| Age | Commit message (Collapse) | Author |
|---|
|
Thanks to this huge commit from @xXx-caillou-xXx, we can now write amazingly flexible rules.
|
|
We can simply use the return value of the original `setcookie` :>
|
|
We forgot to set a return value to the setcookie function, thus always returning false. Since very few frameworks/developers are checking the return value, it went unnoticed until we played with Magento, who effectively checks the return value.
|
|
Apparently, PHP doesn't like when you're trying to save some memory when you're playing with strings.
|
|
- There is no need to generate the key if the cookie has no value
- There is no need to generate the key if the cookie length is invalid
- Use yoda condition
|
|
|
|
|
|
Previously, when a cookie was set with the `httpOnly` flag, it was automatically encrypted, due to a logic flaw. This is now fixed and tested.
|
|
|
|
This is done by using the "samesite" cookie attribute.
|
|
|
|
|
|
|
|
* Fix a cookie encryption issue found by @cfreal
- Use the base64-decoded payload length to allocate memory to decrypt
it, instead of allocating the length of the undecoded one. This has
no security impact, since the base64-encoded string is at least as large
as the decoded one. Since we're using AEAD, there is no way to leak
memory, since this would make the decryption fail.
|
|
|
|
|
