WebReponse: Use values altered in 'WebResponseSetCookie' hook
authorBrad Jorsch <bjorsch@wikimedia.org>
Sun, 8 Jul 2018 19:25:18 +0000 (15:25 -0400)
committerBrad Jorsch <bjorsch@wikimedia.org>
Mon, 9 Jul 2018 15:01:05 +0000 (11:01 -0400)
The 'WebResponseSetCookie' hook is allowed to alter the data for the
cookie being set. We need to actually use those altered values, rather
than setting $cookie and $data earlier in the function.

Bug: T198525
Change-Id: Ia817e3dc5ce17fdcf5057ee5fcb6980baa1333d6

includes/WebResponse.php

index 0e5999d..3a4faf0 100644 (file)
@@ -151,21 +151,19 @@ class WebResponse {
                        $expire = time() + $wgCookieExpiration;
                }
 
-               $cookie = $options['prefix'] . $name;
-               $data = [
-                       'name' => (string)$cookie,
-                       'value' => (string)$value,
-                       'expire' => (int)$expire,
-                       'path' => (string)$options['path'],
-                       'domain' => (string)$options['domain'],
-                       'secure' => (bool)$options['secure'],
-                       'httpOnly' => (bool)$options['httpOnly'],
-               ];
-
                if ( self::$disableForPostSend ) {
+                       $cookie = $options['prefix'] . $name;
                        wfDebugLog( 'cookie', 'ignored post-send cookie {cookie}', 'all', [
                                'cookie' => $cookie,
-                               'data' => $data,
+                               'data' => [
+                                       'name' => (string)$cookie,
+                                       'value' => (string)$value,
+                                       'expire' => (int)$expire,
+                                       'path' => (string)$options['path'],
+                                       'domain' => (string)$options['domain'],
+                                       'secure' => (bool)$options['secure'],
+                                       'httpOnly' => (bool)$options['httpOnly'],
+                               ],
                                'exception' => new RuntimeException( 'Ignored post-send cookie' ),
                        ] );
                        return;
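Review bot: The post-send branch still writes the raw cookie value to the 'cookie' debug log through `'value' => (string)$value` in the inlined `data` array, which for session or token cookies would put a credential into log storage. Whether that channel is enabled in production is not visible here, but the entry only needs to identify which cookie was dropped, so I would log a length instead, e.g. `'valueLength' => strlen( (string)$value ),`, or omit the field. Because the same array literal is now repeated in the hook branch of the second hunk, a short comment here such as `// Pre-hook values; as far as these hunks show, the hook is not run on this path` would explain why the two copies are kept separate. The enclosing method starts and ends outside this hunk.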
@@ -174,6 +172,19 @@ class WebResponse {
                $func = $options['raw'] ? 'setrawcookie' : 'setcookie';
 
                if ( Hooks::run( 'WebResponseSetCookie', [ &$name, &$value, &$expire, &$options ] ) ) {
+                       // Note: Don't try to move this earlier to reuse it for self::$disableForPostSend,
+                       // we need to use the altered values from the hook here. (T198525)
+                       $cookie = $options['prefix'] . $name;
+                       $data = [
+                               'name' => (string)$cookie,
+                               'value' => (string)$value,
+                               'expire' => (int)$expire,
+                               'path' => (string)$options['path'],
+                               'domain' => (string)$options['domain'],
+                               'secure' => (bool)$options['secure'],
+                               'httpOnly' => (bool)$options['httpOnly'],
+                       ];
+
                        // Per RFC 6265, key is name + domain + path
                        $key = "{$data['name']}\n{$data['domain']}\n{$data['path']}";