1<?php
2/**
3 * Cookie storage object
4 *
5 * @package Requests\Cookies
6 */
7
8namespace WpOrg\Requests;
9
10use WpOrg\Requests\Exception\InvalidArgument;
11use WpOrg\Requests\Iri;
12use WpOrg\Requests\Response\Headers;
13use WpOrg\Requests\Utility\CaseInsensitiveDictionary;
14use WpOrg\Requests\Utility\InputValidator;
15
16/**
17 * Cookie storage object
18 *
19 * @package Requests\Cookies
20 */
21class Cookie {
22 /**
23 * Cookie name.
24 *
25 * @var string
26 */
27 public $name;
28
29 /**
30 * Cookie value.
31 *
32 * @var string
33 */
34 public $value;
35
36 /**
37 * Cookie attributes
38 *
39 * Valid keys are `'path'`, `'domain'`, `'expires'`, `'max-age'`, `'secure'` and
40 * `'httponly'`.
41 *
42 * @var \WpOrg\Requests\Utility\CaseInsensitiveDictionary|array Array-like object
43 */
44 public $attributes = [];
45
46 /**
47 * Cookie flags
48 *
49 * Valid keys are `'creation'`, `'last-access'`, `'persistent'` and `'host-only'`.
50 *
51 * @var array
52 */
53 public $flags = [];
54
55 /**
56 * Reference time for relative calculations
57 *
58 * This is used in place of `time()` when calculating Max-Age expiration and
59 * checking time validity.
60 *
61 * @var int
62 */
63 public $reference_time = 0;
64
65 /**
66 * Create a new cookie object
67 *
68 * @param string $name The name of the cookie.
69 * @param string $value The value for the cookie.
70 * @param array|\WpOrg\Requests\Utility\CaseInsensitiveDictionary $attributes Associative array of attribute data
71 * @param array $flags The flags for the cookie.
72 * Valid keys are `'creation'`, `'last-access'`,
73 * `'persistent'` and `'host-only'`.
74 * @param int|null $reference_time Reference time for relative calculations.
75 *
76 * @throws \WpOrg\Requests\Exception\InvalidArgument When the passed $name argument is not a string.
77 * @throws \WpOrg\Requests\Exception\InvalidArgument When the passed $value argument is not a string.
78 * @throws \WpOrg\Requests\Exception\InvalidArgument When the passed $attributes argument is not an array or iterable object with array access.
79 * @throws \WpOrg\Requests\Exception\InvalidArgument When the passed $flags argument is not an array.
80 * @throws \WpOrg\Requests\Exception\InvalidArgument When the passed $reference_time argument is not an integer or null.
81 */
82 public function __construct($name, $value, $attributes = [], $flags = [], $reference_time = null) {
83 if (is_string($name) === false) {
84 throw InvalidArgument::create(1, '$name', 'string', gettype($name));
85 }
86
87 if (is_string($value) === false) {
88 throw InvalidArgument::create(2, '$value', 'string', gettype($value));
89 }
90
91 if (InputValidator::has_array_access($attributes) === false || InputValidator::is_iterable($attributes) === false) {
92 throw InvalidArgument::create(3, '$attributes', 'array|ArrayAccess&Traversable', gettype($attributes));
93 }
94
95 if (is_array($flags) === false) {
96 throw InvalidArgument::create(4, '$flags', 'array', gettype($flags));
97 }
98
99 if ($reference_time !== null && is_int($reference_time) === false) {
100 throw InvalidArgument::create(5, '$reference_time', 'integer|null', gettype($reference_time));
101 }
102
103 $this->name = $name;
104 $this->value = $value;
105 $this->attributes = $attributes;
106 $default_flags = [
107 'creation' => time(),
108 'last-access' => time(),
109 'persistent' => false,
110 'host-only' => true,
111 ];
112 $this->flags = array_merge($default_flags, $flags);
113
114 $this->reference_time = time();
115 if ($reference_time !== null) {
116 $this->reference_time = $reference_time;
117 }
118
119 $this->normalize();
120 }
121
122 /**
123 * Get the cookie value
124 *
125 * Attributes and other data can be accessed via methods.
126 */
127 public function __toString() {
128 return $this->value;
129 }
130
131 /**
132 * Check if a cookie is expired.
133 *
134 * Checks the age against $this->reference_time to determine if the cookie
135 * is expired.
136 *
137 * @return boolean True if expired, false if time is valid.
138 */
139 public function is_expired() {
140 // RFC6265, s. 4.1.2.2:
141 // If a cookie has both the Max-Age and the Expires attribute, the Max-
142 // Age attribute has precedence and controls the expiration date of the
143 // cookie.
144 if (isset($this->attributes['max-age'])) {
145 $max_age = $this->attributes['max-age'];
146 return $max_age < $this->reference_time;
147 }
148
149 if (isset($this->attributes['expires'])) {
150 $expires = $this->attributes['expires'];
151 return $expires < $this->reference_time;
152 }
153
154 return false;
155 }
156
157 /**
158 * Check if a cookie is valid for a given URI
159 *
160 * @param \WpOrg\Requests\Iri $uri URI to check
161 * @return boolean Whether the cookie is valid for the given URI
162 */
163 public function uri_matches(Iri $uri) {
164 if (!$this->domain_matches($uri->host)) {
165 return false;
166 }
167
168 if (!$this->path_matches($uri->path)) {
169 return false;
170 }
171
172 return empty($this->attributes['secure']) || $uri->scheme === 'https';
173 }
174
175 /**
176 * Check if a cookie is valid for a given domain
177 *
178 * @param string $domain Domain to check
179 * @return boolean Whether the cookie is valid for the given domain
180 */
181 public function domain_matches($domain) {
182 if (is_string($domain) === false) {
183 return false;
184 }
185
186 if (!isset($this->attributes['domain'])) {
187 // Cookies created manually; cookies created by Requests will set
188 // the domain to the requested domain
189 return true;
190 }
191
192 $cookie_domain = $this->attributes['domain'];
193 if ($cookie_domain === $domain) {
194 // The cookie domain and the passed domain are identical.
195 return true;
196 }
197
198 // If the cookie is marked as host-only and we don't have an exact
199 // match, reject the cookie
200 if ($this->flags['host-only'] === true) {
201 return false;
202 }
203
204 if (strlen($domain) <= strlen($cookie_domain)) {
205 // For obvious reasons, the cookie domain cannot be a suffix if the passed domain
206 // is shorter than the cookie domain
207 return false;
208 }
209
210 if (substr($domain, -1 * strlen($cookie_domain)) !== $cookie_domain) {
211 // The cookie domain should be a suffix of the passed domain.
212 return false;
213 }
214
215 $prefix = substr($domain, 0, strlen($domain) - strlen($cookie_domain));
216 if (substr($prefix, -1) !== '.') {
217 // The last character of the passed domain that is not included in the
218 // domain string should be a %x2E (".") character.
219 return false;
220 }
221
222 // The passed domain should be a host name (i.e., not an IP address).
223 return !preg_match('#^(.+\.)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$#', $domain);
224 }
225
226 /**
227 * Check if a cookie is valid for a given path
228 *
229 * From the path-match check in RFC 6265 section 5.1.4
230 *
231 * @param string $request_path Path to check
232 * @return boolean Whether the cookie is valid for the given path
233 */
234 public function path_matches($request_path) {
235 if (empty($request_path)) {
236 // Normalize empty path to root
237 $request_path = '/';
238 }
239
240 if (!isset($this->attributes['path'])) {
241 // Cookies created manually; cookies created by Requests will set
242 // the path to the requested path
243 return true;
244 }
245
246 if (is_scalar($request_path) === false) {
247 return false;
248 }
249
250 $cookie_path = $this->attributes['path'];
251
252 if ($cookie_path === $request_path) {
253 // The cookie-path and the request-path are identical.
254 return true;
255 }
256
257 if (strlen($request_path) > strlen($cookie_path) && substr($request_path, 0, strlen($cookie_path)) === $cookie_path) {
258 if (substr($cookie_path, -1) === '/') {
259 // The cookie-path is a prefix of the request-path, and the last
260 // character of the cookie-path is %x2F ("/").
261 return true;
262 }
263
264 if (substr($request_path, strlen($cookie_path), 1) === '/') {
265 // The cookie-path is a prefix of the request-path, and the
266 // first character of the request-path that is not included in
267 // the cookie-path is a %x2F ("/") character.
268 return true;
269 }
270 }
271
272 return false;
273 }
274
275 /**
276 * Normalize cookie and attributes
277 *
278 * @return boolean Whether the cookie was successfully normalized
279 */
280 public function normalize() {
281 foreach ($this->attributes as $key => $value) {
282 $orig_value = $value;
283
284 if (is_string($key)) {
285 $value = $this->normalize_attribute($key, $value);
286 }
287
288 if ($value === null) {
289 unset($this->attributes[$key]);
290 continue;
291 }
292
293 if ($value !== $orig_value) {
294 $this->attributes[$key] = $value;
295 }
296 }
297
298 return true;
299 }
300
301 /**
302 * Parse an individual cookie attribute
303 *
304 * Handles parsing individual attributes from the cookie values.
305 *
306 * @param string $name Attribute name
307 * @param string|int|bool $value Attribute value (string/integer value, or true if empty/flag)
308 * @return mixed Value if available, or null if the attribute value is invalid (and should be skipped)
309 */
310 protected function normalize_attribute($name, $value) {
311 switch (strtolower($name)) {
312 case 'expires':
313 // Expiration parsing, as per RFC 6265 section 5.2.1
314 if (is_int($value)) {
315 return $value;
316 }
317
318 $expiry_time = strtotime($value);
319 if ($expiry_time === false) {
320 return null;
321 }
322
323 return $expiry_time;
324
325 case 'max-age':
326 // Expiration parsing, as per RFC 6265 section 5.2.2
327 if (is_int($value)) {
328 return $value;
329 }
330
331 // Check that we have a valid age
332 if (!preg_match('/^-?\d+$/', $value)) {
333 return null;
334 }
335
336 $delta_seconds = (int) $value;
337 if ($delta_seconds <= 0) {
338 $expiry_time = 0;
339 } else {
340 $expiry_time = $this->reference_time + $delta_seconds;
341 }
342
343 return $expiry_time;
344
345 case 'domain':
346 // Domains are not required as per RFC 6265 section 5.2.3
347 if (empty($value)) {
348 return null;
349 }
350
351 // Domain normalization, as per RFC 6265 section 5.2.3
352 if ($value[0] === '.') {
353 $value = substr($value, 1);
354 }
355
356 return $value;
357
358 default:
359 return $value;
360 }
361 }
362
363 /**
364 * Format a cookie for a Cookie header
365 *
366 * This is used when sending cookies to a server.
367 *
368 * @return string Cookie formatted for Cookie header
369 */
370 public function format_for_header() {
371 return sprintf('%s=%s', $this->name, $this->value);
372 }
373
374 /**
375 * Format a cookie for a Set-Cookie header
376 *
377 * This is used when sending cookies to clients. This isn't really
378 * applicable to client-side usage, but might be handy for debugging.
379 *
380 * @return string Cookie formatted for Set-Cookie header
381 */
382 public function format_for_set_cookie() {
383 $header_value = $this->format_for_header();
384 if (!empty($this->attributes)) {
385 $parts = [];
386 foreach ($this->attributes as $key => $value) {
387 // Ignore non-associative attributes
388 if (is_numeric($key)) {
389 $parts[] = $value;
390 } else {
391 $parts[] = sprintf('%s=%s', $key, $value);
392 }
393 }
394
395 $header_value .= '; ' . implode('; ', $parts);
396 }
397
398 return $header_value;
399 }
400
401 /**
402 * Parse a cookie string into a cookie object
403 *
404 * Based on Mozilla's parsing code in Firefox and related projects, which
405 * is an intentional deviation from RFC 2109 and RFC 2616. RFC 6265
406 * specifies some of this handling, but not in a thorough manner.
407 *
408 * @param string $cookie_header Cookie header value (from a Set-Cookie header)
409 * @param string $name
410 * @param int|null $reference_time
411 * @return \WpOrg\Requests\Cookie Parsed cookie object
412 *
413 * @throws \WpOrg\Requests\Exception\InvalidArgument When the passed $cookie_header argument is not a string.
414 * @throws \WpOrg\Requests\Exception\InvalidArgument When the passed $name argument is not a string.
415 */
416 public static function parse($cookie_header, $name = '', $reference_time = null) {
417 if (is_string($cookie_header) === false) {
418 throw InvalidArgument::create(1, '$cookie_header', 'string', gettype($cookie_header));
419 }
420
421 if (is_string($name) === false) {
422 throw InvalidArgument::create(2, '$name', 'string', gettype($name));
423 }
424
425 $parts = explode(';', $cookie_header);
426 $kvparts = array_shift($parts);
427
428 if (!empty($name)) {
429 $value = $cookie_header;
430 } elseif (strpos($kvparts, '=') === false) {
431 // Some sites might only have a value without the equals separator.
432 // Deviate from RFC 6265 and pretend it was actually a blank name
433 // (`=foo`)
434 //
435 // https://bugzilla.mozilla.org/show_bug.cgi?id=169091
436 $name = '';
437 $value = $kvparts;
438 } else {
439 list($name, $value) = explode('=', $kvparts, 2);
440 }
441
442 $name = trim($name);
443 $value = trim($value);
444
445 // Attribute keys are handled case-insensitively
446 $attributes = new CaseInsensitiveDictionary();
447
448 if (!empty($parts)) {
449 foreach ($parts as $part) {
450 if (strpos($part, '=') === false) {
451 $part_key = $part;
452 $part_value = true;
453 } else {
454 list($part_key, $part_value) = explode('=', $part, 2);
455 $part_value = trim($part_value);
456 }
457
458 $part_key = trim($part_key);
459 $attributes[$part_key] = $part_value;
460 }
461 }
462
463 return new static($name, $value, $attributes, [], $reference_time);
464 }
465
466 /**
467 * Parse all Set-Cookie headers from request headers
468 *
469 * @param \WpOrg\Requests\Response\Headers $headers Headers to parse from
470 * @param \WpOrg\Requests\Iri|null $origin URI for comparing cookie origins
471 * @param int|null $time Reference time for expiration calculation
472 * @return array
473 *
474 * @throws \WpOrg\Requests\Exception\InvalidArgument When the passed $origin argument is not null or an instance of the Iri class.
475 */
476 public static function parse_from_headers(Headers $headers, $origin = null, $time = null) {
477 $cookie_headers = $headers->getValues('Set-Cookie');
478 if (empty($cookie_headers)) {
479 return [];
480 }
481
482 if ($origin !== null && !($origin instanceof Iri)) {
483 throw InvalidArgument::create(2, '$origin', Iri::class . ' or null', gettype($origin));
484 }
485
486 $cookies = [];
487 foreach ($cookie_headers as $header) {
488 $parsed = self::parse($header, '', $time);
489
490 // Default domain/path attributes
491 if (empty($parsed->attributes['domain']) && !empty($origin)) {
492 $parsed->attributes['domain'] = $origin->host;
493 $parsed->flags['host-only'] = true;
494 } else {
495 $parsed->flags['host-only'] = false;
496 }
497
498 $path_is_valid = (!empty($parsed->attributes['path']) && $parsed->attributes['path'][0] === '/');
499 if (!$path_is_valid && !empty($origin)) {
500 $path = $origin->path;
501
502 // Default path normalization as per RFC 6265 section 5.1.4
503 if (substr($path, 0, 1) !== '/') {
504 // If the uri-path is empty or if the first character of
505 // the uri-path is not a %x2F ("/") character, output
506 // %x2F ("/") and skip the remaining steps.
507 $path = '/';
508 } elseif (substr_count($path, '/') === 1) {
509 // If the uri-path contains no more than one %x2F ("/")
510 // character, output %x2F ("/") and skip the remaining
511 // step.
512 $path = '/';
513 } else {
514 // Output the characters of the uri-path from the first
515 // character up to, but not including, the right-most
516 // %x2F ("/").
517 $path = substr($path, 0, strrpos($path, '/'));
518 }
519
520 $parsed->attributes['path'] = $path;
521 }
522
523 // Reject invalid cookie domains
524 if (!empty($origin) && !$parsed->domain_matches($origin->host)) {
525 continue;
526 }
527
528 $cookies[$parsed->name] = $parsed;
529 }
530
531 return $cookies;
532 }
533}
534