
Commit

bug #931 Fix: Only attempt split_cookie extraction if all of the cookies are present (carlobeltrame)

This PR was merged into the 2.x branch.

Discussion
----------

Fix: Only attempt split_cookie extraction if all of the cookies are present

Fixes #930

As explained in #930, this isn't a breaking change, because setups with partial cookies couldn't have made sense for anyone before. Some examples:
* **2 cookies `jwt_hp` and `jwt_s`, first one missing**: Will result in `.eySignature`, which is not a valid JWT token (note the leading period)
* **2 cookies `jwt_hp` and `jwt_s`, second one missing**: Will result in `eyHeader.eyPayload.` which is not a valid JWT token (note the trailing period)
* **2 cookies `jwt_complete` and `optional_suffix`, second one missing**: Will result in `eyHeader.eyPayload.eySignature.` which is not a valid JWT token (note the trailing period)
* **3 cookies `jwt_h`, `jwt_p` and `jwt_s`, middle one missing**: Will result in `eyHeader..eySignature` which is not a valid JWT token (note the two consecutive periods)

So up until now, there is no way someone was successfully using the SplitCookieExtractor with only some of the cookies present.
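To make the four shapes listed above concrete, here is an added illustration (not the bundle's code) of a split-cookie extractor with the pre-fix check ("bail out only when no cookie is present") and the fixed check ("every configured cookie must be present") side by side. Cookie names are those from the description; the values are constructed, and `isCompactJwsShape()` is a hypothetical three-segment shape check, not signature verification.

```php
<?php
declare(strict_types=1);

// Added illustration, not the bundle's code. Each configured cookie holds one or
// more dot-separated JWT segments; the token is rebuilt by joining them with '.'.
function extractSplitCookieToken(array $cookieNames, array $cookies, bool $requireAllCookies): string|false
{
    $parts = [];
    foreach ($cookieNames as $name) {
        $parts[] = $cookies[$name] ?? false;   // missing cookie -> false sentinel
    }
    // Explicit callback: unlike bare array_filter(), a value of '0' is kept.
    $present = array_filter($parts, static fn ($v): bool => false !== $v && '' !== $v);

    if ($requireAllCookies) {
        // Fixed behaviour: a partial cookie set can never form a valid token.
        if (count($cookieNames) !== count($present)) {
            return false;
        }
    } elseif ([] === $present) {
        // Pre-fix behaviour: only a completely empty set was rejected.
        return false;
    }

    // implode() renders false as '', which yields the stray periods described above.
    return implode('.', $parts);
}

// Hypothetical shape check only: three non-empty base64url segments.
function isCompactJwsShape(string $token): bool
{
    return 1 === preg_match('~^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$~', $token);
}

// Constructed cases mirroring the PR description, plus the fully present case.
$cases = [
    'first of two missing'    => [['jwt_hp', 'jwt_s'], ['jwt_s' => 'eySignature']],
    'second of two missing'   => [['jwt_hp', 'jwt_s'], ['jwt_hp' => 'eyHeader.eyPayload']],
    'optional suffix missing' => [['jwt_complete', 'optional_suffix'], ['jwt_complete' => 'eyHeader.eyPayload.eySignature']],
    'middle of three missing' => [['jwt_h', 'jwt_p', 'jwt_s'], ['jwt_h' => 'eyHeader', 'jwt_s' => 'eySignature']],
    'all present'             => [['jwt_hp', 'jwt_s'], ['jwt_hp' => 'eyHeader.eyPayload', 'jwt_s' => 'eySignature']],
];

foreach ($cases as $label => [$names, $bag]) {
    $before = extractSplitCookieToken($names, $bag, false);
    $after  = extractSplitCookieToken($names, $bag, true);
    printf("%-24s before: %-36s valid shape: %-3s after: %s\n", $label,
        var_export($before, true), isCompactJwsShape((string) $before) ? 'yes' : 'no', var_export($after, true));
}
```

Run with `php` 8.0 or later; every partial case prints a malformed "before" token with `valid shape: no` and `after: false`, while the fully present case returns the same token under both checks.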

Commits
-------

8231f42 Only attempt extraction if all of the cookies are present
chalasr committed Oct 24, 2021
2 parents fa08500 + 8231f42 commit 7b79a11
Showing 2 changed files with 5 additions and 1 deletion.
4 changes: 4 additions & 0 deletions Tests/TokenExtractor/SplitCookieTokenExtractorTest.php
@@ -20,6 +20,10 @@ public function testGetTokenRequest()
$request = new Request();
$this->assertFalse($extractor->extract($request));

$request = new Request();
$request->cookies->add(['jwt_s' => 'testsignature']);
$this->assertFalse($extractor->extract($request));

$request = new Request();
$request->cookies->add(['jwt_hp' => 'testheader.testpayload']);
$request->cookies->add(['jwt_s' => 'testsignature']);
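Review bot: the new block that adds only `'jwt_s' => 'testsignature'` exercises just one partial shape (first cookie missing); the description also lists a missing second cookie and a missing middle cookie in a three-cookie setup, and neither is asserted here. Suggest a sibling block that adds only `'jwt_hp' => 'testheader.testpayload'` and asserts `extract()` returns false, so the count comparison in the extractor is checked from both sides rather than only against the trailing cookie.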
2 changes: 1 addition & 1 deletion TokenExtractor/SplitCookieExtractor.php
@@ -35,7 +35,7 @@ public function extract(Request $request)
$jwtCookies[] = $request->cookies->get($cookie, false);
}

if (empty(array_filter($jwtCookies))) {
if (count($this->cookies) !== count(array_filter($jwtCookies))) {
return false;
}
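Review bot: `array_filter($jwtCookies)` with no callback discards every falsy value, so a cookie whose value is the string `'0'` is counted as absent and the new `count()` comparison returns false for it. That is harmless for JWT segments, but since the missing-cookie sentinel is the `false` default from `$request->cookies->get($cookie, false)`, an explicit callback such as `array_filter($jwtCookies, static fn ($v) => false !== $v && '' !== $v)` states the intent directly. A one-line comment above the condition saying that a partial cookie set is rejected because the joined value could never be a well-formed token would also help the next reader, since the old `empty()` check looked deliberate.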

