Você não pode selecionar mais de 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
 
 
 
 
 

501 linhas
13 KiB

  1. <?php
  2. /**
  3. * Cookie storage object
  4. *
  5. * @package Requests
  6. * @subpackage Cookies
  7. */
  8. /**
  9. * Cookie storage object
  10. *
  11. * @package Requests
  12. * @subpackage Cookies
  13. */
  14. class Requests_Cookie {
  15. /**
  16. * Cookie name.
  17. *
  18. * @var string
  19. */
  20. public $name;
  21. /**
  22. * Cookie value.
  23. *
  24. * @var string
  25. */
  26. public $value;
  27. /**
  28. * Cookie attributes
  29. *
  30. * Valid keys are (currently) path, domain, expires, max-age, secure and
  31. * httponly.
  32. *
  33. * @var Requests_Utility_CaseInsensitiveDictionary|array Array-like object
  34. */
  35. public $attributes = array();
  36. /**
  37. * Cookie flags
  38. *
  39. * Valid keys are (currently) creation, last-access, persistent and
  40. * host-only.
  41. *
  42. * @var array
  43. */
  44. public $flags = array();
  45. /**
  46. * Reference time for relative calculations
  47. *
  48. * This is used in place of `time()` when calculating Max-Age expiration and
  49. * checking time validity.
  50. *
  51. * @var int
  52. */
  53. public $reference_time = 0;
  54. /**
  55. * Create a new cookie object
  56. *
  57. * @param string $name
  58. * @param string $value
  59. * @param array|Requests_Utility_CaseInsensitiveDictionary $attributes Associative array of attribute data
  60. */
  61. public function __construct($name, $value, $attributes = array(), $flags = array(), $reference_time = null) {
  62. $this->name = $name;
  63. $this->value = $value;
  64. $this->attributes = $attributes;
  65. $default_flags = array(
  66. 'creation' => time(),
  67. 'last-access' => time(),
  68. 'persistent' => false,
  69. 'host-only' => true,
  70. );
  71. $this->flags = array_merge($default_flags, $flags);
  72. $this->reference_time = time();
  73. if ($reference_time !== null) {
  74. $this->reference_time = $reference_time;
  75. }
  76. $this->normalize();
  77. }
  78. /**
  79. * Check if a cookie is expired.
  80. *
  81. * Checks the age against $this->reference_time to determine if the cookie
  82. * is expired.
  83. *
  84. * @return boolean True if expired, false if time is valid.
  85. */
  86. public function is_expired() {
  87. // RFC6265, s. 4.1.2.2:
  88. // If a cookie has both the Max-Age and the Expires attribute, the Max-
  89. // Age attribute has precedence and controls the expiration date of the
  90. // cookie.
  91. if (isset($this->attributes['max-age'])) {
  92. $max_age = $this->attributes['max-age'];
  93. return $max_age < $this->reference_time;
  94. }
  95. if (isset($this->attributes['expires'])) {
  96. $expires = $this->attributes['expires'];
  97. return $expires < $this->reference_time;
  98. }
  99. return false;
  100. }
  101. /**
  102. * Check if a cookie is valid for a given URI
  103. *
  104. * @param Requests_IRI $uri URI to check
  105. * @return boolean Whether the cookie is valid for the given URI
  106. */
  107. public function uri_matches(Requests_IRI $uri) {
  108. if (!$this->domain_matches($uri->host)) {
  109. return false;
  110. }
  111. if (!$this->path_matches($uri->path)) {
  112. return false;
  113. }
  114. return empty($this->attributes['secure']) || $uri->scheme === 'https';
  115. }
  116. /**
  117. * Check if a cookie is valid for a given domain
  118. *
  119. * @param string $string Domain to check
  120. * @return boolean Whether the cookie is valid for the given domain
  121. */
  122. public function domain_matches($string) {
  123. if (!isset($this->attributes['domain'])) {
  124. // Cookies created manually; cookies created by Requests will set
  125. // the domain to the requested domain
  126. return true;
  127. }
  128. $domain_string = $this->attributes['domain'];
  129. if ($domain_string === $string) {
  130. // The domain string and the string are identical.
  131. return true;
  132. }
  133. // If the cookie is marked as host-only and we don't have an exact
  134. // match, reject the cookie
  135. if ($this->flags['host-only'] === true) {
  136. return false;
  137. }
  138. if (strlen($string) <= strlen($domain_string)) {
  139. // For obvious reasons, the string cannot be a suffix if the domain
  140. // is shorter than the domain string
  141. return false;
  142. }
  143. if (substr($string, -1 * strlen($domain_string)) !== $domain_string) {
  144. // The domain string should be a suffix of the string.
  145. return false;
  146. }
  147. $prefix = substr($string, 0, strlen($string) - strlen($domain_string));
  148. if (substr($prefix, -1) !== '.') {
  149. // The last character of the string that is not included in the
  150. // domain string should be a %x2E (".") character.
  151. return false;
  152. }
  153. // The string should be a host name (i.e., not an IP address).
  154. return !preg_match('#^(.+\.)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$#', $string);
  155. }
  156. /**
  157. * Check if a cookie is valid for a given path
  158. *
  159. * From the path-match check in RFC 6265 section 5.1.4
  160. *
  161. * @param string $request_path Path to check
  162. * @return boolean Whether the cookie is valid for the given path
  163. */
  164. public function path_matches($request_path) {
  165. if (empty($request_path)) {
  166. // Normalize empty path to root
  167. $request_path = '/';
  168. }
  169. if (!isset($this->attributes['path'])) {
  170. // Cookies created manually; cookies created by Requests will set
  171. // the path to the requested path
  172. return true;
  173. }
  174. $cookie_path = $this->attributes['path'];
  175. if ($cookie_path === $request_path) {
  176. // The cookie-path and the request-path are identical.
  177. return true;
  178. }
  179. if (strlen($request_path) > strlen($cookie_path) && substr($request_path, 0, strlen($cookie_path)) === $cookie_path) {
  180. if (substr($cookie_path, -1) === '/') {
  181. // The cookie-path is a prefix of the request-path, and the last
  182. // character of the cookie-path is %x2F ("/").
  183. return true;
  184. }
  185. if (substr($request_path, strlen($cookie_path), 1) === '/') {
  186. // The cookie-path is a prefix of the request-path, and the
  187. // first character of the request-path that is not included in
  188. // the cookie-path is a %x2F ("/") character.
  189. return true;
  190. }
  191. }
  192. return false;
  193. }
  194. /**
  195. * Normalize cookie and attributes
  196. *
  197. * @return boolean Whether the cookie was successfully normalized
  198. */
  199. public function normalize() {
  200. foreach ($this->attributes as $key => $value) {
  201. $orig_value = $value;
  202. $value = $this->normalize_attribute($key, $value);
  203. if ($value === null) {
  204. unset($this->attributes[$key]);
  205. continue;
  206. }
  207. if ($value !== $orig_value) {
  208. $this->attributes[$key] = $value;
  209. }
  210. }
  211. return true;
  212. }
  213. /**
  214. * Parse an individual cookie attribute
  215. *
  216. * Handles parsing individual attributes from the cookie values.
  217. *
  218. * @param string $name Attribute name
  219. * @param string|boolean $value Attribute value (string value, or true if empty/flag)
  220. * @return mixed Value if available, or null if the attribute value is invalid (and should be skipped)
  221. */
  222. protected function normalize_attribute($name, $value) {
  223. switch (strtolower($name)) {
  224. case 'expires':
  225. // Expiration parsing, as per RFC 6265 section 5.2.1
  226. if (is_int($value)) {
  227. return $value;
  228. }
  229. $expiry_time = strtotime($value);
  230. if ($expiry_time === false) {
  231. return null;
  232. }
  233. return $expiry_time;
  234. case 'max-age':
  235. // Expiration parsing, as per RFC 6265 section 5.2.2
  236. if (is_int($value)) {
  237. return $value;
  238. }
  239. // Check that we have a valid age
  240. if (!preg_match('/^-?\d+$/', $value)) {
  241. return null;
  242. }
  243. $delta_seconds = (int) $value;
  244. if ($delta_seconds <= 0) {
  245. $expiry_time = 0;
  246. }
  247. else {
  248. $expiry_time = $this->reference_time + $delta_seconds;
  249. }
  250. return $expiry_time;
  251. case 'domain':
  252. // Domain normalization, as per RFC 6265 section 5.2.3
  253. if ($value[0] === '.') {
  254. $value = substr($value, 1);
  255. }
  256. return $value;
  257. default:
  258. return $value;
  259. }
  260. }
  261. /**
  262. * Format a cookie for a Cookie header
  263. *
  264. * This is used when sending cookies to a server.
  265. *
  266. * @return string Cookie formatted for Cookie header
  267. */
  268. public function format_for_header() {
  269. return sprintf('%s=%s', $this->name, $this->value);
  270. }
  271. /**
  272. * Format a cookie for a Cookie header
  273. *
  274. * @codeCoverageIgnore
  275. * @deprecated Use {@see Requests_Cookie::format_for_header}
  276. * @return string
  277. */
  278. public function formatForHeader() {
  279. return $this->format_for_header();
  280. }
  281. /**
  282. * Format a cookie for a Set-Cookie header
  283. *
  284. * This is used when sending cookies to clients. This isn't really
  285. * applicable to client-side usage, but might be handy for debugging.
  286. *
  287. * @return string Cookie formatted for Set-Cookie header
  288. */
  289. public function format_for_set_cookie() {
  290. $header_value = $this->format_for_header();
  291. if (!empty($this->attributes)) {
  292. $parts = array();
  293. foreach ($this->attributes as $key => $value) {
  294. // Ignore non-associative attributes
  295. if (is_numeric($key)) {
  296. $parts[] = $value;
  297. }
  298. else {
  299. $parts[] = sprintf('%s=%s', $key, $value);
  300. }
  301. }
  302. $header_value .= '; ' . implode('; ', $parts);
  303. }
  304. return $header_value;
  305. }
  306. /**
  307. * Format a cookie for a Set-Cookie header
  308. *
  309. * @codeCoverageIgnore
  310. * @deprecated Use {@see Requests_Cookie::format_for_set_cookie}
  311. * @return string
  312. */
  313. public function formatForSetCookie() {
  314. return $this->format_for_set_cookie();
  315. }
  316. /**
  317. * Get the cookie value
  318. *
  319. * Attributes and other data can be accessed via methods.
  320. */
  321. public function __toString() {
  322. return $this->value;
  323. }
  324. /**
  325. * Parse a cookie string into a cookie object
  326. *
  327. * Based on Mozilla's parsing code in Firefox and related projects, which
  328. * is an intentional deviation from RFC 2109 and RFC 2616. RFC 6265
  329. * specifies some of this handling, but not in a thorough manner.
  330. *
  331. * @param string Cookie header value (from a Set-Cookie header)
  332. * @return Requests_Cookie Parsed cookie object
  333. */
  334. public static function parse($string, $name = '', $reference_time = null) {
  335. $parts = explode(';', $string);
  336. $kvparts = array_shift($parts);
  337. if (!empty($name)) {
  338. $value = $string;
  339. }
  340. elseif (strpos($kvparts, '=') === false) {
  341. // Some sites might only have a value without the equals separator.
  342. // Deviate from RFC 6265 and pretend it was actually a blank name
  343. // (`=foo`)
  344. //
  345. // https://bugzilla.mozilla.org/show_bug.cgi?id=169091
  346. $name = '';
  347. $value = $kvparts;
  348. }
  349. else {
  350. list($name, $value) = explode('=', $kvparts, 2);
  351. }
  352. $name = trim($name);
  353. $value = trim($value);
  354. // Attribute key are handled case-insensitively
  355. $attributes = new Requests_Utility_CaseInsensitiveDictionary();
  356. if (!empty($parts)) {
  357. foreach ($parts as $part) {
  358. if (strpos($part, '=') === false) {
  359. $part_key = $part;
  360. $part_value = true;
  361. }
  362. else {
  363. list($part_key, $part_value) = explode('=', $part, 2);
  364. $part_value = trim($part_value);
  365. }
  366. $part_key = trim($part_key);
  367. $attributes[$part_key] = $part_value;
  368. }
  369. }
  370. return new Requests_Cookie($name, $value, $attributes, array(), $reference_time);
  371. }
  372. /**
  373. * Parse all Set-Cookie headers from request headers
  374. *
  375. * @param Requests_Response_Headers $headers Headers to parse from
  376. * @param Requests_IRI|null $origin URI for comparing cookie origins
  377. * @param int|null $time Reference time for expiration calculation
  378. * @return array
  379. */
  380. public static function parse_from_headers(Requests_Response_Headers $headers, Requests_IRI $origin = null, $time = null) {
  381. $cookie_headers = $headers->getValues('Set-Cookie');
  382. if (empty($cookie_headers)) {
  383. return array();
  384. }
  385. $cookies = array();
  386. foreach ($cookie_headers as $header) {
  387. $parsed = self::parse($header, '', $time);
  388. // Default domain/path attributes
  389. if (empty($parsed->attributes['domain']) && !empty($origin)) {
  390. $parsed->attributes['domain'] = $origin->host;
  391. $parsed->flags['host-only'] = true;
  392. }
  393. else {
  394. $parsed->flags['host-only'] = false;
  395. }
  396. $path_is_valid = (!empty($parsed->attributes['path']) && $parsed->attributes['path'][0] === '/');
  397. if (!$path_is_valid && !empty($origin)) {
  398. $path = $origin->path;
  399. // Default path normalization as per RFC 6265 section 5.1.4
  400. if (substr($path, 0, 1) !== '/') {
  401. // If the uri-path is empty or if the first character of
  402. // the uri-path is not a %x2F ("/") character, output
  403. // %x2F ("/") and skip the remaining steps.
  404. $path = '/';
  405. }
  406. elseif (substr_count($path, '/') === 1) {
  407. // If the uri-path contains no more than one %x2F ("/")
  408. // character, output %x2F ("/") and skip the remaining
  409. // step.
  410. $path = '/';
  411. }
  412. else {
  413. // Output the characters of the uri-path from the first
  414. // character up to, but not including, the right-most
  415. // %x2F ("/").
  416. $path = substr($path, 0, strrpos($path, '/'));
  417. }
  418. $parsed->attributes['path'] = $path;
  419. }
  420. // Reject invalid cookie domains
  421. if (!empty($origin) && !$parsed->domain_matches($origin->host)) {
  422. continue;
  423. }
  424. $cookies[$parsed->name] = $parsed;
  425. }
  426. return $cookies;
  427. }
  428. /**
  429. * Parse all Set-Cookie headers from request headers
  430. *
  431. * @codeCoverageIgnore
  432. * @deprecated Use {@see Requests_Cookie::parse_from_headers}
  433. * @return string
  434. */
  435. public static function parseFromHeaders(Requests_Response_Headers $headers) {
  436. return self::parse_from_headers($headers);
  437. }
  438. }