dont serialize csrf cookie / header (#25121)

taylorotwell · web-flow · commit c0eb9073eb2c · 2018-08-06T21:53:13.000-10:00
diff --git a/src/Illuminate/Cookie/Middleware/EncryptCookies.php b/src/Illuminate/Cookie/Middleware/EncryptCookies.php
@@ -25,6 +25,15 @@ class EncryptCookies
      */
     protected $except = [];
 
+    /**
+     * The cookies that should not be serialized.
+     *
+     * @var array
+     */
+    protected $serialization = [
+        'XSRF-TOKEN' => false,
+    ];
+
     /**
      * Create a new CookieGuard instance.
      *
@@ -73,7 +82,7 @@ protected function decrypt(Request $request)
             }
 
             try {
-                $request->cookies->set($key, $this->decryptCookie($cookie));
+                $request->cookies->set($key, $this->decryptCookie($key, $cookie));
             } catch (DecryptException $e) {
                 $request->cookies->set($key, null);
             }
@@ -85,14 +94,15 @@ protected function decrypt(Request $request)
     /**
      * Decrypt the given cookie and return the value.
      *
+     * @param  string  $name
      * @param  string|array  $cookie
      * @return string|array
      */
-    protected function decryptCookie($cookie)
+    protected function decryptCookie($name, $cookie)
     {
         return is_array($cookie)
                         ? $this->decryptArray($cookie)
-                        : $this->encrypter->decrypt($cookie);
+                        : $this->encrypter->decrypt($cookie, $this->serialization[$name] ?? true);
     }
 
     /**
@@ -107,7 +117,7 @@ protected function decryptArray(array $cookie)
 
         foreach ($cookie as $key => $value) {
             if (is_string($value)) {
-                $decrypted[$key] = $this->encrypter->decrypt($value);
+                $decrypted[$key] = $this->encrypter->decrypt($value, $this->serialization[$key] ?? true);
             }
         }
 
@@ -127,8 +137,10 @@ protected function encrypt(Response $response)
                 continue;
             }
 
+            $serialize = $this->serialization[$cookie->getName()] ?? true;
+
             $response->headers->setCookie($this->duplicate(
-                $cookie, $this->encrypter->encrypt($cookie->getValue())
+                $cookie, $this->encrypter->encrypt($cookie->getValue(), $serialize)
             ));
         }
 
diff --git a/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php b/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php
@@ -138,7 +138,7 @@ protected function getTokenFromRequest($request)
         $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');
 
         if (! $token && $header = $request->header('X-XSRF-TOKEN')) {
-            $token = $this->encrypter->decrypt($header);
+            $token = $this->encrypter->decrypt($header, false);
         }
 
         return $token;

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,15 @@ class EncryptCookies`
`25`	`25`	`*/`
`26`	`26`	`protected $except = [];`
`27`	`27`
	`28`	`+ /**`
	`29`	`+ * The cookies that should not be serialized.`
	`30`	`+ *`
	`31`	`+ * @var array`
	`32`	`+ */`
	`33`	`+ protected $serialization = [`
	`34`	`+ 'XSRF-TOKEN' => false,`
	`35`	`+ ];`
	`36`	`+`
`28`	`37`	`/**`
`29`	`38`	`* Create a new CookieGuard instance.`
`30`	`39`	`*`
`@@ -73,7 +82,7 @@ protected function decrypt(Request $request)`
`73`	`82`	`}`
`74`	`83`
`75`	`84`	`try {`
`76`		`- $request->cookies->set($key, $this->decryptCookie($cookie));`
	`85`	`+ $request->cookies->set($key, $this->decryptCookie($key, $cookie));`
`77`	`86`	`} catch (DecryptException $e) {`
`78`	`87`	`$request->cookies->set($key, null);`
`79`	`88`	`}`
`@@ -85,14 +94,15 @@ protected function decrypt(Request $request)`
`85`	`94`	`/**`
`86`	`95`	`* Decrypt the given cookie and return the value.`
`87`	`96`	`*`
	`97`	`+ * @param string $name`
`88`	`98`	`* @param string\|array $cookie`
`89`	`99`	`* @return string\|array`
`90`	`100`	`*/`
`91`		`- protected function decryptCookie($cookie)`
	`101`	`+ protected function decryptCookie($name, $cookie)`
`92`	`102`	`{`
`93`	`103`	`return is_array($cookie)`
`94`	`104`	`? $this->decryptArray($cookie)`
`95`		`- : $this->encrypter->decrypt($cookie);`
	`105`	`+ : $this->encrypter->decrypt($cookie, $this->serialization[$name] ?? true);`
`96`	`106`	`}`
`97`	`107`
`98`	`108`	`/**`
`@@ -107,7 +117,7 @@ protected function decryptArray(array $cookie)`
`107`	`117`
`108`	`118`	`foreach ($cookie as $key => $value) {`
`109`	`119`	`if (is_string($value)) {`
`110`		`- $decrypted[$key] = $this->encrypter->decrypt($value);`
	`120`	`+ $decrypted[$key] = $this->encrypter->decrypt($value, $this->serialization[$key] ?? true);`
`111`	`121`	`}`
`112`	`122`	`}`
`113`	`123`
`@@ -127,8 +137,10 @@ protected function encrypt(Response $response)`
`127`	`137`	`continue;`
`128`	`138`	`}`
`129`	`139`
	`140`	`+ $serialize = $this->serialization[$cookie->getName()] ?? true;`
	`141`	`+`
`130`	`142`	`$response->headers->setCookie($this->duplicate(`
`131`		`- $cookie, $this->encrypter->encrypt($cookie->getValue())`
	`143`	`+ $cookie, $this->encrypter->encrypt($cookie->getValue(), $serialize)`
`132`	`144`	`));`
`133`	`145`	`}`
`134`	`146`
Original file line number	Diff line number	Diff line change
`@@ -138,7 +138,7 @@ protected function getTokenFromRequest($request)`
`138`	`138`	`$token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');`
`139`	`139`
`140`	`140`	`if (! $token && $header = $request->header('X-XSRF-TOKEN')) {`
`141`		`- $token = $this->encrypter->decrypt($header);`
	`141`	`+ $token = $this->encrypter->decrypt($header, false);`
`142`	`142`	`}`
`143`	`143`
`144`	`144`	`return $token;`