Merge branch '4.4' into 5.4
* 4.4:
  [Security/Http] Remove CSRF tokens from storage on successful login
  [HttpKernel] Remove private headers before storing responses with HttpCache
nicolas-grekas committed Jan 30, 2023
2 parents 441e106 + f7822a7 commit c37b7dd
Showing 2 changed files with 29 additions and 1 deletion.
17 changes: 16 additions & 1 deletion HttpCache/Store.php
Expand Up @@ -29,17 +29,28 @@ class Store implements StoreInterface
private $keyCache;
/** @var array<string, resource> */
private $locks = [];
private $options;

/**
* Constructor.
*
* The available options are:
*
* * private_headers Set of response headers that should not be stored
* when a response is cached. (default: Set-Cookie)
*
* @throws \RuntimeException
*/
public function __construct(string $root)
public function __construct(string $root, array $options = [])
{
$this->root = $root;
if (!is_dir($this->root) && !@mkdir($this->root, 0777, true) && !is_dir($this->root)) {
throw new \RuntimeException(sprintf('Unable to create the store directory (%s).', $this->root));
}
$this->keyCache = new \SplObjectStorage();
$this->options = array_merge([
'private_headers' => ['Set-Cookie'],
], $options);
}

/**
Expand Down Expand Up @@ -216,6 +227,10 @@ public function write(Request $request, Response $response)
$headers = $this->persistResponse($response);
unset($headers['age']);

foreach ($this->options['private_headers'] as $h) {
unset($headers[strtolower($h)]);
}

array_unshift($entries, [$storedEnv, $headers]);

if (!$this->save($key, serialize($entries))) {
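Review bot: The `private_headers` option is consumed at the `foreach` in write() without ever being checked to be an array, so a caller passing `'private_headers' => 'Set-Cookie'` (a string) would only trigger a foreach warning at cache-write time, the loop body would be skipped, and the Set-Cookie header would be stored after all — the silent-failure mode this change is meant to close. Normalise once in the constructor, right after the `array_merge` in the first hunk, with `$this->options['private_headers'] = array_map('strtolower', (array) $this->options['private_headers']);`, and the loop in write() then reduces to `unset($headers[$h]);` with no per-write `strtolower`. The docblock on the constructor could also state that names are matched case-insensitively against the stored (lowercased) header keys, which the current text leaves implicit. write() begins before the second hunk and continues past it.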
13 changes: 13 additions & 0 deletions Tests/HttpCache/StoreTest.php
Expand Up @@ -12,8 +12,10 @@
namespace Symfony\Component\HttpKernel\Tests\HttpCache;

use PHPUnit\Framework\TestCase;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\HttpCache\HttpCache;
use Symfony\Component\HttpKernel\HttpCache\Store;

class StoreTest extends TestCase
Expand Down Expand Up @@ -317,6 +319,17 @@ public function testPurgeHttpAndHttps()
$this->assertEmpty($this->getStoreMetadata($requestHttps));
}

public function testDoesNotStorePrivateHeaders()
{
$request = Request::create('https://example.com/foo');
$response = new Response('foo');
$response->headers->setCookie(Cookie::fromString('foo=bar'));

$this->store->write($request, $response);
$this->assertArrayNotHasKey('set-cookie', $this->getStoreMetadata($request)[0][1]);
$this->assertNotEmpty($response->headers->getCookies());
}

protected function storeSimpleEntry($path = null, $headers = [])
{
if (null === $path) {
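Review bot: testDoesNotStorePrivateHeaders only exercises the default `Set-Cookie` entry, so neither the configurable `private_headers` option nor the case-insensitive match in write() is covered; a regression that dropped the lowercasing or ignored the option would still pass here. A second test that builds a Store against the test's temporary root with `['private_headers' => ['X-Token']]`, sets `X-Token` on the response and asserts `x-token` is absent from `$this->getStoreMetadata($request)[0][1]` would pin both behaviours, and a companion assertion that `set-cookie` is still stored when the option is set to `[]` would confirm the default is not applied unconditionally. How `$this->store` is constructed is in setUp(), outside this hunk, so the new test may need its own Store instance rather than the shared one.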
