dont serialize csrf cookie / header (#25121)

laravel · Aug 7, 2018 · c0eb907 · c0eb907
1 parent 9ed650c
commit c0eb907
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 6 deletions.
diff --git a/src/Illuminate/Cookie/Middleware/EncryptCookies.php b/src/Illuminate/Cookie/Middleware/EncryptCookies.php
@@ -25,6 +25,15 @@ class EncryptCookies
      */
     protected $except = [];
 
+    /**
+     * The cookies that should not be serialized.
+     *
+     * @var array
+     */
+    protected $serialization = [
+        'XSRF-TOKEN' => false,
+    ];
+
     /**
      * Create a new CookieGuard instance.
      *
@@ -73,7 +82,7 @@ protected function decrypt(Request $request)
             }
 
             try {
-                $request->cookies->set($key, $this->decryptCookie($cookie));
+                $request->cookies->set($key, $this->decryptCookie($key, $cookie));
             } catch (DecryptException $e) {
                 $request->cookies->set($key, null);
             }
@@ -85,14 +94,15 @@ protected function decrypt(Request $request)
     /**
      * Decrypt the given cookie and return the value.
      *
+     * @param  string  $name
      * @param  string|array  $cookie
      * @return string|array
      */
-    protected function decryptCookie($cookie)
+    protected function decryptCookie($name, $cookie)
     {
         return is_array($cookie)
                         ? $this->decryptArray($cookie)
-                        : $this->encrypter->decrypt($cookie);
+                        : $this->encrypter->decrypt($cookie, $this->serialization[$name] ?? true);
     }
 
     /**
@@ -107,7 +117,7 @@ protected function decryptArray(array $cookie)
 
         foreach ($cookie as $key => $value) {
             if (is_string($value)) {
-                $decrypted[$key] = $this->encrypter->decrypt($value);
+                $decrypted[$key] = $this->encrypter->decrypt($value, $this->serialization[$key] ?? true);
             }
         }
 
@@ -127,8 +137,10 @@ protected function encrypt(Response $response)
                 continue;
             }
 
+            $serialize = $this->serialization[$cookie->getName()] ?? true;
+
             $response->headers->setCookie($this->duplicate(
-                $cookie, $this->encrypter->encrypt($cookie->getValue())
+                $cookie, $this->encrypter->encrypt($cookie->getValue(), $serialize)
             ));
         }
 

diff --git a/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php b/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php
@@ -138,7 +138,7 @@ protected function getTokenFromRequest($request)
         $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');
 
         if (! $token && $header = $request->header('X-XSRF-TOKEN')) {
-            $token = $this->encrypter->decrypt($header);
+            $token = $this->encrypter->decrypt($header, false);
         }
 
         return $token;