N°6238 Security hardening
@@ -50,10 +50,10 @@ class CookieJar implements CookieJarInterface
|
||||
$cookieJar = new self();
|
||||
foreach ($cookies as $name => $value) {
|
||||
$cookieJar->setCookie(new SetCookie([
|
||||
'Domain' => $domain,
|
||||
'Name' => $name,
|
||||
'Value' => $value,
|
||||
'Discard' => true
|
||||
'Domain' => $domain,
|
||||
'Name' => $name,
|
||||
'Value' => $value,
|
||||
'Discard' => true,
|
||||
]));
|
||||
}
|
||||
|
||||
@@ -97,7 +97,7 @@ class CookieJar implements CookieJarInterface
|
||||
}
|
||||
|
||||
/**
|
||||
* @inheritDoc
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
public function toArray(): array
|
||||
{
|
||||
@@ -107,12 +107,13 @@ class CookieJar implements CookieJarInterface
|
||||
}
|
||||
|
||||
/**
|
||||
* @inheritDoc
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
public function clear(?string $domain = null, ?string $path = null, ?string $name = null): void
|
||||
{
|
||||
if (!$domain) {
|
||||
$this->cookies = [];
|
||||
|
||||
return;
|
||||
} elseif (!$path) {
|
||||
$this->cookies = \array_filter(
|
||||
@@ -142,7 +143,7 @@ class CookieJar implements CookieJarInterface
|
||||
}
|
||||
|
||||
/**
|
||||
* @inheritDoc
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
public function clearSessionCookies(): void
|
||||
{
|
||||
@@ -155,7 +156,7 @@ class CookieJar implements CookieJarInterface
|
||||
}
|
||||
|
||||
/**
|
||||
* @inheritDoc
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
public function setCookie(SetCookie $cookie): bool
|
||||
{
|
||||
@@ -170,15 +171,15 @@ class CookieJar implements CookieJarInterface
|
||||
$result = $cookie->validate();
|
||||
if ($result !== true) {
|
||||
if ($this->strictMode) {
|
||||
throw new \RuntimeException('Invalid cookie: ' . $result);
|
||||
throw new \RuntimeException('Invalid cookie: '.$result);
|
||||
}
|
||||
$this->removeCookieIfEmpty($cookie);
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
// Resolve conflicts with previously set cookies
|
||||
foreach ($this->cookies as $i => $c) {
|
||||
|
||||
// Two cookies are identical, when their path, and domain are
|
||||
// identical.
|
||||
if ($c->getPath() != $cookie->getPath() ||
|
||||
@@ -254,7 +255,7 @@ class CookieJar implements CookieJarInterface
|
||||
/**
|
||||
* Computes cookie path following RFC 6265 section 5.1.4
|
||||
*
|
||||
* @link https://tools.ietf.org/html/rfc6265#section-5.1.4
|
||||
* @see https://tools.ietf.org/html/rfc6265#section-5.1.4
|
||||
*/
|
||||
private function getCookiePathFromRequest(RequestInterface $request): string
|
||||
{
|
||||
@@ -290,8 +291,8 @@ class CookieJar implements CookieJarInterface
|
||||
!$cookie->isExpired() &&
|
||||
(!$cookie->getSecure() || $scheme === 'https')
|
||||
) {
|
||||
$values[] = $cookie->getName() . '='
|
||||
. $cookie->getValue();
|
||||
$values[] = $cookie->getName().'='
|
||||
.$cookie->getValue();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -13,7 +13,7 @@ use Psr\Http\Message\ResponseInterface;
|
||||
* necessary. Subclasses are also responsible for storing and retrieving
|
||||
* cookies from a file, database, etc.
|
||||
*
|
||||
* @link https://docs.python.org/2/library/cookielib.html Inspiration
|
||||
* @see https://docs.python.org/2/library/cookielib.html Inspiration
|
||||
* @extends \IteratorAggregate<SetCookie>
|
||||
*/
|
||||
interface CookieJarInterface extends \Countable, \IteratorAggregate
|
||||
|
||||
@@ -71,7 +71,7 @@ class SessionCookieJar extends CookieJar
|
||||
$this->setCookie(new SetCookie($cookie));
|
||||
}
|
||||
} elseif (\strlen($data)) {
|
||||
throw new \RuntimeException("Invalid cookie data");
|
||||
throw new \RuntimeException('Invalid cookie data');
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -11,15 +11,15 @@ class SetCookie
|
||||
* @var array
|
||||
*/
|
||||
private static $defaults = [
|
||||
'Name' => null,
|
||||
'Value' => null,
|
||||
'Domain' => null,
|
||||
'Path' => '/',
|
||||
'Max-Age' => null,
|
||||
'Expires' => null,
|
||||
'Secure' => false,
|
||||
'Discard' => false,
|
||||
'HttpOnly' => false
|
||||
'Name' => null,
|
||||
'Value' => null,
|
||||
'Domain' => null,
|
||||
'Path' => '/',
|
||||
'Max-Age' => null,
|
||||
'Expires' => null,
|
||||
'Secure' => false,
|
||||
'Discard' => false,
|
||||
'HttpOnly' => false,
|
||||
];
|
||||
|
||||
/**
|
||||
@@ -58,7 +58,13 @@ class SetCookie
|
||||
} else {
|
||||
foreach (\array_keys(self::$defaults) as $search) {
|
||||
if (!\strcasecmp($search, $key)) {
|
||||
$data[$search] = $value;
|
||||
if ($search === 'Max-Age') {
|
||||
if (is_numeric($value)) {
|
||||
$data[$search] = (int) $value;
|
||||
}
|
||||
} else {
|
||||
$data[$search] = $value;
|
||||
}
|
||||
continue 2;
|
||||
}
|
||||
}
|
||||
@@ -74,13 +80,49 @@ class SetCookie
|
||||
*/
|
||||
public function __construct(array $data = [])
|
||||
{
|
||||
/** @var array|null $replaced will be null in case of replace error */
|
||||
$replaced = \array_replace(self::$defaults, $data);
|
||||
if ($replaced === null) {
|
||||
throw new \InvalidArgumentException('Unable to replace the default values for the Cookie.');
|
||||
$this->data = self::$defaults;
|
||||
|
||||
if (isset($data['Name'])) {
|
||||
$this->setName($data['Name']);
|
||||
}
|
||||
|
||||
if (isset($data['Value'])) {
|
||||
$this->setValue($data['Value']);
|
||||
}
|
||||
|
||||
if (isset($data['Domain'])) {
|
||||
$this->setDomain($data['Domain']);
|
||||
}
|
||||
|
||||
if (isset($data['Path'])) {
|
||||
$this->setPath($data['Path']);
|
||||
}
|
||||
|
||||
if (isset($data['Max-Age'])) {
|
||||
$this->setMaxAge($data['Max-Age']);
|
||||
}
|
||||
|
||||
if (isset($data['Expires'])) {
|
||||
$this->setExpires($data['Expires']);
|
||||
}
|
||||
|
||||
if (isset($data['Secure'])) {
|
||||
$this->setSecure($data['Secure']);
|
||||
}
|
||||
|
||||
if (isset($data['Discard'])) {
|
||||
$this->setDiscard($data['Discard']);
|
||||
}
|
||||
|
||||
if (isset($data['HttpOnly'])) {
|
||||
$this->setHttpOnly($data['HttpOnly']);
|
||||
}
|
||||
|
||||
// Set the remaining values that don't have extra validation logic
|
||||
foreach (array_diff(array_keys($data), array_keys(self::$defaults)) as $key) {
|
||||
$this->data[$key] = $data[$key];
|
||||
}
|
||||
|
||||
$this->data = $replaced;
|
||||
// Extract the Expires value and turn it into a UNIX timestamp if needed
|
||||
if (!$this->getExpires() && $this->getMaxAge()) {
|
||||
// Calculate the Expires date
|
||||
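Review bot: The trailing `foreach (array_diff(array_keys($data), array_keys(self::$defaults)) as $key)` loop in the new constructor copies every non-standard key into `$this->data` with no validation, whereas the standard attributes just above it are routed through their setters; since `__toString()` in the following hunk renders every entry that is not null or false as `{$k}={$v}`, an unexpected key passed in `$data` reaches the serialized cookie string untouched. If that pass-through is intended, a comment such as `// Keys outside self::$defaults are kept verbatim and rendered by __toString(); they are not validated` would make the limit of the setter-based validation explicit. This hunk and the Max-Age hunk above also call `array_diff`, `array_keys` and `is_numeric` without the leading backslash the rest of the file uses (`\array_keys`, `\strcasecmp`, `\array_replace`); prefixing them keeps the style consistent. `__construct` continues past the end of this hunk.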
@@ -92,13 +134,13 @@ class SetCookie
|
||||
|
||||
public function __toString()
|
||||
{
|
||||
$str = $this->data['Name'] . '=' . ($this->data['Value'] ?? '') . '; ';
|
||||
$str = $this->data['Name'].'='.($this->data['Value'] ?? '').'; ';
|
||||
foreach ($this->data as $k => $v) {
|
||||
if ($k !== 'Name' && $k !== 'Value' && $v !== null && $v !== false) {
|
||||
if ($k === 'Expires') {
|
||||
$str .= 'Expires=' . \gmdate('D, d M Y H:i:s \G\M\T', $v) . '; ';
|
||||
$str .= 'Expires='.\gmdate('D, d M Y H:i:s \G\M\T', $v).'; ';
|
||||
} else {
|
||||
$str .= ($v === true ? $k : "{$k}={$v}") . '; ';
|
||||
$str .= ($v === true ? $k : "{$k}={$v}").'; ';
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -394,7 +436,7 @@ class SetCookie
|
||||
return false;
|
||||
}
|
||||
|
||||
return (bool) \preg_match('/\.' . \preg_quote($cookieDomain, '/') . '$/', $domain);
|
||||
return (bool) \preg_match('/\.'.\preg_quote($cookieDomain, '/').'$/', $domain);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -423,8 +465,8 @@ class SetCookie
|
||||
$name
|
||||
)) {
|
||||
return 'Cookie name must not contain invalid characters: ASCII '
|
||||
. 'Control characters (0-31;127), space, tab and the '
|
||||
. 'following characters: ()<>@,;:\"/?={}';
|
||||
.'Control characters (0-31;127), space, tab and the '
|
||||
.'following characters: ()<>@,;:\"/?={}';
|
||||
}
|
||||
|
||||
// Value must not be null. 0 and empty string are valid. Empty strings
|
||||
|
||||