1 | <?php |
2 | /** |
3 | * Cookie for HTTP requests. |
4 | * |
5 | * This program is free software; you can redistribute it and/or modify |
6 | * it under the terms of the GNU General Public License as published by |
7 | * the Free Software Foundation; either version 2 of the License, or |
8 | * (at your option) any later version. |
9 | * |
10 | * This program is distributed in the hope that it will be useful, |
11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
13 | * GNU General Public License for more details. |
14 | * |
15 | * You should have received a copy of the GNU General Public License along |
16 | * with this program; if not, write to the Free Software Foundation, Inc., |
17 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
18 | * http://www.gnu.org/copyleft/gpl.html |
19 | * |
20 | * @file |
21 | * @ingroup HTTP |
22 | */ |
23 | |
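class Cookie {
	/** @var string Cookie name, emitted verbatim in the Cookie request header */
	protected $name;
	/** @var string Cookie value, emitted verbatim (no encoding is applied here) */
	protected $value;
	/** @var int|false|null Expiry as a Unix timestamp; false if the 'expires' attribute did not parse */
	protected $expires;
	/** @var string Request-path scope of the cookie (defaults to '/') */
	protected $path;
	/** @var string Host scope of the cookie; a leading '.' also covers subdomains */
	protected $domain;
	/** @var bool True until an 'expires' attribute is supplied */
	protected $isSessionKey = true;
	// TO IMPLEMENT protected $secure
	// TO IMPLEMENT? protected $maxAge (add onto expires)
	// TO IMPLEMENT? protected $version
	// TO IMPLEMENT? protected $comment

	/**
	 * @param string $name Cookie name
	 * @param string $value Cookie value
	 * @param array $attr Attributes, see set(); 'domain' is mandatory
	 * @throws InvalidArgumentException If 'domain' is missing or rejected by validateCookieDomain()
	 */
	public function __construct( $name, $value, $attr ) {
		$this->name = $name;
		$this->set( $value, $attr );
	}

	/**
	 * Sets a cookie. Used before a request to set up any individual
	 * cookies. Used internally after a request to parse the
	 * Set-Cookie headers.
	 *
	 * The domain is validated with validateCookieDomain() and the call
	 * throws if it is missing or unacceptable. (Previously an unacceptable
	 * domain was silently dropped, leaving $this->domain null and the cookie
	 * unservable; failing loudly makes the rejection visible to the caller.)
	 * Validation happens before any property is written, so a rejected call
	 * leaves the cookie unchanged.
	 *
	 * @param string $value The value of the cookie
	 * @param array $attr Possible key/values:
	 *        expires A date string understood by strtotime()
	 *        path    The path this cookie is used on (default '/')
	 *        domain  Domain this cookie is used on (required)
	 * @throws InvalidArgumentException
	 */
	public function set( $value, $attr ) {
		if ( !isset( $attr['domain'] ) ) {
			throw new InvalidArgumentException( '$attr must contain a domain' );
		}
		if ( !self::validateCookieDomain( $attr['domain'] ) ) {
			throw new InvalidArgumentException( '$attr must contain a valid cookie domain' );
		}

		$this->value = $value;
		$this->domain = $attr['domain'];
		$this->path = $attr['path'] ?? '/';

		if ( isset( $attr['expires'] ) ) {
			$this->isSessionKey = false;
			// strtotime() returns false for an unparsable date; isUnExpired()
			// then treats the cookie as already expired, so it is never sent.
			$this->expires = strtotime( $attr['expires'] );
		}
	}

	/**
	 * Return true if $domain is an acceptable cookie domain, optionally
	 * checked against the host the cookie came from; otherwise false.
	 *
	 * The goal is to stop a server from setting a cookie that would be sent
	 * to every host under a registry suffix (".com", ".co.uk") or to a host
	 * that is not its own parent. The heuristic is similar to the IE cookie
	 * security rules described here:
	 * http://kuza55.blogspot.com/2008/02/understanding-cookie-security.html
	 * A better method might be to use a list like
	 * http://publicsuffix.org/
	 *
	 * @todo fixme fails to detect 3-letter top-level domains
	 * @todo fixme fails to detect 2-letter top-level domains for single-domain use (probably
	 *       not a big problem in practice, but there are test cases)
	 *
	 * @param string $domain The domain to validate
	 * @param string|null $originDomain (optional) the domain the cookie originates from;
	 *        null or '' skips the origin check
	 * @return bool
	 */
	public static function validateCookieDomain( $domain, $originDomain = null ) {
		$labels = explode( '.', $domain );

		// Reject a trailing dot, a single bare label, and a lone leading dot (".com").
		if ( str_ends_with( $domain, '.' )
			|| count( $labels ) <= 1
			|| ( count( $labels ) == 2 && $labels[0] === '' )
		) {
			return false;
		}

		// Numeric domains must be a complete, valid dotted-quad IPv4 address,
		// and an address cookie is only acceptable for exactly that address.
		if ( preg_match( '/^[0-9.]+$/', $domain ) ) {
			if ( count( $labels ) !== 4 || ip2long( $domain ) === false ) {
				return false;
			}
			return $originDomain === null || $originDomain === '' || $originDomain === $domain;
		}

		// Two-letter (country-code) TLD, i.e. exactly two characters after the last dot.
		// Refuse registry-level names such as "co.uk" or ".gov.uk" (a cookie there would be
		// shared with every site under the registry) but allow a real host like "supermarket.uk".
		if ( strrpos( $domain, '.' ) - strlen( $domain ) == -3 ) {
			// "xx.yy" or ".xx.yy" with a second-level label of at most two characters
			if ( ( count( $labels ) == 2 && strlen( $labels[0] ) <= 2 )
				|| ( count( $labels ) == 3 && $labels[0] === '' && strlen( $labels[1] ) <= 2 )
			) {
				return false;
			}
			// "com.au", ".org.uk" and friends: generic second-level labels under a ccTLD
			if ( ( count( $labels ) == 2 || ( count( $labels ) == 3 && $labels[0] === '' ) )
				&& preg_match( '/(com|net|org|gov|edu)\...$/', $domain )
			) {
				return false;
			}
		}

		if ( $originDomain !== null && $originDomain !== '' ) {
			if ( str_starts_with( $domain, '.' ) ) {
				// A dotted domain must be a case-insensitive suffix of the origin. The dot
				// carried in $domain puts the match on a label boundary: "www.example.com"
				// may set ".example.com", "evilexample.com" may not.
				$len = strlen( $domain );
				if ( strlen( $originDomain ) < $len
					|| substr_compare( $originDomain, $domain, -$len, $len, true ) != 0
				) {
					return false;
				}
			} elseif ( $domain !== $originDomain ) {
				// Without a leading dot the cookie may only name the origin host itself
				// (compared exactly, including case).
				return false;
			}
		}

		return true;
	}

	/**
	 * Render this cookie as a "name=value" pair for a Cookie request header,
	 * or '' if it must not be sent to this path/domain or has expired.
	 *
	 * No encoding or escaping is applied: name and value are emitted verbatim.
	 * A caller that accepts either from an untrusted source must make sure
	 * they contain no CR, LF or ';', which would corrupt or inject into the
	 * header. The Secure attribute is not tracked (see the TO IMPLEMENT note
	 * on the properties), so nothing here prevents replaying a cookie over
	 * plain HTTP; that is the caller's responsibility.
	 *
	 * @param string $path The path that will be used. Required.
	 * @param string $domain The domain that will be used. Required.
	 * @return string
	 */
	public function serializeToHttpRequest( $path, $domain ) {
		$ret = '';

		if ( $this->canServeDomain( $domain )
			&& $this->canServePath( $path )
			&& $this->isUnExpired()
		) {
			$ret = $this->name . '=' . $this->value;
		}

		return $ret;
	}

	/**
	 * Whether the cookie may be sent to $domain: an exact match, or, for a
	 * cookie domain with a leading dot, any host beneath it. Note that the
	 * bare parent ("example.com") is NOT matched by ".example.com".
	 *
	 * @param string $domain
	 * @return bool
	 */
	protected function canServeDomain( $domain ) {
		if ( $domain === $this->domain ) {
			return true;
		}

		// The length test keeps the negative offset in range; the dot carried in
		// $this->domain guarantees the suffix match lands on a label boundary.
		$len = strlen( $this->domain );
		return str_starts_with( $this->domain, '.' )
			&& strlen( $domain ) > $len
			&& substr_compare( $domain, $this->domain, -$len, $len, true ) == 0;
	}

	/**
	 * Whether the cookie may be sent to $path, using the RFC 6265 §5.1.4
	 * path-match rule: identical, or the cookie path is a prefix of the
	 * request path ending on a path-segment boundary. The previous bare
	 * prefix test would send a cookie scoped to "/wiki" to "/wikipedia".
	 *
	 * @param string $path
	 * @return bool
	 */
	protected function canServePath( $path ) {
		$cookiePath = $this->path;
		if ( !$cookiePath ) {
			return false;
		}
		if ( $path === $cookiePath ) {
			return true;
		}

		// When the prefix holds and the paths differ, $path is strictly longer,
		// so the character at strlen( $cookiePath ) exists.
		return str_starts_with( $path, $cookiePath )
			&& ( str_ends_with( $cookiePath, '/' ) || $path[strlen( $cookiePath )] === '/' );
	}

	/**
	 * Session cookies never expire; otherwise the expiry must lie in the future.
	 * An unparsable 'expires' leaves $expires === false, and false > time()
	 * is false, so such cookies are treated as expired (never sent).
	 *
	 * @return bool
	 */
	protected function isUnExpired() {
		return $this->isSessionKey || $this->expires > time();
	}
}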