From 8885b548ad5f36a45c9119f7f03bc3d43a29a5a3 Mon Sep 17 00:00:00 2001 From: Brad Jorsch Date: Sun, 8 Jul 2018 15:25:18 -0400 Subject: [PATCH] WebReponse: Use values altered in 'WebResponseSetCookie' hook The 'WebResponseSetCookie' hook is allowed to alter the data for the cookie being set. We need to actually use those altered values, rather than setting $cookie and $data earlier in the function. Bug: T198525 Change-Id: Ia817e3dc5ce17fdcf5057ee5fcb6980baa1333d6 --- includes/WebResponse.php | 35 +++++++++++++++++++++++------------ 1 file changed, 23 insertions(+), 12 deletions(-) diff --git a/includes/WebResponse.php b/includes/WebResponse.php index 0e5999ddfb..3a4faf0faa 100644 --- a/includes/WebResponse.php +++ b/includes/WebResponse.php @@ -151,21 +151,19 @@ class WebResponse { $expire = time() + $wgCookieExpiration; } - $cookie = $options['prefix'] . $name; - $data = [ - 'name' => (string)$cookie, - 'value' => (string)$value, - 'expire' => (int)$expire, - 'path' => (string)$options['path'], - 'domain' => (string)$options['domain'], - 'secure' => (bool)$options['secure'], - 'httpOnly' => (bool)$options['httpOnly'], - ]; - if ( self::$disableForPostSend ) { + $cookie = $options['prefix'] . $name; wfDebugLog( 'cookie', 'ignored post-send cookie {cookie}', 'all', [ 'cookie' => $cookie, - 'data' => $data, + 'data' => [ + 'name' => (string)$cookie, + 'value' => (string)$value, + 'expire' => (int)$expire, + 'path' => (string)$options['path'], + 'domain' => (string)$options['domain'], + 'secure' => (bool)$options['secure'], + 'httpOnly' => (bool)$options['httpOnly'], + ], 'exception' => new RuntimeException( 'Ignored post-send cookie' ), ] ); return; 
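Review bot: The post-send branch writes the complete cookie, including `'value' => (string)$value`, to the 'cookie' debug channel, so any session or token cookie that reaches this path is stored in the logs in clear text. The inline array added here keeps that behaviour; I would log a stand-in such as `'value' => '(redacted, ' . strlen( (string)$value ) . ' bytes)'` and keep name, domain, path and the flags for diagnosis. The values logged here are the pre-hook ones, which is harmless because the cookie is dropped, but a one-line comment saying so would keep the two copies of the array from being "unified" again. The enclosing method starts and ends outside the hunk.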
@@ -174,6 +172,19 @@ class WebResponse { $func = $options['raw'] ? 'setrawcookie' : 'setcookie'; if ( Hooks::run( 'WebResponseSetCookie', [ &$name, &$value, &$expire, &$options ] ) ) { + // Note: Don't try to move this earlier to reuse it for self::$disableForPostSend, + // we need to use the altered values from the hook here. (T198525) + $cookie = $options['prefix'] . $name; + $data = [ + 'name' => (string)$cookie, + 'value' => (string)$value, + 'expire' => (int)$expire, + 'path' => (string)$options['path'], + 'domain' => (string)$options['domain'], + 'secure' => (bool)$options['secure'], + 'httpOnly' => (bool)$options['httpOnly'], + ]; + // Per RFC 6265, key is name + domain + path $key = "{$data['name']}\n{$data['domain']}\n{$data['path']}"; -- 2.20.1
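Review bot: A hook that changes `$options['raw']` is still ignored, because `$func = $options['raw'] ? 'setrawcookie' : 'setcookie';` is evaluated on the context line before `Hooks::run()`. This is the same stale-value problem the patch fixes for `$cookie` and `$data`. Moving that assignment to the first line inside the `if` block would let every hook-altered option take effect together, assuming `$func` is not read outside the block; the rest of the method is not visible in this hunk. Because handlers can also rewrite `secure`, `httpOnly` and `domain`, the added comment could state that `$data` reflects whatever the last handler left, which is what to inspect when auditing cookie flags.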