From 8fdd1e405797c82f1fafc143658e33f96fd9c4b4 Mon Sep 17 00:00:00 2001
From: Andrew Kharook
Date: Fri, 17 Mar 2017 14:11:20 +0200
Subject: [PATCH 1/5] Fix issue #62: Domain cookies are unavailable on subdomains
---
src/Plugin/CookiePlugin.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Plugin/CookiePlugin.php b/src/Plugin/CookiePlugin.php
index af306e5..881e199 100644
--- a/src/Plugin/CookiePlugin.php
+++ b/src/Plugin/CookiePlugin.php
@@ -69,7 +69,7 @@ public function handleRequest(RequestInterface $request, callable $next, callabl
}
// Restrict setting cookie from another domain
- if (false === strpos($cookie->getDomain(), $request->getUri()->getHost())) {
+ if (false === strpos($request->getUri()->getHost(), $cookie->getDomain())) {
continue;
}
From dc58a37afbf9224275dff5b7c612e6a2b93f133c Mon Sep 17 00:00:00 2001
From: Andrew Kharook
Date: Fri, 17 Mar 2017 14:26:18 +0200
Subject: [PATCH 2/5] Fix issue #62: Update changelog
---
CHANGELOG.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1ce351a..88d71bd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@
### Fixed
+- `CookiePlugin` allows main domain cookies to be sent/stored for subdomains
- `DecoderPlugin` uses the right `FilteredStream` to handle `deflate` content encoding
## 1.4.1 - 2017-02-20
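Review bot: The new condition on the `+` line is still a plain substring test — `strpos($host, $domain) !== false` accepts any host that merely contains the cookie domain somewhere in it, so a host like `hacktest.com`, or one carrying `test.com` as a middle label, passes for a cookie scoped to `test.com`. PATCH 4 in this series keeps the same weakness in its dot-prefixed `strpos` form (`.test.com` still occurs inside `.test.com.hacked.org`), and only the anchored match in PATCH 5 closes it, so the two intermediate states should not be tagged or released on their own. The enclosing function starts and ends outside the hunk.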
@@ -82,6 +82,41 @@ function it_does_not_load_cookie_if_domain_does_not_match(RequestInterface $requ
}, function () {});
}
+ function it_does_not_load_cookie_on_hackish_domains(RequestInterface $request, UriInterface $uri, Promise $promise)
+ {
+ $cookie = new Cookie('name', 'value', 86400, 'test.com');
+ $this->cookieJar->addCookie($cookie);
+
+ $request->getUri()->willReturn($uri);
+ $uri->getHost()->willReturn('hacktest.com');
+
+ $request->withAddedHeader('Cookie', 'name=value')->shouldNotBeCalled();
+
+ $this->handleRequest($request, function (RequestInterface $requestReceived) use ($request, $promise) {
+ if (Argument::is($requestReceived)->scoreArgument($request->getWrappedObject())) {
+ return $promise->getWrappedObject();
+ }
+ }, function () {});
+ }
+
+ function it_loads_cookie_on_subdomains(RequestInterface $request, UriInterface $uri, Promise $promise)
+ {
+ $cookie = new Cookie('name', 'value', 86400, 'test.com');
+ $this->cookieJar->addCookie($cookie);
+
+ $request->getUri()->willReturn($uri);
+ $uri->getHost()->willReturn('www.test.com');
+ $uri->getPath()->willReturn('/');
+
+ $request->withAddedHeader('Cookie', 'name=value')->willReturn($request);
+
+ $this->handleRequest($request, function (RequestInterface $requestReceived) use ($request, $promise) {
+ if (Argument::is($requestReceived)->scoreArgument($request->getWrappedObject())) {
+ return $promise->getWrappedObject();
+ }
+ }, function () {});
+ }
+
function it_does_not_load_cookie_if_path_does_not_match(RequestInterface $request, UriInterface $uri, Promise $promise)
{
$cookie = new Cookie('name', 'value', 86400, 'test.com', '/sub');
From 8a2dd2b6068c1887f4400dd4543e9b722d849c98 Mon Sep 17 00:00:00 2001
From: Andrew Kharook
Date: Wed, 22 Mar 2017 19:24:17 +0200
Subject: [PATCH 4/5] #62: Add more precise domain check
---
src/Plugin/CookiePlugin.php | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
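Review bot: `it_loads_cookie_on_subdomains` never asserts that the cookie was actually attached — `$request->withAddedHeader('Cookie', 'name=value')->willReturn($request)` only stubs the call, so the example also passes when the plugin skips the cookie, which is exactly the regression it is meant to catch. Turn the stub into an expectation: `$request->withAddedHeader('Cookie', 'name=value')->shouldBeCalled()->willReturn($request);`. The negative example `it_does_not_load_cookie_on_hackish_domains` is fine as written, since `shouldNotBeCalled()` is an expectation. The two closing lines at the top of the hunk belong to `it_does_not_load_cookie_if_domain_does_not_match`, which starts outside it.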
diff --git a/src/Plugin/CookiePlugin.php b/src/Plugin/CookiePlugin.php
index 881e199..407cb58 100644
--- a/src/Plugin/CookiePlugin.php
+++ b/src/Plugin/CookiePlugin.php
@@ -69,7 +69,11 @@ public function handleRequest(RequestInterface $request, callable $next, callabl
}
// Restrict setting cookie from another domain
- if (false === strpos($request->getUri()->getHost(), $cookie->getDomain())) {
+ if (false === strpos(
+ '.'.$request->getUri()->getHost(),
+ '.'.$cookie->getDomain()
+ )
+ ) {
continue;
}
From f5103f02766fd324b3a222ddfbbaf4791adc5055 Mon Sep 17 00:00:00 2001
From: Andrew Kharook
Date: Mon, 10 Jul 2017 15:28:40 +0300
Subject: [PATCH 5/5] #62 Adjust security check
---
spec/Plugin/CookiePluginSpec.php | 22 ++++++++++++++--------
src/Plugin/CookiePlugin.php | 6 +-----
2 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/spec/Plugin/CookiePluginSpec.php b/spec/Plugin/CookiePluginSpec.php
index 7b8a149..675b8bc 100644
--- a/spec/Plugin/CookiePluginSpec.php
+++ b/spec/Plugin/CookiePluginSpec.php
@@ -84,19 +84,25 @@ function it_does_not_load_cookie_if_domain_does_not_match(RequestInterface $requ
function it_does_not_load_cookie_on_hackish_domains(RequestInterface $request, UriInterface $uri, Promise $promise)
{
+ $hackishDomains = [
+ 'hacktest.com',
+ 'test.com.hacked.org',
+ ];
$cookie = new Cookie('name', 'value', 86400, 'test.com');
$this->cookieJar->addCookie($cookie);
- $request->getUri()->willReturn($uri);
- $uri->getHost()->willReturn('hacktest.com');
+ foreach ($hackishDomains as $domain) {
+ $request->getUri()->willReturn($uri);
+ $uri->getHost()->willReturn($domain);
- $request->withAddedHeader('Cookie', 'name=value')->shouldNotBeCalled();
+ $request->withAddedHeader('Cookie', 'name=value')->shouldNotBeCalled();
- $this->handleRequest($request, function (RequestInterface $requestReceived) use ($request, $promise) {
- if (Argument::is($requestReceived)->scoreArgument($request->getWrappedObject())) {
- return $promise->getWrappedObject();
- }
- }, function () {});
+ $this->handleRequest($request, function (RequestInterface $requestReceived) use ($request, $promise) {
+ if (Argument::is($requestReceived)->scoreArgument($request->getWrappedObject())) {
+ return $promise->getWrappedObject();
+ }
+ }, function () {});
+ }
}
function it_loads_cookie_on_subdomains(RequestInterface $request, UriInterface $uri, Promise $promise)
diff --git a/src/Plugin/CookiePlugin.php b/src/Plugin/CookiePlugin.php
index 407cb58..8519fce 100644
--- a/src/Plugin/CookiePlugin.php
+++ b/src/Plugin/CookiePlugin.php
@@ -69,11 +69,7 @@ public function handleRequest(RequestInterface $request, callable $next, callabl
}
// Restrict setting cookie from another domain
- if (false === strpos(
- '.'.$request->getUri()->getHost(),
- '.'.$cookie->getDomain()
- )
- ) {
+ if (!preg_match("/\.{$cookie->getDomain()}$/", '.'.$request->getUri()->getHost())) {
continue;
}
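Review bot: The `foreach ($hackishDomains as $domain)` loop re-registers `$uri->getHost()->willReturn($domain)` on the same `$uri` double each iteration; Prophecy keeps the earlier `willReturn('hacktest.com')` promise alongside the new one, so which value the second iteration actually sees depends on how the double ranks matching method prophecies rather than on the loop order — and when the example fails, the report does not say which domain triggered it. One example per domain (or a fresh `$uri` double per iteration, e.g. via a prophesized `UriInterface` created inside the loop) keeps each case independent and identifiable. The repeated `$request->getUri()->willReturn($uri)` inside the loop is redundant and could stay above it.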
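Review bot: The `+` line interpolates `$cookie->getDomain()` into the pattern unescaped, and judging from the comment `Restrict setting cookie from another domain` this value appears to come from the response's Set-Cookie header rather than from the request, so the regex is built from server-supplied text (inferred — the header parsing is outside the hunk). An unescaped `.` matches any character instead of a literal dot, and a `/` or other metacharacter changes the pattern or makes `preg_match` return `false`, which `!` turns into a skip — fail-closed, but with a PHP warning on every such response. Quote the domain and anchor at the true end of the string, since `$` also matches before a trailing newline: `if (!preg_match('/\.'.preg_quote($cookie->getDomain(), '/').'\z/i', '.'.$request->getUri()->getHost())) {`; the `i` flag reflects case-insensitive cookie domain matching (RFC 6265 §5.1.3) and can be dropped if both values are lowercased upstream. The specs added in this series drive `handleRequest` with a cookie already in the jar, so if this check sits on the response path they do not exercise it; the enclosing function starts and ends outside the hunk.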