From a329aa24a8494f2e814508740d8b3ec2528d65ff Mon Sep 17 00:00:00 2001
From: Ismael Ambrosi
Date: Mon, 6 May 2019 13:23:02 -0300
Subject: [PATCH] Define all Cookie arguments explicitly (#58)
* Define all Cookie arguments explicitly This adds support for Symfony 4.2, which deprecates not defining all the arguments as some of their default values are scheduled to change in Symfony 5.0.
* Set Cookie $sameSite as `lax` instead of null This is the default value as of Symfony 4.2, and makes cookies safer as they won't be sent along with cross-site requests. Also, added missing prediction when registering the cookie in the ResponseHeaderBag.
* Define PHP version in cinst instruction This ensures appveyor uses PHP 7.2 and not a default version(currently 7.3)
* Fixed tests after new method call in Symfony 4.2.6 and 3.4.25
---
 EventListener/AngularCsrfCookieListener.php | 4 +++-
 appveyor.yml | 2 +-
 .../DependencyInjection/DunglasAngularCsrfExtensionSpec.php | 5 +++++
 .../EventListener/AngularCsrfCookieListenerSpec.php | 5 ++++-
 4 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/EventListener/AngularCsrfCookieListener.php b/EventListener/AngularCsrfCookieListener.php
index f24d34a..e780f64 100644
--- a/EventListener/AngularCsrfCookieListener.php
+++ b/EventListener/AngularCsrfCookieListener.php
@@ -102,7 +102,9 @@ public function onKernelResponse(FilterResponseEvent $event)
 $this->cookiePath,
 $this->cookieDomain,
 $this->cookieSecure,
- false
+ false /* httpOnly */,
+ false /* raw */,
+ Cookie::SAMESITE_LAX
 ));
 }
 }
diff --git a/appveyor.yml b/appveyor.yml
index 72d34b8..aee87de 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -10,7 +10,7 @@ init:
 install:
 - ps: Set-Service wuauserv -StartupType Manual
- - cinst -y php
+ - cinst -y php --version 7.2.17
 - cd c:\tools\php72
 - copy php.ini-production php.ini /Y
 - echo date.timezone="UTC" >> php.ini
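Review bot: `Cookie::SAMESITE_LAX` and the `$raw`/`$sameSite` constructor parameters only exist from Symfony HttpFoundation 3.3, so if the bundle's composer constraint (not part of this patch) still admits older versions, the third added line turns a deprecation into a fatal undefined-constant error; raise the lower bound alongside this change, or fall back with `defined(Cookie::class.'::SAMESITE_LAX') ? Cookie::SAMESITE_LAX : null`. The SameSite value is also the one cookie attribute here that is hard-coded while `$this->cookiePath`, `$this->cookieDomain` and `$this->cookieSecure` are injected; a `$cookieSameSite` property defaulting to `Cookie::SAMESITE_LAX` would let deployments choose `strict` without patching the listener. The `false /* httpOnly */` argument deserves a why-comment, because HttpOnly=false on a CSRF cookie looks wrong to a reader unfamiliar with the cookie-to-header pattern — presumably the Angular client must read this cookie to mirror it into a request header, so `false /* httpOnly: client script must read this cookie to echo it in the CSRF header */` would document that. onKernelResponse starts before this hunk.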
diff --git a/spec/Dunglas/AngularCsrfBundle/DependencyInjection/DunglasAngularCsrfExtensionSpec.php b/spec/Dunglas/AngularCsrfBundle/DependencyInjection/DunglasAngularCsrfExtensionSpec.php
index a2a93ca..db15726 100644
--- a/spec/Dunglas/AngularCsrfBundle/DependencyInjection/DunglasAngularCsrfExtensionSpec.php
+++ b/spec/Dunglas/AngularCsrfBundle/DependencyInjection/DunglasAngularCsrfExtensionSpec.php
@@ -60,6 +60,11 @@ public function it_loads(ContainerBuilder $container, ParameterBagInterface $par
 $container->addResource(Argument::type('Symfony\Component\Config\Resource\FileResource'))->shouldBeCalled();
 }
 
+ if (method_exists('Symfony\Component\DependencyInjection\ContainerBuilder', 'addRemovedBindingIds')) {
+ // Added in Symfony v4.2.6 and v3.4.25
+ $container->addRemovedBindingIds(Argument::type('string'))->willReturn(null);
+ }
+
 $container->getParameterBag()->willReturn($parameterBag)->shouldBeCalled();
 $container->hasExtension('http://symfony.com/schema/dic/services')->willReturn(false)->shouldBeCalled();
 $container->setParameter('dunglas_angular_csrf.token.id', $configs['dunglas_angular_csrf']['token']['id'])->shouldBeCalled();
diff --git a/spec/Dunglas/AngularCsrfBundle/EventListener/AngularCsrfCookieListenerSpec.php b/spec/Dunglas/AngularCsrfBundle/EventListener/AngularCsrfCookieListenerSpec.php
index c1f0982..e45d8ea 100644
--- a/spec/Dunglas/AngularCsrfBundle/EventListener/AngularCsrfCookieListenerSpec.php
+++ b/spec/Dunglas/AngularCsrfBundle/EventListener/AngularCsrfCookieListenerSpec.php
@@ -79,7 +79,10 @@ public function it_sets_cookie_when_it_does(
 Response $response,
 ResponseHeaderBag $headers
 ) {
- $headers->setCookie(Argument::type('Symfony\Component\HttpFoundation\Cookie'));
+ $headers->setCookie(Argument::allOf(
+ Argument::type('Symfony\Component\HttpFoundation\Cookie'),
+ Argument::which('getSameSite', 'lax')
+ ))->shouldBeCalled();
 $response->headers = $headers;
 $event->getRequestType()->willReturn(HttpKernelInterface::MASTER_REQUEST)->shouldBeCalled();