Code Coverage for /workspace/src/includes/libs/Cookie.php

	Code Coverage
	Lines			Functions and Methods				Classes and Traits
Total	81.13% covered (warning)	81.13%	43 / 53	42.86% covered (danger)	42.86%	3 / 7	CRAP	0.00% covered (danger)	0.00%	0 / 1
Cookie	81.13% covered (warning)	81.13%	43 / 53	42.86% covered (danger)	42.86%	3 / 7	49.22	0.00% covered (danger)	0.00%	0 / 1
__construct	100.00% covered (success)	100.00%	2 / 2	100.00% covered (success)	100.00%	1 / 1	1
set	75.00% covered (warning)	75.00%	6 / 8	0.00% covered (danger)	0.00%	0 / 1	4.25
validateCookieDomain	100.00% covered (success)	100.00%	26 / 26	100.00% covered (success)	100.00%	1 / 1	23
serializeToHttpRequest	0.00% covered (danger)	0.00%	0 / 6	0.00% covered (danger)	0.00%	0 / 1	20
canServeDomain	100.00% covered (success)	100.00%	9 / 9	100.00% covered (success)	100.00%	1 / 1	4
canServePath	0.00% covered (danger)	0.00%	0 / 1	0.00% covered (danger)	0.00%	0 / 1	2
isUnExpired	0.00% covered (danger)	0.00%	0 / 1	0.00% covered (danger)	0.00%	0 / 1	6

1	<?php
2
3	/**
4	* @license GPL-2.0-or-later
5	*/
6
7	/**
8	* Cookie for HTTP requests.
9	*
10	* @ingroup HTTP
11	*/
12	class Cookie {
13
14	private string $name;
15	private string $value;
16	/** The "expires" attribute as a unix timestamp, 0 for a session cookie (unset or invalid expiry) */
17	private int $expires = 0;
18	private string $path;
19	private ?string $domain = null;
20
21	public function __construct( string $name, string $value, array $attr ) {
22	$this->name = $name;
23	$this->set( $value, $attr );
24	}
25
26	/**
27	* Sets a cookie. Used before a request to set up any individual
28	* cookies. Used internally after a request to parse the
29	* Set-Cookie headers.
30	*
31	* @param string $value The value of the cookie
32	* @param string[] $attr Possible key/values:
33	* expires A date string
34	* path The path this cookie is used on
35	* domain Domain this cookie is used on
36	*/
37	public function set( string $value, array $attr ): void {
38	$this->value = $value;
39
40	if ( isset( $attr['expires'] ) ) {
41	// Invalid date strings become 0, same as if not specified
42	$this->expires = (int)strtotime( $attr['expires'] );
43	}
44
45	$this->path = $attr['path'] ?? '/';
46
47	if ( isset( $attr['domain'] ) ) {
48	if ( self::validateCookieDomain( $attr['domain'] ) ) {
49	$this->domain = $attr['domain'];
50	}
51	} else {
52	throw new InvalidArgumentException( '$attr must contain a domain' );
53	}
54	}
55
56	/**
57	* Return the true if the cookie is valid is valid. Otherwise,
58	* false. The uses a method similar to IE cookie security
59	* described here:
60	* http://kuza55.blogspot.com/2008/02/understanding-cookie-security.html
61	* A better method might be to use a list like
62	* http://publicsuffix.org/
63	*
64	* @todo fixme fails to detect 3-letter top-level domains
65	* @todo fixme fails to detect 2-letter top-level domains for single-domain use (probably
66	* not a big problem in practice, but there are test cases)
67	*
68	* @param string $domain The domain to validate
69	* @param string\|null $originDomain (optional) the domain the cookie originates from
70	*/
71	public static function validateCookieDomain( string $domain, ?string $originDomain = null ): bool {
72	$dc = explode( ".", $domain );
73
74	// Don't allow a trailing dot or addresses without a or just a leading dot
75	if ( str_ends_with( $domain, '.' ) \|\|
76	count( $dc ) <= 1 \|\|
77	( count( $dc ) == 2 && $dc[0] === '' )
78	) {
79	return false;
80	}
81
82	// Only allow full, valid IP addresses
83	if ( preg_match( '/^[0-9.]+$/', $domain ) ) {
84	if ( count( $dc ) !== 4 \|\| ip2long( $domain ) === false ) {
85	return false;
86	}
87
88	if ( $originDomain === null \|\| $originDomain === $domain ) {
89	return true;
90	}
91	}
92
93	// Don't allow cookies for "co.uk" or "gov.uk", etc, but allow "supermarket.uk"
94	if ( strrpos( $domain, "." ) - strlen( $domain ) === -3 ) {
95	if ( ( count( $dc ) === 2 && strlen( $dc[0] ) <= 2 )
96	\|\| ( count( $dc ) === 3 && $dc[0] === '' && strlen( $dc[1] ) <= 2 )
97	) {
98	return false;
99	}
100	if ( ( count( $dc ) === 2 \|\| ( count( $dc ) === 3 && $dc[0] === '' ) )
101	&& preg_match( '/(com\|net\|org\|gov\|edu)\...$/', $domain )
102	) {
103	return false;
104	}
105	}
106
107	if ( $originDomain !== null ) {
108	return $domain === $originDomain
109	\|\| (
110	str_starts_with( $domain, '.' )
111	&& substr_compare( $originDomain, $domain, -strlen( $domain ),
112	case_insensitive: true
113	) === 0
114	);
115	}
116
117	return true;
118	}
119
120	/**
121	* Serialize the cookie jar into a format useful for HTTP Request headers.
122	*
123	* @param string $path The path that will be used. Required.
124	* @param string $domain The domain that will be used. Required.
125	*/
126	public function serializeToHttpRequest( string $path, string $domain ): string {
127	$ret = '';
128
129	if ( $this->canServeDomain( $domain )
130	&& $this->canServePath( $path )
131	&& $this->isUnExpired() ) {
132	$ret = $this->name . '=' . $this->value;
133	}
134
135	return $ret;
136	}
137
138	private function canServeDomain( string $domain ): bool {
139	// No valid "domain" attribute was provided on construction time
140	if ( !$this->domain ) {
141	return false;
142	}
143
144	return $domain === $this->domain
145	\|\| (
146	str_starts_with( $this->domain, '.' )
147	&& substr_compare( $domain, $this->domain, -strlen( $this->domain ),
148	case_insensitive: true
149	) === 0
150	);
151	}
152
153	private function canServePath( string $path ): bool {
154	return str_starts_with( $path, $this->path );
155	}
156
157	private function isUnExpired(): bool {
158	return !$this->expires \|\| $this->expires > time();
159	}
160
161	}