From f70bd2eafc2fdac9fa528a3e649db0178c601b41 Mon Sep 17 00:00:00 2001
From: xXx-caillou-xXx
Date: Mon, 18 Dec 2017 16:27:00 +0100
Subject: Fix cookie encryption

Previously, when a cookie was set with the `httpOnly` flag, it was automatically encrypted, due to a logic flaw. This is now fixed and tested.---
 src/sp_cookie_encryption.c                   | 2 +-
 src/tests/config/config_samesite_cookies.ini | 2 +-
 src/tests/samesite_cookies.phpt              | 2 ++
 3 files changed, 4 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/sp_cookie_encryption.c b/src/sp_cookie_encryption.c
index 08be9a6..5189c20 100644
--- a/src/sp_cookie_encryption.c
+++ b/src/sp_cookie_encryption.c
@@ -180,7 +180,7 @@ PHP_FUNCTION(sp_setcookie) {
   }
 
   /* Shall we encrypt the cookie's value? */
-  if (httponly && value) {
+  if (cookie_node && cookie_node->encrypt && value) {
     zend_string *encrypted_data = encrypt_data(value->val, value->len);
     ZVAL_STR_COPY(&params[1], encrypted_data);
     zend_string_release(encrypted_data);
diff --git a/src/tests/config/config_samesite_cookies.ini b/src/tests/config/config_samesite_cookies.ini
index 9fb5f25..1ca498a 100644
--- a/src/tests/config/config_samesite_cookies.ini
+++ b/src/tests/config/config_samesite_cookies.ini
@@ -1,5 +1,5 @@
 sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
 sp.cookie.name("super_cookie").samesite("Lax");
 sp.cookie.name("awful_cookie").samesite("strict").encrypt();
-sp.cookie.name("nice_cookie").samesite("STRICT");
+sp.cookie.name("nice_cookie").samesite("STRICT").encrypt();
 sp.auto_cookie_secure.enable();
diff --git a/src/tests/samesite_cookies.phpt b/src/tests/samesite_cookies.phpt
index 70fe10c..12f3d72 100644
--- a/src/tests/samesite_cookies.phpt
+++ b/src/tests/samesite_cookies.phpt
@@ -16,11 +16,13 @@ EOF;
 <?php
 setcookie("super_cookie", "super_value");
 setcookie("awful_cookie", "awful_value");
+setcookie("not_encrypted", "test_value", 1, "1", "1", false, true);
 setcookie("nice_cookie", "nice_value", 1, "1", "1", true, true);
 
 $expected = array(
     'Set-Cookie: super_cookie=super_value; path=; samesite=Lax',
     'Set-Cookie: awful_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFyZcYjfEskB0AU0V3%2BvwazcRuU%2Ft6KpcUahvxw%3D; path=; samesite=Strict; HttpOnly',
+    'Set-Cookie: not_encrypted=test_value; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=1; domain=1; HttpOnly',
     'Set-Cookie: nice_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJ8ko%2ByA4y%2Bmw5MGBx8fgc3TWOAvhIu%2BfF%2Bx2g%3D%3D; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=1; samesite=Strict; domain=1; secure; HttpOnly',
     );
 
-- 
cgit v1.3