From: jenkins-bot
Date: Tue, 29 Jul 2014 20:07:47 +0000 (+0000)
Subject: Merge "Disallow top level domains in Cookie::validateCookieDomain()."
X-Git-Tag: 1.31.0-rc.0~14687
X-Git-Url: https://git.cyclocoop.org//%22?a=commitdiff_plain;h=f0edb3e368a5fc69218d20f76f1538b68f37db42;p=lhc%2Fweb%2Fwiklou.git
Merge "Disallow top level domains in Cookie::validateCookieDomain()."
--- f0edb3e368a5fc69218d20f76f1538b68f37db42
diff --cc includes/Cookie.php
index b8d34e23cf,d4c342ba48..8b5906a820
--- a/includes/Cookie.php
+++ b/includes/Cookie.php
@@@ -85,13 -85,17 +85,17 @@@ class Cookie
 * @todo fixme fails to detect 2-letter top-level domains for single-domain use (probably
 * not a big problem in practice, but there are test cases)
 *
- * @param string $domain the domain to validate
+ * @param string $domain The domain to validate
 * @param string $originDomain (optional) the domain the cookie originates from
- * @return Boolean
+ * @return bool
 */
 public static function validateCookieDomain( $domain, $originDomain = null ) {
- // Don't allow a trailing dot
- if ( substr( $domain, -1 ) == '.' ) {
+ $dc = explode( ".", $domain );
+
+ // Don't allow a trailing dot or addresses without a or just a leading dot
+ if ( substr( $domain, -1 ) == '.' ||
+ count( $dc ) <= 1 ||
+ count( $dc ) == 2 && $dc[0] === '' ) {
 return false;
 }