Diffstat (limited to 'includes/Cookie.php')
-rw-r--r--includes/Cookie.php59
1 files changed, 40 insertions, 19 deletions
diff --git a/includes/Cookie.php b/includes/Cookie.php
index ecf4667d..cb041904 100644
--- a/includes/Cookie.php
+++ b/includes/Cookie.php
@@ -43,8 +43,8 @@ class Cookie {
* cookies. Used internally after a request to parse the
* Set-Cookie headers.
*
- * @param string $value the value of the cookie
- * @param array $attr possible key/values:
+ * @param string $value The value of the cookie
+ * @param array $attr Possible key/values:
* expires A date string
* path The path this cookie is used on
* domain Domain this cookie is used on
@@ -85,18 +85,21 @@ class Cookie {
* @todo fixme fails to detect 2-letter top-level domains for single-domain use (probably
* not a big problem in practice, but there are test cases)
*
- * @param string $domain the domain to validate
+ * @param string $domain The domain to validate
* @param string $originDomain (optional) the domain the cookie originates from
- * @return Boolean
+ * @return bool
*/
public static function validateCookieDomain( $domain, $originDomain = null ) {
- // Don't allow a trailing dot
- if ( substr( $domain, -1 ) == '.' ) {
+ $dc = explode( ".", $domain );
+
+ // Don't allow a trailing dot or addresses without a or just a leading dot
+ if ( substr( $domain, -1 ) == '.' ||
+ count( $dc ) <= 1 ||
+ count( $dc ) == 2 && $dc[0] === ''
+ ) {
return false;
}
- $dc = explode( ".", $domain );
-
// Only allow full, valid IP addresses
if ( preg_match( '/^[0-9.]+$/', $domain ) ) {
if ( count( $dc ) != 4 ) {
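Review bot: The new early-return condition in validateCookieDomain mixes `||` and `&&` without grouping, so its last clause reads correctly only if the reader recalls that `&&` binds tighter; in a check that decides whether a cookie domain is accepted I would write it as `( count( $dc ) == 2 && $dc[0] === '' )`. The comment above it is hard to parse, and something like `// Don't allow a trailing dot, a name with no dot at all, or a single label with only a leading dot (e.g. ".com")` would name the three rejected cases. The `count( $dc ) <= 1` clause now rejects every dotless host name, which presumably includes intranet names such as `localhost`; if that is intended it deserves a line in the docblock and a test case. The function body continues outside this hunk.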
@@ -131,8 +134,14 @@ class Cookie {
}
if ( substr( $domain, 0, 1 ) == '.'
- && substr_compare( $originDomain, $domain, -strlen( $domain ),
- strlen( $domain ), true ) != 0 ) {
+ && substr_compare(
+ $originDomain,
+ $domain,
+ -strlen( $domain ),
+ strlen( $domain ),
+ true
+ ) != 0
+ ) {
return false;
}
}
@@ -143,9 +152,9 @@ class Cookie {
/**
* Serialize the cookie jar into a format useful for HTTP Request headers.
*
- * @param string $path the path that will be used. Required.
- * @param string $domain the domain that will be used. Required.
- * @return String
+ * @param string $path The path that will be used. Required.
+ * @param string $domain The domain that will be used. Required.
+ * @return string
*/
public function serializeToHttpRequest( $path, $domain ) {
$ret = '';
@@ -160,15 +169,22 @@ class Cookie {
}
/**
- * @param $domain
+ * @param string $domain
* @return bool
*/
protected function canServeDomain( $domain ) {
if ( $domain == $this->domain
|| ( strlen( $domain ) > strlen( $this->domain )
&& substr( $this->domain, 0, 1 ) == '.'
- && substr_compare( $domain, $this->domain, -strlen( $this->domain ),
- strlen( $this->domain ), true ) == 0 ) ) {
+ && substr_compare(
+ $domain,
+ $this->domain,
+ -strlen( $this->domain ),
+ strlen( $this->domain ),
+ true
+ ) == 0
+ )
+ ) {
return true;
}
@@ -176,7 +192,7 @@ class Cookie {
}
/**
- * @param $path
+ * @param string $path
* @return bool
*/
protected function canServePath( $path ) {
@@ -197,6 +213,9 @@ class CookieJar {
/**
* Set a cookie in the cookie jar. Make sure only one cookie per-name exists.
* @see Cookie::set()
+ * @param string $name
+ * @param string $value
+ * @param array $attr
*/
public function setCookie( $name, $value, $attr ) {
/* cookies: case insensitive, so this should work.
@@ -213,6 +232,8 @@ class CookieJar {
/**
* @see Cookie::serializeToHttpRequest
+ * @param string $path
+ * @param string $domain
* @return string
*/
public function serializeToHttpRequest( $path, $domain ) {
@@ -232,8 +253,8 @@ class CookieJar {
/**
* Parse the content of an Set-Cookie HTTP Response header.
*
- * @param $cookie String
- * @param string $domain cookie's domain
+ * @param string $cookie
+ * @param string $domain Cookie's domain
* @return null
*/
public function parseCookieResponseHeader( $cookie, $domain ) {