From: Tim Landscheidt
Date: Fri, 21 Sep 2012 22:48:46 +0000 (+0000)
Subject: Disallow top level domains in Cookie::validateCookieDomain().
X-Git-Tag: 1.31.0-rc.0~14687^2
X-Git-Url: https://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/exercices/journal.php?a=commitdiff_plain;h=bfc9be60b7b24ffb7c13a95f94600e8bf3200c67;p=lhc%2Fweb%2Fwiklou.git
Disallow top level domains in Cookie::validateCookieDomain().
This disallows addresses that contain no dots or just a leading one.
Change-Id: I4d62ab3618dddf0d5fafb49c31523137ac33cad2
---
diff --git a/includes/Cookie.php b/includes/Cookie.php
index ecf4667d15..d4c342ba48 100644
--- a/includes/Cookie.php
+++ b/includes/Cookie.php
@@ -90,13 +90,15 @@ class Cookie {
 * @return Boolean
 */
 public static function validateCookieDomain( $domain, $originDomain = null ) {
- // Don't allow a trailing dot
- if ( substr( $domain, -1 ) == '.' ) {
+ $dc = explode( ".", $domain );
+
+ // Don't allow a trailing dot or addresses without a or just a leading dot
+ if ( substr( $domain, -1 ) == '.' ||
+ count( $dc ) <= 1 ||
+ count( $dc ) == 2 && $dc[0] === '' ) {
 return false;
 }
- $dc = explode( ".", $domain );
-
 // Only allow full, valid IP addresses
 if ( preg_match( '/^[0-9.]+$/', $domain ) ) {
 if ( count( $dc ) != 4 ) {
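Review bot: The new condition after `$dc = explode( ".", $domain )` only special-cases `count( $dc ) == 2` with an empty first label, so a value such as `..com` (three labels, two of them empty) or `foo..com` still passes this guard and reaches the IP-address check below; whether anything later rejects it I cannot tell, since validateCookieDomain continues past the hunk. Counting non-empty labels instead covers the commit's own cases (`com`, `.com`, `.`, `""`) and the empty-label ones uniformly, and it also subsumes the separate trailing-dot test, because `example.com.` then fails on its empty last label. If the current shape is kept instead, the mixed `||`/`&&` relies on operator precedence and deserves explicit parentheses around the `&&` term. The `$dc` array itself must stay the raw explode result because the IP check below relies on `count( $dc )`.
```php
$dc = explode( ".", $domain );

// Strip an optional leading dot, then require at least two labels and
// no empty label: this rejects bare TLDs ("com", ".com"), a lone ".",
// the empty string, a trailing dot ("example.com.") and "a..b".
$labels = $dc[0] === '' ? array_slice( $dc, 1 ) : $dc;
if ( count( $labels ) < 2 || in_array( '', $labels, true ) ) {
	return false;
}
// … unchanged: IP-address check …
```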