
     private ClearableTokenStorageInterface $csrfTokenStorage;
+    private FirewallMapInterface $map;
-    public function __construct(ClearableTokenStorageInterface $csrfTokenStorage)
+    public function __construct(ClearableTokenStorageInterface $csrfTokenStorage, FirewallMapInterface $map)
     {
         $this->csrfTokenStorage = $csrfTokenStorage;
+        $this->map = $map;
     }
     public function onLogout(LogoutEvent $event): void
     {
-        if ($this->csrfTokenStorage instanceof SessionTokenStorage && !$event->getRequest()->hasPreviousSession()) {
+        $request = $event->getRequest();
+
+        if (
+            $this->csrfTokenStorage instanceof SessionTokenStorage
+            && (
+                ($this->map instanceof FirewallMap && $this->map->getFirewallConfig($request)->isStateless())
+                || !$request->hasPreviousSession()
+            )
+        ) {
             return;
         }
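Review bot: `$this->map->getFirewallConfig($request)->isStateless()` is dereferenced unguarded; if `getFirewallConfig()` can return null for a request that no firewall matches (its SecurityBundle signature appears to be nullable), logout on such a request would throw instead of falling through to the `hasPreviousSession()` check, so the term should read `($this->map instanceof FirewallMap && $this->map->getFirewallConfig($request)?->isStateless())`. Separately, the constructor now requires a second argument, `FirewallMapInterface $map`, which breaks any code instantiating the listener directly; declaring it as `?FirewallMapInterface $map = null` (with the property typed `?FirewallMapInterface`) keeps the old signature working, since the `instanceof FirewallMap` probe already tolerates a non-matching value. onLogout's body continues outside the hunk.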