Thijs/wiki.techinc.nl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

WebReponse: Use values altered in 'WebResponseSetCookie' hook

Browse source 
The 'WebResponseSetCookie' hook is allowed to alter the data for the
cookie being set. We need to actually use those altered values, rather
than setting $cookie and $data earlier in the function.

Bug: T198525
Change-Id: Ia817e3dc5ce17fdcf5057ee5fcb6980baa1333d6
This commit is contained in:
Brad Jorsch 2018-07-08 15:25:18 -04:00
parent ea7101e6e4
commit 8885b548ad
1 changed files with 23 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
includes/WebResponse.php
View file

@ -151,21 +151,19 @@ class WebResponse {
$expire = time() + $wgCookieExpiration;
}
$cookie = $options['prefix'] . $name;
$data = [
'name' => (string)$cookie,
'value' => (string)$value,
'expire' => (int)$expire,
'path' => (string)$options['path'],
'domain' => (string)$options['domain'],
'secure' => (bool)$options['secure'],
'httpOnly' => (bool)$options['httpOnly'],
];
if ( self::$disableForPostSend ) {
$cookie = $options['prefix'] . $name;
wfDebugLog( 'cookie', 'ignored post-send cookie {cookie}', 'all', [
'cookie' => $cookie,
'data' => $data,
'data' => [
'name' => (string)$cookie,
'value' => (string)$value,
'expire' => (int)$expire,
'path' => (string)$options['path'],
'domain' => (string)$options['domain'],
'secure' => (bool)$options['secure'],
'httpOnly' => (bool)$options['httpOnly'],
],
'exception' => new RuntimeException( 'Ignored post-send cookie' ),
] );
return;
@ -174,6 +172,19 @@ class WebResponse {
$func = $options['raw'] ? 'setrawcookie' : 'setcookie';
if ( Hooks::run( 'WebResponseSetCookie', [ &$name, &$value, &$expire, &$options ] ) ) {
// Note: Don't try to move this earlier to reuse it for self::$disableForPostSend,
// we need to use the altered values from the hook here. (T198525)
$cookie = $options['prefix'] . $name;
$data = [
'name' => (string)$cookie,
'value' => (string)$value,
'expire' => (int)$expire,
'path' => (string)$options['path'],
'domain' => (string)$options['domain'],
'secure' => (bool)$options['secure'],
'httpOnly' => (bool)$options['httpOnly'],
];
// Per RFC 6265, key is name + domain + path
$key = "{$data['name']}\n{$data['domain']}\n{$data['path']}";