search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge "(bug 18062) new message when edit or create the local page of a shared file"
[mediawiki.git] / includes / Cookie.php
blobb76212ecbf34622d953b6a5f4f32ab99952db172
1 <?php
2 /**
3 * @defgroup HTTP HTTP
4 */
5
6 class Cookie {
7 protected $name;
8 protected $value;
9 protected $expires;
10 protected $path;
11 protected $domain;
12 protected $isSessionKey = true;
13 // TO IMPLEMENT protected $secure
14 // TO IMPLEMENT? protected $maxAge (add onto expires)
15 // TO IMPLEMENT? protected $version
16 // TO IMPLEMENT? protected $comment
17
18 function __construct( $name, $value, $attr ) {
19 $this->name = $name;
20 $this->set( $value, $attr );
21 }
22
23 /**
24 * Sets a cookie. Used before a request to set up any individual
25 * cookies. Used internally after a request to parse the
26 * Set-Cookie headers.
27 *
28 * @param $value String: the value of the cookie
29 * @param $attr Array: possible key/values:
30 * expires A date string
31 * path The path this cookie is used on
32 * domain Domain this cookie is used on
33 */
34 public function set( $value, $attr ) {
35 $this->value = $value;
36
37 if ( isset( $attr['expires'] ) ) {
38 $this->isSessionKey = false;
39 $this->expires = strtotime( $attr['expires'] );
40 }
41
42 if ( isset( $attr['path'] ) ) {
43 $this->path = $attr['path'];
44 } else {
45 $this->path = '/';
46 }
47
48 if ( isset( $attr['domain'] ) ) {
49 if ( self::validateCookieDomain( $attr['domain'] ) ) {
50 $this->domain = $attr['domain'];
51 }
52 } else {
53 throw new MWException( 'You must specify a domain.' );
54 }
55 }
56
57 /**
58 * Return the true if the cookie is valid is valid. Otherwise,
59 * false. The uses a method similar to IE cookie security
60 * described here:
61 * http://kuza55.blogspot.com/2008/02/understanding-cookie-security.html
62 * A better method might be to use a blacklist like
63 * http://publicsuffix.org/
64 *
65 * @fixme fails to detect 3-letter top-level domains
66 * @fixme fails to detect 2-letter top-level domains for single-domain use (probably not a big problem in practice, but there are test cases)
67 *
68 * @param $domain String: the domain to validate
69 * @param $originDomain String: (optional) the domain the cookie originates from
70 * @return Boolean
71 */
72 public static function validateCookieDomain( $domain, $originDomain = null ) {
73 // Don't allow a trailing dot
74 if ( substr( $domain, -1 ) == '.' ) {
75 return false;
76 }
77
78 $dc = explode( ".", $domain );
79
80 // Only allow full, valid IP addresses
81 if ( preg_match( '/^[0-9.]+$/', $domain ) ) {
82 if ( count( $dc ) != 4 ) {
83 return false;
84 }
85
86 if ( ip2long( $domain ) === false ) {
87 return false;
88 }
89
90 if ( $originDomain == null || $originDomain == $domain ) {
91 return true;
92 }
93
94 }
95
96 // Don't allow cookies for "co.uk" or "gov.uk", etc, but allow "supermarket.uk"
97 if ( strrpos( $domain, "." ) - strlen( $domain ) == -3 ) {
98 if ( ( count( $dc ) == 2 && strlen( $dc[0] ) <= 2 )
99 || ( count( $dc ) == 3 && strlen( $dc[0] ) == "" && strlen( $dc[1] ) <= 2 ) ) {
100 return false;
101 }
102 if ( ( count( $dc ) == 2 || ( count( $dc ) == 3 && $dc[0] == '' ) )
103 && preg_match( '/(com|net|org|gov|edu)\...$/', $domain ) ) {
104 return false;
105 }
106 }
107
108 if ( $originDomain != null ) {
109 if ( substr( $domain, 0, 1 ) != '.' && $domain != $originDomain ) {
110 return false;
111 }
112
113 if ( substr( $domain, 0, 1 ) == '.'
114 && substr_compare( $originDomain, $domain, -strlen( $domain ),
115 strlen( $domain ), true ) != 0 ) {
116 return false;
117 }
118 }
119
120 return true;
121 }
122
123 /**
124 * Serialize the cookie jar into a format useful for HTTP Request headers.
125 *
126 * @param $path String: the path that will be used. Required.
127 * @param $domain String: the domain that will be used. Required.
128 * @return String
129 */
130 public function serializeToHttpRequest( $path, $domain ) {
131 $ret = '';
132
133 if ( $this->canServeDomain( $domain )
134 && $this->canServePath( $path )
135 && $this->isUnExpired() ) {
136 $ret = $this->name . '=' . $this->value;
137 }
138
139 return $ret;
140 }
141
142 /**
143 * @param $domain
144 * @return bool
145 */
146 protected function canServeDomain( $domain ) {
147 if ( $domain == $this->domain
148 || ( strlen( $domain ) > strlen( $this->domain )
149 && substr( $this->domain, 0, 1 ) == '.'
150 && substr_compare( $domain, $this->domain, -strlen( $this->domain ),
151 strlen( $this->domain ), true ) == 0 ) ) {
152 return true;
153 }
154
155 return false;
156 }
157
158 /**
159 * @param $path
160 * @return bool
161 */
162 protected function canServePath( $path ) {
163 return ( $this->path && substr_compare( $this->path, $path, 0, strlen( $this->path ) ) == 0 );
164 }
165
166 /**
167 * @return bool
168 */
169 protected function isUnExpired() {
170 return $this->isSessionKey || $this->expires > time();
171 }
172 }
173
174 class CookieJar {
175 private $cookie = array();
176
177 /**
178 * Set a cookie in the cookie jar. Make sure only one cookie per-name exists.
179 * @see Cookie::set()
180 */
181 public function setCookie ( $name, $value, $attr ) {
182 /* cookies: case insensitive, so this should work.
183 * We'll still send the cookies back in the same case we got them, though.
184 */
185 $index = strtoupper( $name );
186
187 if ( isset( $this->cookie[$index] ) ) {
188 $this->cookie[$index]->set( $value, $attr );
189 } else {
190 $this->cookie[$index] = new Cookie( $name, $value, $attr );
191 }
192 }
193
194 /**
195 * @see Cookie::serializeToHttpRequest
196 * @return string
197 */
198 public function serializeToHttpRequest( $path, $domain ) {
199 $cookies = array();
200
201 foreach ( $this->cookie as $c ) {
202 $serialized = $c->serializeToHttpRequest( $path, $domain );
203
204 if ( $serialized ) {
205 $cookies[] = $serialized;
206 }
207 }
208
209 return implode( '; ', $cookies );
210 }
211
212 /**
213 * Parse the content of an Set-Cookie HTTP Response header.
214 *
215 * @param $cookie String
216 * @param $domain String: cookie's domain
217 * @return null
218 */
219 public function parseCookieResponseHeader ( $cookie, $domain ) {
220 $len = strlen( 'Set-Cookie:' );
221
222 if ( substr_compare( 'Set-Cookie:', $cookie, 0, $len, true ) === 0 ) {
223 $cookie = substr( $cookie, $len );
224 }
225
226 $bit = array_map( 'trim', explode( ';', $cookie ) );
227
228 if ( count( $bit ) >= 1 ) {
229 list( $name, $value ) = explode( '=', array_shift( $bit ), 2 );
230 $attr = array();
231
232 foreach ( $bit as $piece ) {
233 $parts = explode( '=', $piece );
234 if ( count( $parts ) > 1 ) {
235 $attr[strtolower( $parts[0] )] = $parts[1];
236 } else {
237 $attr[strtolower( $parts[0] )] = true;
238 }
239 }
240
241 if ( !isset( $attr['domain'] ) ) {
242 $attr['domain'] = $domain;
243 } elseif ( !Cookie::validateCookieDomain( $attr['domain'], $domain ) ) {
244 return null;
245 }
246
247 $this->setCookie( $name, $value, $attr );
248 }
249 }
250 }
MediaWiki Core