Commit 4e4e76e8 by Qiang Xue

Request::cookieValidationKey must be explicitly specified now.

parent 8633d0f9
...@@ -14,7 +14,7 @@ return [ ...@@ -14,7 +14,7 @@ return [
'modules' => [], 'modules' => [],
'components' => [ 'components' => [
'request' => [ 'request' => [
// a secret key used to validate cookies. You may modify this key with your own one. // !!! insert a secret key in the following (if it is empty) - this is required by cookie validation
'cookieValidationKey' => '', 'cookieValidationKey' => '',
], ],
'user' => [ 'user' => [
......
...@@ -13,7 +13,7 @@ return [ ...@@ -13,7 +13,7 @@ return [
'controllerNamespace' => 'frontend\controllers', 'controllerNamespace' => 'frontend\controllers',
'components' => [ 'components' => [
'request' => [ 'request' => [
// a secret key used to validate cookies. You may modify this key with your own one. // !!! insert a secret key in the following (if it is empty) - this is required by cookie validation
'cookieValidationKey' => '', 'cookieValidationKey' => '',
], ],
'user' => [ 'user' => [
......
...@@ -8,7 +8,7 @@ $config = [ ...@@ -8,7 +8,7 @@ $config = [
'bootstrap' => ['log'], 'bootstrap' => ['log'],
'components' => [ 'components' => [
'request' => [ 'request' => [
// a secret key used to validate cookies. You may modify this key with your own one. // !!! insert a secret key in the following (if it is empty) - this is required by cookie validation
'cookieValidationKey' => '', 'cookieValidationKey' => '',
], ],
'cache' => [ 'cache' => [
......
...@@ -42,6 +42,13 @@ Installing Yii from an archive file involves two steps: ...@@ -42,6 +42,13 @@ Installing Yii from an archive file involves two steps:
1. Download the archive file from [yiiframework.com](http://www.yiiframework.com/download/yii2-basic). 1. Download the archive file from [yiiframework.com](http://www.yiiframework.com/download/yii2-basic).
2. Unpack the downloaded file to a Web-accessible folder. 2. Unpack the downloaded file to a Web-accessible folder.
3. Modify the `config/web.php` file by entering a secret key for the `cookieValidationKey` configuration item
(this is done automatically if you are installing Yii using Composer):
```php
// !!! insert a secret key in the following (if it is empty) - this is required by cookie validation
'cookieValidationKey' => 'enter your secret key here',
```
Other Installation Options <a name="other-installation-options"></a> Other Installation Options <a name="other-installation-options"></a>
......
...@@ -273,7 +273,7 @@ EOF ...@@ -273,7 +273,7 @@ EOF
$key = self::generateRandomString(); $key = self::generateRandomString();
foreach ((array) $extra[self::EXTRA_CONFIG] as $config) { foreach ((array) $extra[self::EXTRA_CONFIG] as $config) {
if (is_file($config)) { if (is_file($config)) {
$content = preg_replace('/(("|\')cookieValidationKey("|\')\s*=>\s*)(""|\'\')/i', "\\1'$key'", file_get_contents($config)); $content = preg_replace('/(("|\')cookieValidationKey("|\')\s*=>\s*)(""|\'\')/', "\\1'$key'", file_get_contents($config));
file_put_contents($config, $content); file_put_contents($config, $content);
} }
} }
......
...@@ -188,7 +188,7 @@ Yii Framework 2 Change Log ...@@ -188,7 +188,7 @@ Yii Framework 2 Change Log
- Chg: Changed the default value of the `keyPrefix` property of cache components to be null (qiangxue) - Chg: Changed the default value of the `keyPrefix` property of cache components to be null (qiangxue)
- Chg: Added `prefix` column to `yii\log\DbTarget` to have the same amount of information logged as in files and emails (cebe) - Chg: Added `prefix` column to `yii\log\DbTarget` to have the same amount of information logged as in files and emails (cebe)
- Chg: Use `limit(null)` instead of `limit(-1)` in migration controller to be compatible to more backends (cebe) - Chg: Use `limit(null)` instead of `limit(-1)` in migration controller to be compatible to more backends (cebe)
- Chg: `yii\web\Request::cookieValidationKey` is now automatically generated by the installation script for the basic and advanced application templates (qiangxue) - Chg: `yii\web\Request::cookieValidationKey` must be explicitly specified for each application that wants to use cookie validation (qiangxue)
- New #3911: Added `yii\behaviors\SluggableBehavior` that fills the specified model attribute with the transliterated and adjusted version to use in URLs (creocoder) - New #3911: Added `yii\behaviors\SluggableBehavior` that fills the specified model attribute with the transliterated and adjusted version to use in URLs (creocoder)
- New #4193: Added `yii\filters\Cors` CORS filter to allow Cross Origin Resource Sharing (pgaultier) - New #4193: Added `yii\filters\Cors` CORS filter to allow Cross Origin Resource Sharing (pgaultier)
......
...@@ -78,6 +78,20 @@ Upgrade from Yii 2.0 Beta ...@@ -78,6 +78,20 @@ Upgrade from Yii 2.0 Beta
`new \yii\caching\TagDependency(['tags' => 'TagName'])`, where `TagName` is similar to the group name that you `new \yii\caching\TagDependency(['tags' => 'TagName'])`, where `TagName` is similar to the group name that you
previously used. previously used.
* You must explicitly configure `yii\web\Request::cookieValidationKey` with a secret key. Previously this is done automatically.
To do so, modify your application configuration like the following:
```php
return [
// ...
'components' => [
'request' => [
'cookieValidationKey' => 'your secret key here',
],
],
];
```
* `yii\rbac\PhpManager` now stores data in three separate files instead of one. In order to convert old file to * `yii\rbac\PhpManager` now stores data in three separate files instead of one. In order to convert old file to
new ones save the following code as `convert.php` that should be placed in the same directory your `rbac.php` is in: new ones save the following code as `convert.php` that should be placed in the same directory your `rbac.php` is in:
...@@ -130,7 +144,8 @@ new ones save the following code as `convert.php` that should be placed in the s ...@@ -130,7 +144,8 @@ new ones save the following code as `convert.php` that should be placed in the s
its methods to a new syntax, for example: instead of `yii\helpers\Security::hashData()` use `Yii::$app->getSecurity()->hashData()`. its methods to a new syntax, for example: instead of `yii\helpers\Security::hashData()` use `Yii::$app->getSecurity()->hashData()`.
Default encryption and hash parameters has been upgraded. If you need to decrypt/validate data that was encrypted/hashed Default encryption and hash parameters has been upgraded. If you need to decrypt/validate data that was encrypted/hashed
before, use the following configuration of the 'security' component: before, use the following configuration of the 'security' component:
```
```php
return [ return [
'components' => [ 'components' => [
'security' => [ 'security' => [
......
...@@ -35,8 +35,6 @@ use yii\helpers\StringHelper; ...@@ -35,8 +35,6 @@ use yii\helpers\StringHelper;
* @property array $bodyParams The request parameters given in the request body. * @property array $bodyParams The request parameters given in the request body.
* @property string $contentType Request content-type. Null is returned if this information is not available. * @property string $contentType Request content-type. Null is returned if this information is not available.
* This property is read-only. * This property is read-only.
* @property string $cookieValidationKey The secret key used for cookie validation. If it was not set
* previously, a random key will be generated and used.
* @property CookieCollection $cookies The cookie collection. This property is read-only. * @property CookieCollection $cookies The cookie collection. This property is read-only.
* @property string $csrfToken The token used to perform CSRF validation. This property is read-only. * @property string $csrfToken The token used to perform CSRF validation. This property is read-only.
* @property string $csrfTokenFromHeader The CSRF token sent via [[CSRF_HEADER]] by browser. Null is returned * @property string $csrfTokenFromHeader The CSRF token sent via [[CSRF_HEADER]] by browser. Null is returned
...@@ -125,6 +123,10 @@ class Request extends \yii\base\Request ...@@ -125,6 +123,10 @@ class Request extends \yii\base\Request
*/ */
public $enableCookieValidation = true; public $enableCookieValidation = true;
/** /**
* @var string a secret key used for cookie validation. This property must be set if [[enableCookieValidation]] is true.
*/
public $cookieValidationKey;
/**
* @var string the name of the POST parameter that is used to indicate if a request is a PUT, PATCH or DELETE * @var string the name of the POST parameter that is used to indicate if a request is a PUT, PATCH or DELETE
* request tunneled through POST. Defaults to '_method'. * request tunneled through POST. Defaults to '_method'.
* @see getMethod() * @see getMethod()
...@@ -1180,14 +1182,17 @@ class Request extends \yii\base\Request ...@@ -1180,14 +1182,17 @@ class Request extends \yii\base\Request
/** /**
* Converts `$_COOKIE` into an array of [[Cookie]]. * Converts `$_COOKIE` into an array of [[Cookie]].
* @return array the cookies obtained from request * @return array the cookies obtained from request
* @throws InvalidConfigException if [[cookieValidationKey]] is not set when [[enableCookieValidation]] is true
*/ */
protected function loadCookies() protected function loadCookies()
{ {
$cookies = []; $cookies = [];
if ($this->enableCookieValidation) { if ($this->enableCookieValidation) {
$key = $this->getCookieValidationKey(); if ($this->cookieValidationKey == '') {
throw new InvalidConfigException(get_class($this) . '::cookieValidationKey must be configured with a secret key.');
}
foreach ($_COOKIE as $name => $value) { foreach ($_COOKIE as $name => $value) {
if (is_string($value) && ($value = Yii::$app->getSecurity()->validateData($value, $key)) !== false) { if (is_string($value) && ($value = Yii::$app->getSecurity()->validateData($value, $this->cookieValidationKey)) !== false) {
$cookies[$name] = new Cookie([ $cookies[$name] = new Cookie([
'name' => $name, 'name' => $name,
'value' => @unserialize($value), 'value' => @unserialize($value),
...@@ -1208,30 +1213,6 @@ class Request extends \yii\base\Request ...@@ -1208,30 +1213,6 @@ class Request extends \yii\base\Request
return $cookies; return $cookies;
} }
private $_cookieValidationKey;
/**
* @return string the secret key used for cookie validation. If it was not set previously,
* a random key will be generated and used.
*/
public function getCookieValidationKey()
{
if ($this->_cookieValidationKey === null) {
$this->_cookieValidationKey = Yii::$app->getSecurity()->getSecretKey('cookie.validation.key');
}
return $this->_cookieValidationKey;
}
/**
* Sets the secret key used for cookie validation.
* @param string $value the secret key used for cookie validation.
*/
public function setCookieValidationKey($value)
{
$this->_cookieValidationKey = $value;
}
/** /**
* @var Cookie * @var Cookie
*/ */
......
...@@ -365,7 +365,10 @@ class Response extends \yii\base\Response ...@@ -365,7 +365,10 @@ class Response extends \yii\base\Response
} }
$request = Yii::$app->getRequest(); $request = Yii::$app->getRequest();
if ($request->enableCookieValidation) { if ($request->enableCookieValidation) {
$validationKey = $request->getCookieValidationKey(); if ($request->cookieValidationKey == '') {
throw new InvalidConfigException(get_class($request) . '::cookieValidationKey must be configured with a secret key.');
}
$validationKey = $request->cookieValidationKey;
} }
foreach ($this->getCookies() as $cookie) { foreach ($this->getCookies() as $cookie) {
$value = $cookie->value; $value = $cookie->value;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment