Merge pull request #63 from andrewkharook/cross-subdomain-cookie-sharing-issue

joelwurtz · web-flow · commit 0f92f9733e40 · 2017-07-20T16:19:44.000+02:00
Cross subdomain cookie sharing issue
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -37,6 +37,7 @@ $plugin = new RetryPlugin(['delay' => function(RequestInterface $request, Except
 
 ### Fixed
 
+- `CookiePlugin` allows main domain cookies to be sent/stored for subdomains
 - `DecoderPlugin` uses the right `FilteredStream` to handle `deflate` content encoding
 
 
diff --git a/spec/Plugin/CookiePluginSpec.php b/spec/Plugin/CookiePluginSpec.php
@@ -82,6 +82,47 @@ function it_does_not_load_cookie_if_domain_does_not_match(RequestInterface $requ
         }, function () {});
     }
 
+    function it_does_not_load_cookie_on_hackish_domains(RequestInterface $request, UriInterface $uri, Promise $promise)
+    {
+        $hackishDomains = [
+            'hacktest.com',
+            'test.com.hacked.org',
+        ];
+        $cookie = new Cookie('name', 'value', 86400, 'test.com');
+        $this->cookieJar->addCookie($cookie);
+
+        foreach ($hackishDomains as $domain) {
+            $request->getUri()->willReturn($uri);
+            $uri->getHost()->willReturn($domain);
+
+            $request->withAddedHeader('Cookie', 'name=value')->shouldNotBeCalled();
+
+            $this->handleRequest($request, function (RequestInterface $requestReceived) use ($request, $promise) {
+                if (Argument::is($requestReceived)->scoreArgument($request->getWrappedObject())) {
+                    return $promise->getWrappedObject();
+                }
+            }, function () {});
+        }
+    }
+
+    function it_loads_cookie_on_subdomains(RequestInterface $request, UriInterface $uri, Promise $promise)
+    {
+        $cookie = new Cookie('name', 'value', 86400, 'test.com');
+        $this->cookieJar->addCookie($cookie);
+
+        $request->getUri()->willReturn($uri);
+        $uri->getHost()->willReturn('www.test.com');
+        $uri->getPath()->willReturn('/');
+
+        $request->withAddedHeader('Cookie', 'name=value')->willReturn($request);
+
+        $this->handleRequest($request, function (RequestInterface $requestReceived) use ($request, $promise) {
+            if (Argument::is($requestReceived)->scoreArgument($request->getWrappedObject())) {
+                return $promise->getWrappedObject();
+            }
+        }, function () {});
+    }
+
     function it_does_not_load_cookie_if_path_does_not_match(RequestInterface $request, UriInterface $uri, Promise $promise)
     {
         $cookie = new Cookie('name', 'value', 86400, 'test.com', '/sub');
diff --git a/src/Plugin/CookiePlugin.php b/src/Plugin/CookiePlugin.php
@@ -69,7 +69,7 @@ public function handleRequest(RequestInterface $request, callable $next, callabl
                     }
 
                     // Restrict setting cookie from another domain
-                    if (false === strpos($cookie->getDomain(), $request->getUri()->getHost())) {
+                    if (!preg_match("/\.{$cookie->getDomain()}$/", '.'.$request->getUri()->getHost())) {
                         continue;
                     }
 

Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,7 @@ $plugin = new RetryPlugin(['delay' => function(RequestInterface $request, Except`
`37`	`37`
`38`	`38`	`### Fixed`
`39`	`39`
	`40`	+- `CookiePlugin` allows main domain cookies to be sent/stored for subdomains
`40`	`41`	- `DecoderPlugin` uses the right `FilteredStream` to handle `deflate` content encoding
`41`	`42`
`42`	`43`
Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ public function handleRequest(RequestInterface $request, callable $next, callabl`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`// Restrict setting cookie from another domain`
`72`		`- if (false === strpos($cookie->getDomain(), $request->getUri()->getHost())) {`
	`72`	`+ if (!preg_match("/\.{$cookie->getDomain()}$/", '.'.$request->getUri()->getHost())) {`
`73`	`73`	`continue;`
`74`	`74`	`}`
`75`	`75`