comparison vendor/guzzlehttp/guzzle/src/Cookie/SetCookie.php @ 13:5fb285c0d0e3
Update Drupal core to 8.4.7 via Composer. Security update; I *think* we've
been lucky to get away with this so far, as we don't support self-registration
which seems to be used by the so-called "drupalgeddon 2" attack that 8.4.5
was vulnerable to.
author | Chris Cannam |
---|---|
date | Mon, 23 Apr 2018 09:33:26 +0100 |
parents | 4c8ae668cc8c |
children |
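--- a/vendor/guzzlehttp/guzzle/src/Cookie/SetCookie.php
+++ b/vendor/guzzlehttp/guzzle/src/Cookie/SetCookie.php
@@ -33,18 +33,17 @@
 {
 // Create the default return array
 $data = self::$defaults;
 // Explode the cookie string using a series of semicolons
 $pieces = array_filter(array_map('trim', explode(';', $cookie)));
-// The name of the cookie (first kvp) must include an equal sign.
-if (empty($pieces) || !strpos($pieces[0], '=')) {
+// The name of the cookie (first kvp) must exist and include an equal sign.
+if (empty($pieces[0]) || !strpos($pieces[0], '=')) {
 return new self($data);
 }
 
 // Add the cookie pieces into the parsed data array
 foreach ($pieces as $part) {
-
 $cookieParts = explode('=', $part, 2);
 $key = trim($cookieParts[0]);
 $value = isset($cookieParts[1])
 ? trim($cookieParts[1], " \n\r\t\0\x0B")
 : true;
@@ -347,21 +346,21 @@
 // http://tools.ietf.org/html/rfc6265#section-5.1.3
 if (filter_var($domain, FILTER_VALIDATE_IP)) {
 return false;
 }
 
-return (bool) preg_match('/\.' . preg_quote($cookieDomain) . '$/', $domain);
+return (bool) preg_match('/\.' . preg_quote($cookieDomain, '/') . '$/', $domain);
 }
 
 /**
 * Check if the cookie is expired
 *
 * @return bool
 */
 public function isExpired()
 {
-return $this->getExpires() && time() > $this->getExpires();
+return $this->getExpires() !== null && time() > $this->getExpires();
 }
 
 /**
 * Check if the cookie is valid according to RFC 6265
 *
@@ -376,12 +375,12 @@
 }
 
 // Check if any of the invalid characters are present in the cookie name
 if (preg_match(
 '/[\x00-\x20\x22\x28-\x29\x2c\x2f\x3a-\x40\x5c\x7b\x7d\x7f]/',
-$name)
-) {
+$name
+)) {
 return 'Cookie name must not contain invalid characters: ASCII '
 . 'Control characters (0-31;127), space, tab and the '
 . 'following characters: ()<>@,;:\"/?={}';
 }
 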