
fixed case sensitivity for SameSite directive
wilcol authored and weierophinney committed Dec 30, 2019
1 parent faacf47 commit 84d4615
Showing 3 changed files with 64 additions and 12 deletions.
2 changes: 1 addition & 1 deletion CHANGELOG.md
Expand Up @@ -22,7 +22,7 @@ All notable changes to this project will be documented in this file, in reverse

### Fixed

- Nothing.
- fixes case sensitivity for SameSite directive.

## 2.11.1 - 2019-12-04

24 changes: 13 additions & 11 deletions src/Header/SetCookie.php
Expand Up @@ -251,15 +251,15 @@ public function __construct(
$this->type = 'Cookie';

$this->setName($name)
->setValue($value)
->setVersion($version)
->setMaxAge($maxAge)
->setDomain($domain)
->setExpires($expires)
->setPath($path)
->setSecure($secure)
->setHttpOnly($httponly)
->setSameSite($sameSite);
->setValue($value)
->setVersion($version)
->setMaxAge($maxAge)
->setDomain($domain)
->setExpires($expires)
->setPath($path)
->setSecure($secure)
->setHttpOnly($httponly)
->setSameSite($sameSite);
}

/**
Expand Down Expand Up @@ -337,7 +337,8 @@ public function getFieldValue()
}

$sameSite = $this->getSameSite();
if ($sameSite !== null && in_array($sameSite, self::SAME_SITE_ALLOWED_VALUES, true)) {
if ($sameSite !== null
&& in_array(strtolower($sameSite), array_map('strtolower', self::SAME_SITE_ALLOWED_VALUES), true)) {
$fieldValue .= '; SameSite=' . $sameSite;
}

Expand Down Expand Up @@ -618,7 +619,8 @@ public function getSameSite()
*/
public function setSameSite($sameSite)
{
if ($sameSite !== null && ! in_array($sameSite, self::SAME_SITE_ALLOWED_VALUES, true)) {
if ($sameSite !== null
&& ! in_array(strtolower($sameSite), array_map('strtolower', self::SAME_SITE_ALLOWED_VALUES), true)) {
throw new Exception\InvalidArgumentException(sprintf(
'Invalid value provided for SameSite directive: "%s"; expected one of: Strict, Lax or None',
is_scalar($sameSite) ? $sameSite : gettype($sameSite)
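Review bot: The new condition in setSameSite calls `strtolower($sameSite)` before the argument's type is established, yet the message built right below it (`is_scalar($sameSite) ? $sameSite : gettype($sameSite)`) shows non-scalar input is expected; for an array or object that call emits a warning on PHP 7 and, as far as I can tell, throws a TypeError on PHP 8, so the intended InvalidArgumentException is no longer what the caller sees. A type guard ahead of the comparison keeps the contract: `if ($sameSite !== null && (! is_string($sameSite) || ! in_array(strtolower($sameSite), array_map('strtolower', self::SAME_SITE_ALLOWED_VALUES), true))) {`. The same lowercased-allowed-values comparison is duplicated in getFieldValue (the hunk at -337); a small private helper such as `isValidSameSite(string $value): bool` would keep the two in step. Note also that the accepted value is stored as given, so `getSameSite()` is no longer `===`-comparable with the `SAME_SITE_*` constants for inputs like `'strict'`; canonicalising to the matching allowed value on set would avoid surprising downstream comparisons. setSameSite's body continues past the end of the hunk.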
50 changes: 50 additions & 0 deletions test/Header/SetCookieTest.php
Expand Up @@ -69,6 +69,32 @@ public function testSetCookieConstructorWithSameSite()
$this->assertEquals('Strict', $setCookieHeader->getSameSite());
}

public function testSetCookieConstructorWithSameSiteCaseInsensitive()
{
$setCookieHeader = new SetCookie(
'myname',
'myvalue',
'Wed, 13-Jan-2021 22:23:01 GMT',
'/accounts',
'docs.foo.com',
true,
true,
99,
9,
strtolower(SetCookie::SAME_SITE_STRICT)
);
$this->assertEquals('myname', $setCookieHeader->getName());
$this->assertEquals('myvalue', $setCookieHeader->getValue());
$this->assertEquals('Wed, 13-Jan-2021 22:23:01 GMT', $setCookieHeader->getExpires());
$this->assertEquals('/accounts', $setCookieHeader->getPath());
$this->assertEquals('docs.foo.com', $setCookieHeader->getDomain());
$this->assertTrue($setCookieHeader->isSecure());
$this->assertTrue($setCookieHeader->isHttpOnly());
$this->assertEquals(99, $setCookieHeader->getMaxAge());
$this->assertEquals(9, $setCookieHeader->getVersion());
$this->assertEquals(strtolower(SetCookie::SAME_SITE_STRICT), $setCookieHeader->getSameSite());
}

public function testSetCookieWithInvalidSameSiteValueThrowException()
{
$this->expectException(InvalidArgumentException::class);
Expand Down Expand Up @@ -161,6 +187,30 @@ public function testSetCookieFromStringCanCreateSingleHeader()
$this->assertTrue($setCookieHeader->isSecure());
$this->assertTrue($setCookieHeader->isHttponly());
$this->assertEquals(setCookie::SAME_SITE_STRICT, $setCookieHeader->getSameSite());
$this->assertEquals(
'myname=myvalue; Expires=Wed, 13-Jan-2021 22:23:01 GMT; Domain=docs.foo.com; '
. 'Path=/accounts; Secure; HttpOnly; SameSite=Strict',
$setCookieHeader->getFieldValue()
);

$setCookieHeader = SetCookie::fromString(
'set-cookie: myname=myvalue; Domain=docs.foo.com; Path=/accounts;'
. 'Expires=Wed, 13-Jan-2021 22:23:01 GMT; Secure; HttpOnly; SameSite=strict'
);
$this->assertInstanceOf(MultipleHeaderInterface::class, $setCookieHeader);
$this->assertEquals('myname', $setCookieHeader->getName());
$this->assertEquals('myvalue', $setCookieHeader->getValue());
$this->assertEquals('docs.foo.com', $setCookieHeader->getDomain());
$this->assertEquals('/accounts', $setCookieHeader->getPath());
$this->assertEquals('Wed, 13-Jan-2021 22:23:01 GMT', $setCookieHeader->getExpires());
$this->assertTrue($setCookieHeader->isSecure());
$this->assertTrue($setCookieHeader->isHttponly());
$this->assertEquals(strtolower(setCookie::SAME_SITE_STRICT), $setCookieHeader->getSameSite());
$this->assertEquals(
'myname=myvalue; Expires=Wed, 13-Jan-2021 22:23:01 GMT; Domain=docs.foo.com; '
. 'Path=/accounts; Secure; HttpOnly; SameSite=strict',
$setCookieHeader->getFieldValue()
);
}

public function testSetCookieFromStringCanCreateMultipleHeaders()
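Review bot: The new assertion in testSetCookieFromStringCanCreateSingleHeader references the class as `setCookie::SAME_SITE_STRICT`; PHP resolves class names case-insensitively, but it is inconsistent with `SetCookie::SAME_SITE_STRICT` used in the new constructor test above and trips up IDE navigation and static analysis, so `$this->assertEquals(strtolower(SetCookie::SAME_SITE_STRICT), $setCookieHeader->getSameSite());` is preferable. The same assertion also pins that the emitted field value preserves the caller's casing (`SameSite=strict`); if the header is later canonicalised to the documented `Strict` / `Lax` / `None` spelling, this is the assertion that will need revisiting, and a short comment saying the lowercase output is deliberate would make that intent explicit.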
