Merge branch '6.1' into 6.2

* 6.1: [HttpFoundation] Fix bad return type in IpUtils::checkIp4() [DependencyInjection] Fix order of arguments when mixing positional and named ones [HttpClient] Fix collecting data non-late for the profiler [Security/Http] Fix compat of persistent remember-me with legacy tokens Bump Symfony version to 6.1.12 Update VERSION for 6.1.11 Update CHANGELOG for 6.1.11 Bump Symfony version to 6.0.20 Update VERSION for 6.0.19 Update CHANGELOG for 6.0.19 Bump Symfony version to 5.4.20 Update VERSION for 5.4.19 Update CONTRIBUTORS for 5.4.19 Update CHANGELOG for 5.4.19 [Security/Http] Remove CSRF tokens from storage on successful login [HttpKernel] Remove private headers before storing responses with HttpCache
symfony · Jan 30, 2023 · 9a396cb · 9a396cb
2 parents 3ef78f0 + dc741f8
commit 9a396cb
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 1 deletion.
diff --git a/HttpCache/Store.php b/HttpCache/Store.php
@@ -29,17 +29,28 @@ class Store implements StoreInterface
     private \SplObjectStorage $keyCache;
     /** @var array<string, resource> */
     private array $locks = [];
+    private array $options;
 
     /**
+     * Constructor.
+     *
+     * The available options are:
+     *
+     *   * private_headers  Set of response headers that should not be stored
+     *                      when a response is cached. (default: Set-Cookie)
+     *
      * @throws \RuntimeException
      */
-    public function __construct(string $root)
+    public function __construct(string $root, array $options = [])
     {
         $this->root = $root;
         if (!is_dir($this->root) && !@mkdir($this->root, 0777, true) && !is_dir($this->root)) {
             throw new \RuntimeException(sprintf('Unable to create the store directory (%s).', $this->root));
         }
         $this->keyCache = new \SplObjectStorage();
+        $this->options = array_merge([
+            'private_headers' => ['Set-Cookie'],
+        ], $options);
     }
 
     /**
@@ -212,6 +223,10 @@ public function write(Request $request, Response $response): string
         $headers = $this->persistResponse($response);
         unset($headers['age']);
 
+        foreach ($this->options['private_headers'] as $h) {
+            unset($headers[strtolower($h)]);
+        }
+
         array_unshift($entries, [$storedEnv, $headers]);
 
         if (!$this->save($key, serialize($entries))) {

diff --git a/Tests/HttpCache/StoreTest.php b/Tests/HttpCache/StoreTest.php
@@ -12,8 +12,10 @@
 namespace Symfony\Component\HttpKernel\Tests\HttpCache;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Cookie;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\HttpCache\HttpCache;
 use Symfony\Component\HttpKernel\HttpCache\Store;
 
 class StoreTest extends TestCase
@@ -317,6 +319,17 @@ public function testPurgeHttpAndHttps()
         $this->assertEmpty($this->getStoreMetadata($requestHttps));
     }
 
+    public function testDoesNotStorePrivateHeaders()
+    {
+        $request = Request::create('https://example.com/foo');
+        $response = new Response('foo');
+        $response->headers->setCookie(Cookie::fromString('foo=bar'));
+
+        $this->store->write($request, $response);
+        $this->assertArrayNotHasKey('set-cookie', $this->getStoreMetadata($request)[0][1]);
+        $this->assertNotEmpty($response->headers->getCookies());
+    }
+
     protected function storeSimpleEntry($path = null, $headers = [])
     {
         $path ??= '/test';