[5.5] Port Cookie prefixing (#33891)

driesvints · web-flow · commit 2c759f287d16 · 2020-08-17T11:38:24.000-05:00
* Port Cookie prefixing * Apply fixes from StyleCI (#33890)
diff --git a/src/Illuminate/Cookie/CookieValuePrefix.php b/src/Illuminate/Cookie/CookieValuePrefix.php
@@ -0,0 +1,50 @@
+<?php
+
+namespace Illuminate\Cookie;
+
+use Illuminate\Support\Str;
+
+class CookieValuePrefix
+{
+    /**
+     * Create a new cookie value prefix for the given cookie name.
+     *
+     * @param  string  $cookieName
+     * @param  string  $key
+     * @return string
+     */
+    public static function create($cookieName, $key)
+    {
+        return hash_hmac('sha1', $cookieName.'v2', $key).'|';
+    }
+
+    /**
+     * Remove the cookie value prefix.
+     *
+     * @param  string  $cookieValue
+     * @return string
+     */
+    public static function remove($cookieValue)
+    {
+        return substr($cookieValue, 41);
+    }
+
+    /**
+     * Verify the provided cookie's value.
+     *
+     * @param  string  $name
+     * @param  string  $value
+     * @param  string  $key
+     * @return string|null
+     */
+    public static function getVerifiedValue($name, $value, $key)
+    {
+        $verifiedValue = null;
+
+        if (Str::startsWith($value, static::create($name, $key))) {
+            $verifiedValue = static::remove($value);
+        }
+
+        return $verifiedValue;
+    }
+}
diff --git a/src/Illuminate/Cookie/Middleware/EncryptCookies.php b/src/Illuminate/Cookie/Middleware/EncryptCookies.php
@@ -3,6 +3,8 @@
 namespace Illuminate\Cookie\Middleware;
 
 use Closure;
+use Illuminate\Support\Facades\Session;
+use Illuminate\Cookie\CookieValuePrefix;
 use Symfony\Component\HttpFoundation\Cookie;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -74,13 +76,21 @@ public function handle($request, Closure $next)
      */
     protected function decrypt(Request $request)
     {
-        foreach ($request->cookies as $key => $c) {
+        foreach ($request->cookies as $key => $cookie) {
             if ($this->isDisabled($key)) {
                 continue;
             }
 
             try {
-                $request->cookies->set($key, $this->decryptCookie($key, $c));
+                $decryptedValue = $this->decryptCookie($key, $cookie);
+
+                $value = CookieValuePrefix::getVerifiedValue($key, $decryptedValue, $this->encrypter->getKey());
+
+                if (empty($value) && $key === config('session.cookie') && Session::isValidId($decryptedValue)) {
+                    $value = $decryptedValue;
+                }
+
+                $request->cookies->set($key, $value);
             } catch (DecryptException $e) {
                 $request->cookies->set($key, null);
             }
@@ -135,8 +145,14 @@ protected function encrypt(Response $response)
                 continue;
             }
 
+            $prefix = '';
+
+            if ($cookie->getName() !== 'XSRF-TOKEN') {
+                $prefix = CookieValuePrefix::create($cookie->getName(), $this->encrypter->getKey());
+            }
+
             $response->headers->setCookie($this->duplicate(
-                $cookie, $this->encrypter->encrypt($cookie->getValue(), static::serialized($cookie->getName()))
+                $cookie, $this->encrypter->encrypt($prefix.$cookie->getValue(), static::serialized($cookie->getName()))
             ));
         }
 
