| author | xXx-caillou-xXx | 2017-12-18 16:27:00 +0100 |
|---|---|---|
| committer | jvoisin | 2017-12-18 16:27:00 +0100 |
| commit | f70bd2eafc2fdac9fa528a3e649db0178c601b41 (patch) | |
| tree | 5bde4b106b3e24a49bdb061c9eca2ecfe68b9bbc | |
| parent | 75f876fca7587218fdbad9bd10bbe52825591ccc (diff) | |
Fix cookie encryption
Previously, any cookie set with the `httpOnly` flag was automatically encrypted, because the encryption condition tested the `httponly` argument instead of the cookie's configured `encrypt()` rule. Encryption is now driven only by that rule, and a regression test for an `httpOnly` cookie without `encrypt()` was added.
| -rw-r--r-- | src/sp_cookie_encryption.c | 2 | ||||
| -rw-r--r-- | src/tests/config/config_samesite_cookies.ini | 2 | ||||
| -rw-r--r-- | src/tests/samesite_cookies.phpt | 2 |
3 files changed, 4 insertions, 2 deletions
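--- a/src/sp_cookie_encryption.c
+++ b/src/sp_cookie_encryption.c
@@ -180,7 +180,7 @@ PHP_FUNCTION(sp_setcookie) {
 }
 
 /* Shall we encrypt the cookie's value? */
-if (httponly && value) {
+if (cookie_node && cookie_node->encrypt && value) {
 zend_string *encrypted_data = encrypt_data(value->val, value->len);
 ZVAL_STR_COPY(¶ms[1], encrypted_data);
 zend_string_release(encrypted_data);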
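Review bot: The comment on line 182 no longer says what decides encryption now that the condition tests `cookie_node->encrypt` instead of the `httponly` argument; I would replace it with `/* Encrypt only when the sp.cookie rule matching this name carries .encrypt(); the httponly flag does not influence this. */`. Where `cookie_node` is looked up, and whether it is NULL for cookies with no matching rule, is outside the hunk; the `cookie_node &&` guard suggests it can be, which is the right defensive default. encrypt_data's failure behavior is also not visible here: if it can return NULL, the `ZVAL_STR_COPY` on line 185 would dereference it, so a guard such as `if (!encrypted_data) { RETURN_FALSE; }` before that line is worth confirming against its implementation. sp_setcookie's body begins before and continues after this hunk.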
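--- a/src/tests/config/config_samesite_cookies.ini
+++ b/src/tests/config/config_samesite_cookies.ini
@@ -1,5 +1,5 @@
 sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
 sp.cookie.name("super_cookie").samesite("Lax");
 sp.cookie.name("awful_cookie").samesite("strict").encrypt();
-sp.cookie.name("nice_cookie").samesite("STRICT");
+sp.cookie.name("nice_cookie").samesite("STRICT").encrypt();
 sp.auto_cookie_secure.enable();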
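--- a/src/tests/samesite_cookies.phpt
+++ b/src/tests/samesite_cookies.phpt
@@ -16,11 +16,13 @@ EOF;
 <?php
 setcookie("super_cookie", "super_value");
 setcookie("awful_cookie", "awful_value");
+setcookie("not_encrypted", "test_value", 1, "1", "1", false, true);
 setcookie("nice_cookie", "nice_value", 1, "1", "1", true, true);
 
 $expected = array(
 'Set-Cookie: super_cookie=super_value; path=; samesite=Lax',
 'Set-Cookie: awful_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFyZcYjfEskB0AU0V3%2BvwazcRuU%2Ft6KpcUahvxw%3D; path=; samesite=Strict; HttpOnly',
+'Set-Cookie: not_encrypted=test_value; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=1; domain=1; HttpOnly',
 'Set-Cookie: nice_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJ8ko%2ByA4y%2Bmw5MGBx8fgc3TWOAvhIu%2BfF%2Bx2g%3D%3D; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=1; samesite=Strict; domain=1; secure; HttpOnly',
 );
 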
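Review bot: The expected ciphertexts on new lines 24 and 26 are hard-coded strings, which only holds because encrypt_data is deterministic under the test config's `secret_key("abcdef")` and `cookie_env_var("REMOTE_ADDR")`; the test should say so, otherwise a future change to the key or nonce derivation will look like a regression in cookie handling. A comment above `$expected` such as `// Ciphertexts below are fixed expectations under secret_key("abcdef") and cookie_env_var("REMOTE_ADDR") from config_samesite_cookies.ini; regenerate them if encrypt_data or its nonce derivation changes.` would do. The leading run of `A` characters in both encrypted values decodes to several dozen zero bytes; if that prefix is a nonce or unstripped padding rather than a fixed header, it is worth confirming it is intended, since a constant nonce would make equal plaintexts produce identical cookies across requests. The new `not_encrypted` case pins the reported regression (HttpOnly without `.encrypt()` stays plaintext), and awful_cookie already covers the reverse direction, so both sides of the decoupling are exercised.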
