From 5a224ee0c92d1639395d6a0c629316ae64226125 Mon Sep 17 00:00:00 2001 From: xXx-caillou-xXx Date: Fri, 24 Nov 2017 14:03:37 +0100 Subject: Implement anti csrf measures This is done by using the "samesite" cookie attribute.--- src/snuffleupagus.c | 15 +++--- src/sp_config.c | 2 +- src/sp_config.h | 23 ++++++-- src/sp_config_keywords.c | 53 +++++++++++++------ src/sp_config_keywords.h | 4 +- src/sp_cookie_encryption.c | 39 ++++++++++---- src/sp_cookie_encryption.h | 2 + src/tests/broken_conf_no_cookie_action.phpt | 9 ++++ src/tests/broken_conf_no_cookie_name.phpt | 2 +- src/tests/broken_conf_samesite.phpt | 9 ++++ src/tests/broken_conf_weird_keyword.phpt | 2 +- src/tests/config/broken_conf_cookie_action.ini | 1 + src/tests/config/broken_conf_cookie_samesite.ini | 1 + src/tests/config/broken_conf_line_empty_string.ini | 2 +- src/tests/config/broken_conf_line_no_closing.ini | 2 +- src/tests/config/broken_conf_lots_of_quotes.ini | 2 +- src/tests/config/broken_conf_wrong_quotes.ini | 2 +- src/tests/config/config_encrypted_cookies.ini | 2 +- .../config/config_encrypted_cookies_empty_env.ini | 2 +- .../config/config_encrypted_cookies_noname.ini | 2 +- src/tests/config/config_samesite_cookies.ini | 5 ++ src/tests/config/encrypt_cookies_no_env.ini | 2 +- src/tests/config/encrypt_cookies_no_key.ini | 2 +- src/tests/samesite_cookies.phpt | 61 ++++++++++++++++++++++ 24 files changed, 193 insertions(+), 53 deletions(-) create mode 100644 src/tests/broken_conf_no_cookie_action.phpt create mode 100644 src/tests/broken_conf_samesite.phpt create mode 100644 src/tests/config/broken_conf_cookie_action.ini create mode 100644 src/tests/config/broken_conf_cookie_samesite.ini create mode 100644 src/tests/config/config_samesite_cookies.ini create mode 100644 src/tests/samesite_cookies.phpt (limited to 'src') diff --git a/src/snuffleupagus.c b/src/snuffleupagus.c index e453587..9467a5d 100644 --- a/src/snuffleupagus.c +++ b/src/snuffleupagus.c 
@@ -71,14 +71,13 @@ PHP_GINIT_FUNCTION(snuffleupagus) { SP_INIT(snuffleupagus_globals->config.config_upload_validation); SP_INIT(snuffleupagus_globals->config.config_disabled_functions); SP_INIT(snuffleupagus_globals->config.config_disabled_functions_ret); - SP_INIT(snuffleupagus_globals->config.config_cookie_encryption); + SP_INIT(snuffleupagus_globals->config.config_cookie); SP_INIT(snuffleupagus_globals->config.config_disabled_constructs); snuffleupagus_globals->config.config_disabled_constructs->construct_include = sp_list_new(); snuffleupagus_globals->config.config_disabled_functions->disabled_functions = sp_list_new(); snuffleupagus_globals->config.config_disabled_functions_ret->disabled_functions = sp_list_new(); - - SP_INIT_HT(snuffleupagus_globals->config.config_cookie_encryption->names); + SP_INIT_HT(snuffleupagus_globals->config.config_cookie->cookies); #undef SP_INIT #undef SP_INIT_HT @@ -96,7 +95,7 @@ PHP_MSHUTDOWN_FUNCTION(snuffleupagus) { pefree(SNUFFLEUPAGUS_G(F), 1); FREE_HT(disabled_functions_hook); - FREE_HT(config.config_cookie_encryption->names); + FREE_HT(config.config_cookie->cookies); #undef FREE_HT @@ -108,7 +107,6 @@ PHP_MSHUTDOWN_FUNCTION(snuffleupagus) { pefree(SNUFFLEUPAGUS_G(config.config_snuffleupagus), 1); pefree(SNUFFLEUPAGUS_G(config.config_disable_xxe), 1); pefree(SNUFFLEUPAGUS_G(config.config_upload_validation), 1); - pefree(SNUFFLEUPAGUS_G(config.config_cookie_encryption), 1); #define FREE_LST(L) \ do { \ @@ -126,6 +124,7 @@ PHP_MSHUTDOWN_FUNCTION(snuffleupagus) { pefree(SNUFFLEUPAGUS_G(config.config_disabled_functions), 1); pefree(SNUFFLEUPAGUS_G(config.config_disabled_functions_ret), 1); pefree(SNUFFLEUPAGUS_G(config.config_disabled_constructs), 1); + pefree(SNUFFLEUPAGUS_G(config.config_cookie), 1); UNREGISTER_INI_ENTRIES(); 
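Review bot: `FREE_HT(config.config_cookie->cookies)` frees the hash table, but the entries it now holds are heap `sp_cookie` structs stored with `zend_hash_add_ptr` (see parse_cookie in sp_config_keywords.c) rather than the empty elements of the old `names` table; unless `SP_INIT_HT` installs a value destructor — its definition is not in this diff — those structs are never freed at module shutdown. Either give this table a destructor that does `pefree(ptr, 1)`, or add a short `zend_hash_apply` that frees each value before `FREE_HT`. Both PHP_GINIT_FUNCTION and PHP_MSHUTDOWN_FUNCTION extend beyond these hunks.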
@@ -137,9 +136,9 @@ PHP_RINIT_FUNCTION(snuffleupagus) { ZEND_TSRMLS_CACHE_UPDATE(); #endif if (NULL != SNUFFLEUPAGUS_G(config).config_snuffleupagus->encryption_key) { - if (NULL != SNUFFLEUPAGUS_G(config).config_cookie_encryption->names) { + if (NULL != SNUFFLEUPAGUS_G(config).config_cookie->cookies) { zend_hash_apply_with_arguments( - Z_ARRVAL(PG(http_globals)[TRACK_VARS_COOKIE]), decrypt_cookie, 0); + Z_ARRVAL(PG(http_globals)[TRACK_VARS_COOKIE]), decrypt_cookie, 0); } } return SUCCESS; @@ -190,8 +189,8 @@ static PHP_INI_MH(OnUpdateConfiguration) { if (SNUFFLEUPAGUS_G(config).config_unserialize->enable) { hook_serialize(); } - hook_cookies(); } + hook_cookies(); if (true == SNUFFLEUPAGUS_G(config).config_global_strict->enable) { if (!zend_get_extension(PHP_SNUFFLEUPAGUS_EXTNAME)) { diff --git a/src/sp_config.c b/src/sp_config.c index 13002cc..2432cc4 100644 --- a/src/sp_config.c +++ b/src/sp_config.c @@ -15,7 +15,7 @@ sp_config_tokens const sp_func[] = { {.func = parse_readonly_exec, .token = SP_TOKEN_READONLY_EXEC}, {.func = parse_global_strict, .token = SP_TOKEN_GLOBAL_STRICT}, {.func = parse_upload_validation, .token = SP_TOKEN_UPLOAD_VALIDATION}, - {.func = parse_cookie_encryption, .token = SP_TOKEN_COOKIE_ENCRYPTION}, + {.func = parse_cookie, .token = SP_TOKEN_COOKIE_ENCRYPTION}, {.func = parse_global, .token = SP_TOKEN_GLOBAL}, {.func = parse_auto_cookie_secure, .token = SP_TOKEN_AUTO_COOKIE_SECURE}, {.func = parse_disable_xxe, .token = SP_TOKEN_DISABLE_XXE}, diff --git a/src/sp_config.h b/src/sp_config.h index e14e30b..12f12e8 100644 --- a/src/sp_config.h +++ b/src/sp_config.h @@ -55,7 +55,12 @@ typedef struct { bool enable; } sp_config_auto_cookie_secure; typedef struct { bool enable; } sp_config_disable_xxe; -typedef struct { HashTable *names; } sp_config_cookie_encryption; +enum samesite_type {strict=1, lax=2}; + +typedef struct { + enum samesite_type samesite; + bool encrypt; +} sp_cookie; typedef struct { bool enable; 
@@ -104,6 +109,10 @@ typedef struct { sp_node_t *disabled_functions; // list of sp_disabled_function } sp_config_disabled_functions; +typedef struct { + HashTable *cookies; // HashTable of sp_cookie +} sp_config_cookie; + typedef struct { sp_node_t *construct_include; // list of rules for `(include|require)_(once)?` sp_node_t *construct_echo; @@ -122,7 +131,7 @@ typedef struct { sp_config_disabled_functions *config_disabled_functions_ret; sp_config_readonly_exec *config_readonly_exec; sp_config_upload_validation *config_upload_validation; - sp_config_cookie_encryption *config_cookie_encryption; + sp_config_cookie *config_cookie; sp_config_global *config_snuffleupagus; sp_config_auto_cookie_secure *config_auto_cookie_secure; sp_config_global_strict *config_global_strict; @@ -144,7 +153,7 @@ typedef struct { #define SP_TOKEN_BASE "sp" #define SP_TOKEN_AUTO_COOKIE_SECURE ".auto_cookie_secure" -#define SP_TOKEN_COOKIE_ENCRYPTION ".cookie_encryption" +#define SP_TOKEN_COOKIE_ENCRYPTION ".cookie" #define SP_TOKEN_DISABLE_FUNC ".disable_function" #define SP_TOKEN_GLOBAL ".global" #define SP_TOKEN_GLOBAL_STRICT ".global_strict" @@ -187,7 +196,13 @@ typedef struct { #define SP_TOKEN_LINE_NUMBER ".line(" // cookies encryption -#define SP_TOKEN_NAME ".cookie(" +#define SP_TOKEN_NAME ".name(" + +// cookies samesite +#define SP_TOKEN_SAMESITE ".samesite(" +#define SP_TOKEN_ENCRYPT ".encrypt(" +#define SP_TOKEN_SAMESITE_LAX "Lax" +#define SP_TOKEN_SAMESITE_STRICT "Strict" // Global configuration options #define SP_TOKEN_ENCRYPTION_KEY ".secret_key(" diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c index 34b855a..077d78f 100644 --- a/src/sp_config_keywords.c +++ b/src/sp_config_keywords.c 
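Review bot: `enum samesite_type {strict=1, lax=2};` in a shared header puts two unprefixed lowercase identifiers (`strict`, `lax`) into the global namespace, and the "not set" state of the `samesite` field is only the implicit zero left by `pecalloc`, with no enumerator naming it. Explicit, prefixed constants make the tristate visible to readers: `enum sp_samesite_type { SP_SAMESITE_NONE = 0, SP_SAMESITE_STRICT = 1, SP_SAMESITE_LAX = 2 };`. In the same spirit, `SP_TOKEN_COOKIE_ENCRYPTION` now expands to `".cookie"` and covers the samesite rule too, so renaming it `SP_TOKEN_COOKIE` (and the `// cookies encryption` comment above `SP_TOKEN_NAME` to `// cookie rules`) would keep the names honest.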
@@ -105,12 +105,16 @@ int parse_global(char *line) { return parse_keywords(sp_config_funcs_global, line); } -int parse_cookie_encryption(char *line) { +int parse_cookie(char *line) { int ret = 0; - char *name = NULL; + char *samesite = NULL, *name = NULL; + sp_cookie *cookie = pecalloc(sizeof(sp_cookie), 1, 1); + zend_string *zend_name; sp_config_functions sp_config_funcs_cookie_encryption[] = { {parse_str, SP_TOKEN_NAME, &name}, + {parse_str, SP_TOKEN_SAMESITE, &samesite}, + {parse_empty, SP_TOKEN_ENCRYPT, &cookie->encrypt}, {0}}; ret = parse_keywords(sp_config_funcs_cookie_encryption, line); 
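Review bot: `sp_cookie *cookie = pecalloc(sizeof(sp_cookie), 1, 1);` is allocated before `parse_keywords` runs, so the `return ret;` taken on a parse failure (start of the next hunk) leaves the struct unreachable; the argument order also reads as nmemb=sizeof, size=1, which works but inverts the usual `pecalloc(1, sizeof *cookie, 1)`. The struct has to exist before the call because the `.encrypt(` entry writes through `&cookie->encrypt` during parsing, so the simplest fix is `pefree(cookie, 1);` on that early return, or parsing into a local `bool encrypt` and allocating only after validation succeeds. parse_cookie continues in the next hunk.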
@@ -118,25 +122,42 @@ int parse_cookie_encryption(char *line) { return ret; } - if (0 == (SNUFFLEUPAGUS_G(config).config_snuffleupagus->cookies_env_var)) { - sp_log_err("config", "You're trying to use the cookie encryption feature" - "on line %zu without having set the `.cookie_env_var` option in" - "`sp.global`: please set it first.", sp_line_no); - return -1; - } else if (0 == (SNUFFLEUPAGUS_G(config).config_snuffleupagus->encryption_key)) { - sp_log_err("config", "You're trying to use the cookie encryption feature" - "on line %zu without having set the `.encryption_key` option in" - "`sp.global`: please set it first.", sp_line_no); + if (cookie->encrypt) { + if (0 == (SNUFFLEUPAGUS_G(config).config_snuffleupagus->cookies_env_var)) { + sp_log_err("config", "You're trying to use the cookie encryption feature" + "on line %zu without having set the `.cookie_env_var` option in" + "`sp.global`: please set it first.", sp_line_no); + return -1; + } else if (0 == (SNUFFLEUPAGUS_G(config).config_snuffleupagus->encryption_key)) { + sp_log_err("config", "You're trying to use the cookie encryption feature" + "on line %zu without having set the `.encryption_key` option in" + "`sp.global`: please set it first.", sp_line_no); + return -1; + } + } else if (!samesite) { + sp_log_err("config", "You must specify a at least one action to a cookie on line " + "%zu.", sp_line_no); return -1; - } else if (0 == strlen(name)) { - sp_log_err("config", "You must specify a cookie name to encrypt on line " + } + if (0 == strlen(name)) { + sp_log_err("config", "You must specify a cookie name on line " "%zu.", sp_line_no); return -1; } + if (samesite) { + if (0 == strcasecmp(samesite, SP_TOKEN_SAMESITE_LAX)) { + cookie->samesite = lax; + } else if (0 == strcasecmp(samesite, SP_TOKEN_SAMESITE_STRICT)) { + cookie->samesite = strict; + } else { + sp_log_err("config", "%s is an invalid value to samesite (expected %s or %s) on line " + "%zu.", samesite, SP_TOKEN_SAMESITE_LAX, 
SP_TOKEN_SAMESITE_STRICT, sp_line_no); + return -1; + } + } - zend_hash_str_add_empty_element( - SNUFFLEUPAGUS_G(config).config_cookie_encryption->names, name, - strlen(name)); + zend_name = zend_string_init(name, strlen(name), 1); + zend_hash_add_ptr(SNUFFLEUPAGUS_G(config).config_cookie->cookies, zend_name, cookie); return SUCCESS; } diff --git a/src/sp_config_keywords.h b/src/sp_config_keywords.h index 40fac47..fdea1c5 100644 --- a/src/sp_config_keywords.h +++ b/src/sp_config_keywords.h @@ -7,10 +7,10 @@ int parse_disable_xxe(char *line); int parse_auto_cookie_secure(char *line); int parse_global_strict(char *line); int parse_global(char *line) ; -int parse_cookie_encryption(char *line); +int parse_cookie(char *line); int parse_unserialize(char *line) ; int parse_readonly_exec(char *line); int parse_disabled_functions(char *line) ; int parse_upload_validation(char *line); -#endif // __SP_CONFIG_KEYWORDS_H \ No newline at end of file +#endif // __SP_CONFIG_KEYWORDS_H diff --git a/src/sp_cookie_encryption.c b/src/sp_cookie_encryption.c index 2ebcc96..eb20c52 100644 --- a/src/sp_cookie_encryption.c +++ b/src/sp_cookie_encryption.c @@ -45,12 +45,12 @@ int decrypt_cookie(zval *pDest, int num_args, va_list args, size_t value_len; zend_string *debase64; unsigned char *decrypted; + sp_cookie *cookie = zend_hash_find_ptr(SNUFFLEUPAGUS_G(config).config_cookie->cookies, + hash_key->key); int ret = 0; /* If the cookie isn't in the conf, it shouldn't be encrypted. */ - if (0 == - zend_hash_exists(SNUFFLEUPAGUS_G(config).config_cookie_encryption->names, - hash_key->key)) { + if (!cookie || !cookie->encrypt) { return ZEND_HASH_APPLY_KEEP; } 
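Review bot: `if (0 == strlen(name))` runs without first checking that `name` is non-NULL; if `parse_str` leaves it NULL when a line carries no `.name(` at all (a `sp.cookie.samesite("Lax");` line passes the `!samesite` check above it), config loading dereferences NULL — prefer `if (!name || 0 == strlen(name))`. Every `return -1` in this hunk also leaks the `cookie` struct pecalloc'd at the top of the function, and the result of the final `zend_hash_add_ptr` is unchecked: a cookie name configured twice makes it return NULL, so the second rule is silently dropped and both the struct and `zend_name` leak. The start of parse_cookie is in the previous hunk.
```c
  zend_name = zend_string_init(name, strlen(name), 1);
  if (NULL == zend_hash_add_ptr(SNUFFLEUPAGUS_G(config).config_cookie->cookies, zend_name, cookie)) {
    sp_log_err("config", "The cookie %s is configured more than once (line %zu).", name, sp_line_no);
    zend_string_release(zend_name);
    pefree(cookie, 1);
    return -1;
  }
  return SUCCESS;
```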
@@ -135,11 +135,13 @@ static zend_string *encrypt_data(char *data, unsigned long long data_len) { PHP_FUNCTION(sp_setcookie) { zval params[7] = { 0 }; - zend_string *name = NULL, *value = NULL, *path = NULL, *domain = NULL; + zend_string *name = NULL, *value = NULL, *path = NULL, *domain = NULL, *samesite = NULL; zend_long expires = 0; zend_bool secure = 0, httponly = 0; zval ret_val; + const sp_cookie *cookie_node = NULL; zval func_name; + char *cookie_samesite; // LCOV_EXCL_BR_START @@ -167,17 +169,18 @@ PHP_FUNCTION(sp_setcookie) { } } + cookie_node = + zend_hash_find_ptr(SNUFFLEUPAGUS_G(config).config_cookie->cookies, name); + /* If the cookie's value is encrypted, it won't be usable by * javascript anyway. */ - if (zend_hash_exists(SNUFFLEUPAGUS_G(config).config_cookie_encryption->names, - name) > 0) { + if (cookie_node && cookie_node->encrypt) { httponly = 1; } /* Shall we encrypt the cookie's value? */ - if (zend_hash_exists(SNUFFLEUPAGUS_G(config).config_cookie_encryption->names, - name) > 0 && value) { + if (httponly && value) { zend_string *encrypted_data = encrypt_data(value->val, value->len); ZVAL_STR_COPY(¶ms[1], encrypted_data); zend_string_release(encrypted_data); @@ -188,9 +191,6 @@ PHP_FUNCTION(sp_setcookie) { ZVAL_STRING(&func_name, "setcookie"); ZVAL_STR_COPY(¶ms[0], name); ZVAL_LONG(¶ms[2], expires); - if (path) { - ZVAL_STR_COPY(¶ms[3], path); - } if (domain) { ZVAL_STR_COPY(¶ms[4], domain); } 
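Review bot: `if (httponly && value)` no longer tests whether the cookie is configured for encryption: `httponly` is also the caller-supplied seventh parameter of setcookie, so any application cookie set with httponly=true is now passed through `encrypt_data`, while `decrypt_cookie` (hunk above) only decrypts entries whose rule has `encrypt` set — such cookies come back to the application as opaque ciphertext. Keep the rule itself as the condition, `if (cookie_node && cookie_node->encrypt && value) {`, and let the forced `httponly = 1` remain a consequence of encryption rather than its trigger. sp_setcookie continues in the next hunk.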
@@ -201,6 +201,23 @@ PHP_FUNCTION(sp_setcookie) { ZVAL_LONG(¶ms[6], httponly); } + /* param[3](path) is concatenated to path= and is not filtered, we can inject + the samesite parameter here */ + if (cookie_node && cookie_node->samesite) { + if (!path) { + path = zend_string_init("", 0, 0); + } + cookie_samesite = (cookie_node->samesite == lax) ? SAMESITE_COOKIE_FORMAT SP_TOKEN_SAMESITE_LAX + : SAMESITE_COOKIE_FORMAT SP_TOKEN_SAMESITE_STRICT; + /* Concatenating everything, as is in PHP internals */ + samesite = zend_string_extend(path, ZSTR_LEN(path) + strlen(cookie_samesite) + 1, 0); + memcpy(ZSTR_VAL(samesite) + ZSTR_LEN(path), cookie_samesite, strlen(cookie_samesite) + 1); + ZVAL_STR_COPY(¶ms[3], samesite); + zend_string_release(path); + } else if (path) { + ZVAL_STR_COPY(¶ms[3], path); + } + /* This is the _fun_ part: because PHP is utterly idiotic and nonsensical, the `call_user_function` macro will __discard__ (yes) its first argument (the hashtable), effectively calling functions from `CG(function_table)`. diff --git a/src/sp_cookie_encryption.h b/src/sp_cookie_encryption.h index 9904738..889a89c 100644 --- a/src/sp_cookie_encryption.h +++ b/src/sp_cookie_encryption.h @@ -11,6 +11,8 @@ #include "ext/hash/php_hash_sha.h" #include "ext/standard/base64.h" +#define SAMESITE_COOKIE_FORMAT "; samesite=" + int hook_cookies(); int decrypt_cookie(zval *pDest, int num_args, va_list args, zend_hash_key *hash_key); diff --git a/src/tests/broken_conf_no_cookie_action.phpt b/src/tests/broken_conf_no_cookie_action.phpt new file mode 100644 index 0000000..49be31e --- /dev/null +++ b/src/tests/broken_conf_no_cookie_action.phpt @@ -0,0 +1,9 @@ +--TEST-- +Bad config, invalid action. +--SKIPIF-- + +--INI-- +sp.configuration_file={PWD}/config/broken_conf_cookie_action.ini +--FILE-- +--EXPECT-- +[snuffleupagus][0.0.0.0][config][error] You must specify a at least one action to a cookie on line 1. 
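Review bot: `zend_string_extend(path, …)` takes ownership of `path` — with refcount 1 (always the case for the `zend_string_init("", 0, 0)` fallback) it reallocates the buffer in place, otherwise it drops a reference and allocates a copy — so the `zend_string_release(path)` that follows operates on a freed or already-released string, and when `path` is the caller's argument the argument zval is left pointing at memory that may have moved. `samesite` itself is never released after `ZVAL_STR_COPY`, so the extended string leaks on every call. Build the attribute into a fresh string and hand it to `params[3]` with `ZVAL_STR`, leaving the caller's `path` untouched. The comment relies on `setcookie()` not filtering `;` out of the path; that is a property of the PHP version in use, so if a release validates the path (and offers samesite natively) the cookie would be refused with a warning rather than sent without the attribute — worth a version guard or at least a caveat in the comment. sp_setcookie continues past this hunk.
```c
  /* param[3](path) is concatenated to path= and is not filtered, we can inject
     the samesite parameter here */
  if (cookie_node && cookie_node->samesite) {
    size_t path_len = path ? ZSTR_LEN(path) : 0;
    size_t attr_len;
    cookie_samesite = (cookie_node->samesite == lax) ? SAMESITE_COOKIE_FORMAT SP_TOKEN_SAMESITE_LAX
                                                     : SAMESITE_COOKIE_FORMAT SP_TOKEN_SAMESITE_STRICT;
    attr_len = strlen(cookie_samesite);
    /* Fresh allocation: `path` belongs to the caller and must be neither extended nor released. */
    samesite = zend_string_alloc(path_len + attr_len, 0);
    if (path_len) {
      memcpy(ZSTR_VAL(samesite), ZSTR_VAL(path), path_len);
    }
    memcpy(ZSTR_VAL(samesite) + path_len, cookie_samesite, attr_len + 1);
    ZVAL_STR(&params[3], samesite); /* params[3] now owns the only reference */
  } else if (path) {
    ZVAL_STR_COPY(&params[3], path);
  }
```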
diff --git a/src/tests/broken_conf_no_cookie_name.phpt b/src/tests/broken_conf_no_cookie_name.phpt index feaf6ca..4616f12 100644 --- a/src/tests/broken_conf_no_cookie_name.phpt +++ b/src/tests/broken_conf_no_cookie_name.phpt @@ -6,4 +6,4 @@ Borken configuration - encrypted cookie with no name sp.configuration_file={PWD}/config/config_encrypted_cookies_noname.ini --FILE-- --EXPECT-- -[snuffleupagus][0.0.0.0][config][error] You must specify a cookie name to encrypt on line 2. +[snuffleupagus][0.0.0.0][config][error] You must specify a cookie name on line 2. diff --git a/src/tests/broken_conf_samesite.phpt b/src/tests/broken_conf_samesite.phpt new file mode 100644 index 0000000..26e525c --- /dev/null +++ b/src/tests/broken_conf_samesite.phpt @@ -0,0 +1,9 @@ +--TEST-- +Bad config, invalid samesite type. +--SKIPIF-- + +--INI-- +sp.configuration_file={PWD}/config/broken_conf_cookie_samesite.ini +--FILE-- +--EXPECT-- +[snuffleupagus][0.0.0.0][config][error] nop is an invalid value to samesite (expected Lax or Strict) on line 1. diff --git a/src/tests/broken_conf_weird_keyword.phpt b/src/tests/broken_conf_weird_keyword.phpt index 17de7fe..464800a 100644 --- a/src/tests/broken_conf_weird_keyword.phpt +++ b/src/tests/broken_conf_weird_keyword.phpt @@ -6,4 +6,4 @@ Bad config, unknown keyword sp.configuration_file={PWD}/config/broken_conf_weird_keyword.ini --FILE-- --EXPECT-- -[snuffleupagus][0.0.0.0][config][error] Trailing chars '.not_a_valid_keyword("test");' at the end of '.enable().not_a_valid_keyword("test");' on line 1. \ No newline at end of file +[snuffleupagus][0.0.0.0][config][error] Trailing chars '.not_a_valid_keyword("test");' at the end of '.enable().not_a_valid_keyword("test");' on line 1. diff --git a/src/tests/config/broken_conf_cookie_action.ini b/src/tests/config/broken_conf_cookie_action.ini new file mode 100644 index 0000000..5f07c28 --- /dev/null +++ b/src/tests/config/broken_conf_cookie_action.ini @@ -0,0 +1 @@ +sp.cookie.name("my_cookie_name"); 
diff --git a/src/tests/config/broken_conf_cookie_samesite.ini b/src/tests/config/broken_conf_cookie_samesite.ini new file mode 100644 index 0000000..acc4aa0 --- /dev/null +++ b/src/tests/config/broken_conf_cookie_samesite.ini @@ -0,0 +1 @@ +sp.cookie.name("my_cookie_name").samesite("nop"); diff --git a/src/tests/config/broken_conf_line_empty_string.ini b/src/tests/config/broken_conf_line_empty_string.ini index c130384..dfa5520 100644 --- a/src/tests/config/broken_conf_line_empty_string.ini +++ b/src/tests/config/broken_conf_line_empty_string.ini @@ -1 +1 @@ -sp.cookie_encryption.cookie( +sp.cookie.name( diff --git a/src/tests/config/broken_conf_line_no_closing.ini b/src/tests/config/broken_conf_line_no_closing.ini index 24dc3f0..6a8c922 100644 --- a/src/tests/config/broken_conf_line_no_closing.ini +++ b/src/tests/config/broken_conf_line_no_closing.ini @@ -1 +1 @@ -sp.cookie_encryption.cookie("123" +sp.cookie.name("123" diff --git a/src/tests/config/broken_conf_lots_of_quotes.ini b/src/tests/config/broken_conf_lots_of_quotes.ini index 310bce5..189a10d 100644 --- a/src/tests/config/broken_conf_lots_of_quotes.ini +++ b/src/tests/config/broken_conf_lots_of_quotes.ini @@ -1 +1 @@ -sp.cookie_encryption.cookie("this\"is a weird\"\"\"cookie\"name""); +sp.cookie.name("this\"is a weird\"\"\"cookie\"name""); diff --git a/src/tests/config/broken_conf_wrong_quotes.ini b/src/tests/config/broken_conf_wrong_quotes.ini index 1c13e96..ff41f93 100644 --- a/src/tests/config/broken_conf_wrong_quotes.ini +++ b/src/tests/config/broken_conf_wrong_quotes.ini @@ -1 +1 @@ -sp.cookie_encryption.cookie("\) +sp.cookie.name("\) diff --git a/src/tests/config/config_encrypted_cookies.ini b/src/tests/config/config_encrypted_cookies.ini index 977d27f..4b50440 100644 --- a/src/tests/config/config_encrypted_cookies.ini +++ b/src/tests/config/config_encrypted_cookies.ini 
@@ -1,3 +1,3 @@ sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR"); -sp.cookie_encryption.cookie("super_cookie"); +sp.cookie.name("super_cookie").encrypt(); sp.auto_cookie_secure.enable(); diff --git a/src/tests/config/config_encrypted_cookies_empty_env.ini b/src/tests/config/config_encrypted_cookies_empty_env.ini index ac1f840..8c7c779 100644 --- a/src/tests/config/config_encrypted_cookies_empty_env.ini +++ b/src/tests/config/config_encrypted_cookies_empty_env.ini @@ -1,2 +1,2 @@ sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR"); -sp.cookie_encryption.cookie("super_cookie"); +sp.cookie.name("super_cookie").encrypt(); diff --git a/src/tests/config/config_encrypted_cookies_noname.ini b/src/tests/config/config_encrypted_cookies_noname.ini index 27773e3..048e404 100644 --- a/src/tests/config/config_encrypted_cookies_noname.ini +++ b/src/tests/config/config_encrypted_cookies_noname.ini @@ -1,3 +1,3 @@ sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR"); -sp.cookie_encryption.cookie(""); +sp.cookie.name("").encrypt(); sp.auto_cookie_secure.enable(); diff --git a/src/tests/config/config_samesite_cookies.ini b/src/tests/config/config_samesite_cookies.ini new file mode 100644 index 0000000..9fb5f25 --- /dev/null +++ b/src/tests/config/config_samesite_cookies.ini @@ -0,0 +1,5 @@ +sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR"); +sp.cookie.name("super_cookie").samesite("Lax"); +sp.cookie.name("awful_cookie").samesite("strict").encrypt(); +sp.cookie.name("nice_cookie").samesite("STRICT"); +sp.auto_cookie_secure.enable(); diff --git a/src/tests/config/encrypt_cookies_no_env.ini b/src/tests/config/encrypt_cookies_no_env.ini index 9e1c025..845bd02 100644 --- a/src/tests/config/encrypt_cookies_no_env.ini +++ b/src/tests/config/encrypt_cookies_no_env.ini @@ -1,2 +1,2 @@ sp.global.secret_key("abcdef"); -sp.cookie_encryption.cookie("super_cookie"); +sp.cookie.name("super_cookie").encrypt(); 
diff --git a/src/tests/config/encrypt_cookies_no_key.ini b/src/tests/config/encrypt_cookies_no_key.ini index 1b5cf83..a585e12 100644 --- a/src/tests/config/encrypt_cookies_no_key.ini +++ b/src/tests/config/encrypt_cookies_no_key.ini @@ -1,2 +1,2 @@ sp.global.cookie_env_var("TEST"); -sp.cookie_encryption.cookie("super_cookie"); +sp.cookie.name("super_cookie").encrypt(); diff --git a/src/tests/samesite_cookies.phpt b/src/tests/samesite_cookies.phpt new file mode 100644 index 0000000..70fe10c --- /dev/null +++ b/src/tests/samesite_cookies.phpt @@ -0,0 +1,61 @@ +--TEST-- +Cookie samesite +--SKIPIF-- + +--INI-- +sp.configuration_file={PWD}/config/config_samesite_cookies.ini +--COOKIE-- +super_cookie=if_there_is_no_cookie_here_there_is_no_header_list +--ENV-- +return << count($headers)) +{ + echo "Fewer headers are being sent than expected - aborting"; + return; +} + +do +{ + if (strncmp(current($headers), 'Set-Cookie:', 11) !== 0) + { + continue; + } + + if (current($headers) === current($expected)) + { + $i--; + } + else + { + echo "Header mismatch:\n\tExpected: " + .current($expected) + ."\n\tReceived: ".current($headers)."\n"; + } + + next($expected); +} +while (next($headers) !== FALSE); + +echo ($i === 0) + ? 'OK' + : 'A total of '.$i.' errors found.'; +?> +--EXPECT-- +OK -- cgit v1.3