search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Localisation updates for core and extension messages from translatewiki.net (2011...
[mediawiki.git] / includes / Cookie.php
blob10d95a7883a5a5fec6ff0a49002e04cec66ce7a8
1 <?php
2 /**
3 * @defgroup HTTP HTTP
4 */
5
6 class Cookie {
7 protected $name;
8 protected $value;
9 protected $expires;
10 protected $path;
11 protected $domain;
12 protected $isSessionKey = true;
13 // TO IMPLEMENT protected $secure
14 // TO IMPLEMENT? protected $maxAge (add onto expires)
15 // TO IMPLEMENT? protected $version
16 // TO IMPLEMENT? protected $comment
17
18 function __construct( $name, $value, $attr ) {
19 $this->name = $name;
20 $this->set( $value, $attr );
21 }
22
23 /**
24 * Sets a cookie. Used before a request to set up any individual
25 * cookies. Used internally after a request to parse the
26 * Set-Cookie headers.
27 *
28 * @param $value String: the value of the cookie
29 * @param $attr Array: possible key/values:
30 * expires A date string
31 * path The path this cookie is used on
32 * domain Domain this cookie is used on
33 */
34 public function set( $value, $attr ) {
35 $this->value = $value;
36
37 if ( isset( $attr['expires'] ) ) {
38 $this->isSessionKey = false;
39 $this->expires = strtotime( $attr['expires'] );
40 }
41
42 if ( isset( $attr['path'] ) ) {
43 $this->path = $attr['path'];
44 } else {
45 $this->path = '/';
46 }
47
48 if ( isset( $attr['domain'] ) ) {
49 if ( self::validateCookieDomain( $attr['domain'] ) ) {
50 $this->domain = $attr['domain'];
51 }
52 } else {
53 throw new MWException( 'You must specify a domain.' );
54 }
55 }
56
57 /**
58 * Return the true if the cookie is valid is valid. Otherwise,
59 * false. The uses a method similar to IE cookie security
60 * described here:
61 * http://kuza55.blogspot.com/2008/02/understanding-cookie-security.html
62 * A better method might be to use a blacklist like
63 * http://publicsuffix.org/
64 *
65 * @param $domain String: the domain to validate
66 * @param $originDomain String: (optional) the domain the cookie originates from
67 * @return Boolean
68 */
69 public static function validateCookieDomain( $domain, $originDomain = null ) {
70 // Don't allow a trailing dot
71 if ( substr( $domain, -1 ) == '.' ) {
72 return false;
73 }
74
75 $dc = explode( ".", $domain );
76
77 // Only allow full, valid IP addresses
78 if ( preg_match( '/^[0-9.]+$/', $domain ) ) {
79 if ( count( $dc ) != 4 ) {
80 return false;
81 }
82
83 if ( ip2long( $domain ) === false ) {
84 return false;
85 }
86
87 if ( $originDomain == null || $originDomain == $domain ) {
88 return true;
89 }
90
91 }
92
93 // Don't allow cookies for "co.uk" or "gov.uk", etc, but allow "supermarket.uk"
94 if ( strrpos( $domain, "." ) - strlen( $domain ) == -3 ) {
95 if ( ( count( $dc ) == 2 && strlen( $dc[0] ) <= 2 )
96 || ( count( $dc ) == 3 && strlen( $dc[0] ) == "" && strlen( $dc[1] ) <= 2 ) ) {
97 return false;
98 }
99 if ( ( count( $dc ) == 2 || ( count( $dc ) == 3 && $dc[0] == '' ) )
100 && preg_match( '/(com|net|org|gov|edu)\...$/', $domain ) ) {
101 return false;
102 }
103 }
104
105 if ( $originDomain != null ) {
106 if ( substr( $domain, 0, 1 ) != '.' && $domain != $originDomain ) {
107 return false;
108 }
109
110 if ( substr( $domain, 0, 1 ) == '.'
111 && substr_compare( $originDomain, $domain, -strlen( $domain ),
112 strlen( $domain ), true ) != 0 ) {
113 return false;
114 }
115 }
116
117 return true;
118 }
119
120 /**
121 * Serialize the cookie jar into a format useful for HTTP Request headers.
122 *
123 * @param $path String: the path that will be used. Required.
124 * @param $domain String: the domain that will be used. Required.
125 * @return String
126 */
127 public function serializeToHttpRequest( $path, $domain ) {
128 $ret = '';
129
130 if ( $this->canServeDomain( $domain )
131 && $this->canServePath( $path )
132 && $this->isUnExpired() ) {
133 $ret = $this->name . '=' . $this->value;
134 }
135
136 return $ret;
137 }
138
139 protected function canServeDomain( $domain ) {
140 if ( $domain == $this->domain
141 || ( strlen( $domain ) > strlen( $this->domain )
142 && substr( $this->domain, 0, 1 ) == '.'
143 && substr_compare( $domain, $this->domain, -strlen( $this->domain ),
144 strlen( $this->domain ), true ) == 0 ) ) {
145 return true;
146 }
147
148 return false;
149 }
150
151 protected function canServePath( $path ) {
152 if ( $this->path && substr_compare( $this->path, $path, 0, strlen( $this->path ) ) == 0 ) {
153 return true;
154 }
155
156 return false;
157 }
158
159 protected function isUnExpired() {
160 if ( $this->isSessionKey || $this->expires > time() ) {
161 return true;
162 }
163
164 return false;
165 }
166 }
167
168 class CookieJar {
169 private $cookie = array();
170
171 /**
172 * Set a cookie in the cookie jar. Make sure only one cookie per-name exists.
173 * @see Cookie::set()
174 */
175 public function setCookie ( $name, $value, $attr ) {
176 /* cookies: case insensitive, so this should work.
177 * We'll still send the cookies back in the same case we got them, though.
178 */
179 $index = strtoupper( $name );
180
181 if ( isset( $this->cookie[$index] ) ) {
182 $this->cookie[$index]->set( $value, $attr );
183 } else {
184 $this->cookie[$index] = new Cookie( $name, $value, $attr );
185 }
186 }
187
188 /**
189 * @see Cookie::serializeToHttpRequest
190 */
191 public function serializeToHttpRequest( $path, $domain ) {
192 $cookies = array();
193
194 foreach ( $this->cookie as $c ) {
195 $serialized = $c->serializeToHttpRequest( $path, $domain );
196
197 if ( $serialized ) {
198 $cookies[] = $serialized;
199 }
200 }
201
202 return implode( '; ', $cookies );
203 }
204
205 /**
206 * Parse the content of an Set-Cookie HTTP Response header.
207 *
208 * @param $cookie String
209 * @param $domain String: cookie's domain
210 */
211 public function parseCookieResponseHeader ( $cookie, $domain ) {
212 $len = strlen( 'Set-Cookie:' );
213
214 if ( substr_compare( 'Set-Cookie:', $cookie, 0, $len, true ) === 0 ) {
215 $cookie = substr( $cookie, $len );
216 }
217
218 $bit = array_map( 'trim', explode( ';', $cookie ) );
219
220 if ( count( $bit ) >= 1 ) {
221 list( $name, $value ) = explode( '=', array_shift( $bit ), 2 );
222 $attr = array();
223
224 foreach ( $bit as $piece ) {
225 $parts = explode( '=', $piece );
226 if ( count( $parts ) > 1 ) {
227 $attr[strtolower( $parts[0] )] = $parts[1];
228 } else {
229 $attr[strtolower( $parts[0] )] = true;
230 }
231 }
232
233 if ( !isset( $attr['domain'] ) ) {
234 $attr['domain'] = $domain;
235 } elseif ( !Cookie::validateCookieDomain( $attr['domain'], $domain ) ) {
236 return null;
237 }
238
239 $this->setCookie( $name, $value, $attr );
240 }
241 }
242 }
MediaWiki Core