Merge branch '6.1' into 6.2

nicolas-grekas · nicolas-grekas · commit 9a396cba5c1b · 2023-01-30T16:46:28.000+01:00
* 6.1:
  [HttpFoundation] Fix bad return type in IpUtils::checkIp4()
  [DependencyInjection] Fix order of arguments when mixing positional and named ones
  [HttpClient] Fix collecting data non-late for the profiler
  [Security/Http] Fix compat of persistent remember-me with legacy tokens
  Bump Symfony version to 6.1.12
  Update VERSION for 6.1.11
  Update CHANGELOG for 6.1.11
  Bump Symfony version to 6.0.20
  Update VERSION for 6.0.19
  Update CHANGELOG for 6.0.19
  Bump Symfony version to 5.4.20
  Update VERSION for 5.4.19
  Update CONTRIBUTORS for 5.4.19
  Update CHANGELOG for 5.4.19
  [Security/Http] Remove CSRF tokens from storage on successful login
  [HttpKernel] Remove private headers before storing responses with HttpCache
diff --git a/HttpCache/Store.php b/HttpCache/Store.php
@@ -29,17 +29,28 @@ class Store implements StoreInterface
     private \SplObjectStorage $keyCache;
     /** @var array<string, resource> */
     private array $locks = [];
+    private array $options;
 
     /**
+     * Constructor.
+     *
+     * The available options are:
+     *
+     *   * private_headers  Set of response headers that should not be stored
+     *                      when a response is cached. (default: Set-Cookie)
+     *
      * @throws \RuntimeException
      */
-    public function __construct(string $root)
+    public function __construct(string $root, array $options = [])
     {
         $this->root = $root;
         if (!is_dir($this->root) && !@mkdir($this->root, 0777, true) && !is_dir($this->root)) {
             throw new \RuntimeException(sprintf('Unable to create the store directory (%s).', $this->root));
         }
         $this->keyCache = new \SplObjectStorage();
+        $this->options = array_merge([
+            'private_headers' => ['Set-Cookie'],
+        ], $options);
     }
 
     /**
@@ -212,6 +223,10 @@ public function write(Request $request, Response $response): string
         $headers = $this->persistResponse($response);
         unset($headers['age']);
 
+        foreach ($this->options['private_headers'] as $h) {
+            unset($headers[strtolower($h)]);
+        }
+
         array_unshift($entries, [$storedEnv, $headers]);
 
         if (!$this->save($key, serialize($entries))) {
diff --git a/Tests/HttpCache/StoreTest.php b/Tests/HttpCache/StoreTest.php
@@ -12,8 +12,10 @@
 namespace Symfony\Component\HttpKernel\Tests\HttpCache;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Cookie;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\HttpCache\HttpCache;
 use Symfony\Component\HttpKernel\HttpCache\Store;
 
 class StoreTest extends TestCase
@@ -317,6 +319,17 @@ public function testPurgeHttpAndHttps()
         $this->assertEmpty($this->getStoreMetadata($requestHttps));
     }
 
+    public function testDoesNotStorePrivateHeaders()
+    {
+        $request = Request::create('https://example.com/foo');
+        $response = new Response('foo');
+        $response->headers->setCookie(Cookie::fromString('foo=bar'));
+
+        $this->store->write($request, $response);
+        $this->assertArrayNotHasKey('set-cookie', $this->getStoreMetadata($request)[0][1]);
+        $this->assertNotEmpty($response->headers->getCookies());
+    }
+
     protected function storeSimpleEntry($path = null, $headers = [])
     {
         $path ??= '/test';
