Merge pull request #1322 from laravel/cookie-fixes

fix cookie handling for security release
laravel · Jul 27, 2020 · e5a91ce · e5a91ce
2 parents 38d9ee0 + 4977c82
commit e5a91ce
Show file tree

Hide file tree

Showing 6 changed files with 21 additions and 19 deletions.
diff --git a/composer.json b/composer.json
@@ -18,15 +18,15 @@
         "ext-json": "*",
         "firebase/php-jwt": "^5.0",
         "guzzlehttp/guzzle": "^6.0|^7.0",
-        "illuminate/auth": "^6.0|^7.0",
-        "illuminate/console": "^6.0|^7.0",
-        "illuminate/container": "^6.0|^7.0",
-        "illuminate/contracts": "^6.0|^7.0",
-        "illuminate/cookie": "^6.0|^7.0",
-        "illuminate/database": "^6.0|^7.0",
-        "illuminate/encryption": "^6.0|^7.0",
-        "illuminate/http": "^6.0|^7.0",
-        "illuminate/support": "^6.0|^7.0",
+        "illuminate/auth": "^6.18.30|^7.22.3",
+        "illuminate/console": "^6.18.30|^7.22.3",
+        "illuminate/container": "^6.18.30|^7.22.3",
+        "illuminate/contracts": "^6.18.30|^7.22.3",
+        "illuminate/cookie": "^6.18.30|^7.22.3",
+        "illuminate/database": "^6.18.30|^7.22.3",
+        "illuminate/encryption": "^6.18.30|^7.22.3",
+        "illuminate/http": "^6.18.30|^7.22.3",
+        "illuminate/support": "^6.18.30|^7.22.3",
         "laminas/laminas-diactoros": "^2.2",
         "league/oauth2-server": "^8.1",
         "nyholm/psr7": "^1.0",

diff --git a/src/Guards/TokenGuard.php b/src/Guards/TokenGuard.php
@@ -7,6 +7,7 @@
 use Illuminate\Container\Container;
 use Illuminate\Contracts\Debug\ExceptionHandler;
 use Illuminate\Contracts\Encryption\Encrypter;
+use Illuminate\Cookie\CookieValuePrefix;
 use Illuminate\Cookie\Middleware\EncryptCookies;
 use Illuminate\Http\Request;
 use Laminas\Diactoros\ResponseFactory;
@@ -270,7 +271,7 @@ protected function getTokenViaCookie($request)
     protected function decodeJwtTokenCookie($request)
     {
         return (array) JWT::decode(
-            $this->encrypter->decrypt($request->cookie(Passport::cookie()), Passport::$unserializesCookies),
+            CookieValuePrefix::remove($this->encrypter->decrypt($request->cookie(Passport::cookie()), Passport::$unserializesCookies)),
             $this->encrypter->getKey(),
             ['HS256']
         );
@@ -301,7 +302,7 @@ protected function getTokenFromRequest($request)
         $token = $request->header('X-CSRF-TOKEN');
 
         if (! $token && $header = $request->header('X-XSRF-TOKEN')) {
-            $token = $this->encrypter->decrypt($header, static::serialized());
+            $token = CookieValuePrefix::remove($this->encrypter->decrypt($header, static::serialized()));
         }
 
         return $token;

diff --git a/tests/Unit/AuthorizationControllerTest.php b/tests/Unit/AuthorizationControllerTest.php
@@ -55,7 +55,7 @@ public function test_authorization_view_is_presented()
 
         $client->shouldReceive('skipsAuthorization')->andReturn(false);
 
-        $response->shouldReceive('view')->once()->andReturnUsing(function ($view, $data) use ($authRequest, $client, $user) {
+        $response->shouldReceive('view')->once()->andReturnUsing(function ($view, $data) use ($client, $user) {
             $this->assertEquals('passport::authorize', $view);
             $this->assertEquals($client, $data['client']);
             $this->assertEquals($user, $data['user']);

diff --git a/tests/Unit/AuthorizedAccessTokenControllerTest.php b/tests/Unit/AuthorizedAccessTokenControllerTest.php
@@ -63,7 +63,7 @@ public function test_tokens_can_be_retrieved_for_users()
 
         $this->tokenRepository->shouldReceive('forUser')->andReturn($userTokens);
 
-        $request->setUserResolver(function () use ($token1, $token2) {
+        $request->setUserResolver(function () {
             $user = m::mock();
             $user->shouldReceive('getAuthIdentifier')->andReturn(1);
 

diff --git a/tests/Unit/PersonalAccessTokenControllerTest.php b/tests/Unit/PersonalAccessTokenControllerTest.php
@@ -36,7 +36,7 @@ public function test_tokens_can_be_retrieved_for_users()
         $tokenRepository = m::mock(TokenRepository::class);
         $tokenRepository->shouldReceive('forUser')->andReturn($userTokens);
 
-        $request->setUserResolver(function () use ($token1, $token2) {
+        $request->setUserResolver(function () {
             $user = m::mock();
             $user->shouldReceive('getAuthIdentifier')->andReturn(1);
 

diff --git a/tests/Unit/TokenGuardTest.php b/tests/Unit/TokenGuardTest.php
@@ -6,6 +6,7 @@
 use Firebase\JWT\JWT;
 use Illuminate\Container\Container;
 use Illuminate\Contracts\Debug\ExceptionHandler;
+use Illuminate\Cookie\CookieValuePrefix;
 use Illuminate\Encryption\Encrypter;
 use Illuminate\Http\Request;
 use Laravel\Passport\ClientRepository;
@@ -127,7 +128,7 @@ public function test_users_may_be_retrieved_from_cookies_with_csrf_token_header(
         $request = Request::create('/');
         $request->headers->set('X-CSRF-TOKEN', 'token');
         $request->cookies->set('laravel_token',
-            $encrypter->encrypt(JWT::encode([
+            $encrypter->encrypt(CookieValuePrefix::create('laravel_token', $encrypter->getKey()).JWT::encode([
                 'sub' => 1,
                 'aud' => 1,
                 'csrf' => 'token',
@@ -158,9 +159,9 @@ public function test_users_may_be_retrieved_from_cookies_with_xsrf_token_header(
         $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter);
 
         $request = Request::create('/');
-        $request->headers->set('X-XSRF-TOKEN', $encrypter->encrypt('token', false));
+        $request->headers->set('X-XSRF-TOKEN', $encrypter->encrypt(CookieValuePrefix::create('X-XSRF-TOKEN', $encrypter->getKey()).'token', false));
         $request->cookies->set('laravel_token',
-            $encrypter->encrypt(JWT::encode([
+            $encrypter->encrypt(CookieValuePrefix::create('laravel_token', $encrypter->getKey()).JWT::encode([
                 'sub' => 1,
                 'aud' => 1,
                 'csrf' => 'token',
@@ -298,7 +299,7 @@ public function test_csrf_check_can_be_disabled()
 
         $request = Request::create('/');
         $request->cookies->set('laravel_token',
-            $encrypter->encrypt(JWT::encode([
+            $encrypter->encrypt(CookieValuePrefix::create('laravel_token', $encrypter->getKey()).JWT::encode([
                 'sub' => 1,
                 'aud' => 1,
                 'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
@@ -396,7 +397,7 @@ public function test_clients_may_be_retrieved_from_cookies()
         $request = Request::create('/');
         $request->headers->set('X-CSRF-TOKEN', 'token');
         $request->cookies->set('laravel_token',
-            $encrypter->encrypt(JWT::encode([
+            $encrypter->encrypt(CookieValuePrefix::create('laravel_token', $encrypter->getKey()).JWT::encode([
                 'sub' => 1,
                 'aud' => 1,
                 'csrf' => 'token',