#62 Adjust security check

Andrew Kharook · Andrew Kharook · commit f5103f02766f · 2017-07-10T15:28:40.000+03:00
diff --git a/spec/Plugin/CookiePluginSpec.php b/spec/Plugin/CookiePluginSpec.php
@@ -84,19 +84,25 @@ function it_does_not_load_cookie_if_domain_does_not_match(RequestInterface $requ
 
     function it_does_not_load_cookie_on_hackish_domains(RequestInterface $request, UriInterface $uri, Promise $promise)
     {
+        $hackishDomains = [
+            'hacktest.com',
+            'test.com.hacked.org',
+        ];
         $cookie = new Cookie('name', 'value', 86400, 'test.com');
         $this->cookieJar->addCookie($cookie);
 
-        $request->getUri()->willReturn($uri);
-        $uri->getHost()->willReturn('hacktest.com');
+        foreach ($hackishDomains as $domain) {
+            $request->getUri()->willReturn($uri);
+            $uri->getHost()->willReturn($domain);
 
-        $request->withAddedHeader('Cookie', 'name=value')->shouldNotBeCalled();
+            $request->withAddedHeader('Cookie', 'name=value')->shouldNotBeCalled();
 
-        $this->handleRequest($request, function (RequestInterface $requestReceived) use ($request, $promise) {
-            if (Argument::is($requestReceived)->scoreArgument($request->getWrappedObject())) {
-                return $promise->getWrappedObject();
-            }
-        }, function () {});
+            $this->handleRequest($request, function (RequestInterface $requestReceived) use ($request, $promise) {
+                if (Argument::is($requestReceived)->scoreArgument($request->getWrappedObject())) {
+                    return $promise->getWrappedObject();
+                }
+            }, function () {});
+        }
     }
 
     function it_loads_cookie_on_subdomains(RequestInterface $request, UriInterface $uri, Promise $promise)
diff --git a/src/Plugin/CookiePlugin.php b/src/Plugin/CookiePlugin.php
@@ -69,11 +69,7 @@ public function handleRequest(RequestInterface $request, callable $next, callabl
                     }
 
                     // Restrict setting cookie from another domain
-                    if (false === strpos(
-                            '.'.$request->getUri()->getHost(),
-                            '.'.$cookie->getDomain()
-                        )
-                    ) {
+                    if (!preg_match("/\.{$cookie->getDomain()}$/", '.'.$request->getUri()->getHost())) {
                         continue;
                     }
 

Original file line number	Diff line number	Diff line change
`@@ -69,11 +69,7 @@ public function handleRequest(RequestInterface $request, callable $next, callabl`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`// Restrict setting cookie from another domain`
`72`		`- if (false === strpos(`
`73`		`- '.'.$request->getUri()->getHost(),`
`74`		`- '.'.$cookie->getDomain()`
`75`		`- )`
`76`		`- ) {`
	`72`	`+ if (!preg_match("/\.{$cookie->getDomain()}$/", '.'.$request->getUri()->getHost())) {`
`77`	`73`	`continue;`
`78`	`74`	`}`
`79`	`75`