add report only csp policy and report endpoint

.gitignore

@@ -115,3 +115,5 @@ www/robots.txt
 
 tests/*.cache
 www/beanstalk.php
+
+*.log

vendor/composer/autoload_files.php

@@ -12,9 +12,9 @@
     '320cde22f66dd4f5d3fd621d3e88b98f' => $vendorDir . '/symfony/polyfill-ctype/bootstrap.php',
     'c964ee0ededf28c96ebd9db5099ef910' => $vendorDir . '/guzzlehttp/promises/src/functions_include.php',
     '6e3fae29631ef280660b3cdad06f25a8' => $vendorDir . '/symfony/deprecation-contracts/function.php',
-    '37a3dc5111fe8f707ab4c132ef1dbc62' => $vendorDir . '/guzzlehttp/guzzle/src/functions_include.php',
     '6124b4c8570aa390c21fafd04a26c69f' => $vendorDir . '/myclabs/deep-copy/src/DeepCopy/deep_copy.php',
     '3109cb1a231dcd04bee1f9f620d46975' => $vendorDir . '/paragonie/sodium_compat/autoload.php',
     '2df68f9e79c919e2d88506611769ed2e' => $vendorDir . '/respect/stringifier/src/stringify.php',
     '0e6d7bf4a5811bfa5cf40c5ccd6fae6a' => $vendorDir . '/symfony/polyfill-mbstring/bootstrap.php',
+    '37a3dc5111fe8f707ab4c132ef1dbc62' => $vendorDir . '/guzzlehttp/guzzle/src/functions_include.php',
 );

vendor/composer/autoload_static.php

@@ -13,11 +13,11 @@ class ComposerStaticInit9c12fec4b6151122c0ac4f5652ab47b7
         '320cde22f66dd4f5d3fd621d3e88b98f' => __DIR__ . '/..' . '/symfony/polyfill-ctype/bootstrap.php',
         'c964ee0ededf28c96ebd9db5099ef910' => __DIR__ . '/..' . '/guzzlehttp/promises/src/functions_include.php',
         '6e3fae29631ef280660b3cdad06f25a8' => __DIR__ . '/..' . '/symfony/deprecation-contracts/function.php',
-        '37a3dc5111fe8f707ab4c132ef1dbc62' => __DIR__ . '/..' . '/guzzlehttp/guzzle/src/functions_include.php',
         '6124b4c8570aa390c21fafd04a26c69f' => __DIR__ . '/..' . '/myclabs/deep-copy/src/DeepCopy/deep_copy.php',
         '3109cb1a231dcd04bee1f9f620d46975' => __DIR__ . '/..' . '/paragonie/sodium_compat/autoload.php',
         '2df68f9e79c919e2d88506611769ed2e' => __DIR__ . '/..' . '/respect/stringifier/src/stringify.php',
         '0e6d7bf4a5811bfa5cf40c5ccd6fae6a' => __DIR__ . '/..' . '/symfony/polyfill-mbstring/bootstrap.php',
+        '37a3dc5111fe8f707ab4c132ef1dbc62' => __DIR__ . '/..' . '/guzzlehttp/guzzle/src/functions_include.php',
     );
 
     public static $prefixLengthsPsr4 = array (

vendor/composer/installed.json

@@ -195,17 +195,17 @@
         },
         {
             "name": "guzzlehttp/guzzle",
-            "version": "7.4.2",
-            "version_normalized": "7.4.2.0",
+            "version": "7.4.3",
+            "version_normalized": "7.4.3.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/guzzle/guzzle.git",
-                "reference": "ac1ec1cd9b5624694c3a40be801d94137afb12b4"
+                "reference": "74a8602c6faec9ef74b7a9391ac82c5e65b1cdab"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/guzzle/zipball/ac1ec1cd9b5624694c3a40be801d94137afb12b4",
-                "reference": "ac1ec1cd9b5624694c3a40be801d94137afb12b4",
+                "url": "https://api.github.com/repos/guzzle/guzzle/zipball/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab",
+                "reference": "74a8602c6faec9ef74b7a9391ac82c5e65b1cdab",
                 "shasum": ""
             },
             "require": {
@@ -231,7 +231,7 @@
                 "ext-intl": "Required for Internationalized Domain Name (IDN) support",
                 "psr/log": "Required for using the Log middleware"
             },
-            "time": "2022-03-20T14:16:28+00:00",
+            "time": "2022-05-25T13:24:33+00:00",
             "type": "library",
             "extra": {
                 "branch-alias": {
@@ -302,7 +302,7 @@
             ],
             "support": {
                 "issues": "https://github.com/guzzle/guzzle/issues",
-                "source": "https://github.com/guzzle/guzzle/tree/7.4.2"
+                "source": "https://github.com/guzzle/guzzle/tree/7.4.3"
             },
             "funding": [
                 {

vendor/composer/installed.php

@@ -1,22 +1,22 @@
 <?php return array(
     'root' => array(
-        'pretty_version' => '1.0.0+no-version-set',
-        'version' => '1.0.0.0',
+        'pretty_version' => 'dev-master',
+        'version' => 'dev-master',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
-        'reference' => NULL,
+        'reference' => 'ad74ee6d176e6afaef05078abb98f8fb1b7cb0f7',
         'name' => '__root__',
         'dev' => true,
     ),
     'versions' => array(
         '__root__' => array(
-            'pretty_version' => '1.0.0+no-version-set',
-            'version' => '1.0.0.0',
+            'pretty_version' => 'dev-master',
+            'version' => 'dev-master',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
-            'reference' => NULL,
+            'reference' => 'ad74ee6d176e6afaef05078abb98f8fb1b7cb0f7',
             'dev_requirement' => false,
         ),
         'braintree/braintree_php' => array(
@@ -47,12 +47,12 @@
             'dev_requirement' => false,
         ),
         'guzzlehttp/guzzle' => array(
-            'pretty_version' => '7.4.2',
-            'version' => '7.4.2.0',
+            'pretty_version' => '7.4.3',
+            'version' => '7.4.3.0',
             'type' => 'library',
             'install_path' => __DIR__ . '/../guzzlehttp/guzzle',
             'aliases' => array(),
-            'reference' => 'ac1ec1cd9b5624694c3a40be801d94137afb12b4',
+            'reference' => '74a8602c6faec9ef74b7a9391ac82c5e65b1cdab',
             'dev_requirement' => false,
         ),
         'guzzlehttp/promises' => array(

vendor/guzzlehttp/guzzle/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 Please refer to [UPGRADING](UPGRADING.md) guide for upgrading to a major version.
 
+## 7.4.3 - 2022-05-25
+
+* Fix cross-domain cookie leakage
+
 ## 7.4.2 - 2022-03-20
 
 ### Fixed

vendor/guzzlehttp/guzzle/README.md

@@ -42,8 +42,8 @@ $promise->wait();
 
 We use GitHub issues only to discuss bugs and new features. For support please refer to:
 
-- [Documentation](http://guzzlephp.org/)
-- [Stack Overflow](http://stackoverflow.com/questions/tagged/guzzle)
+- [Documentation](https://docs.guzzlephp.org)
+- [Stack Overflow](https://stackoverflow.com/questions/tagged/guzzle)
 - [#guzzle](https://app.slack.com/client/T0D2S9JCT/CE6UAAKL4) channel on [PHP-HTTP Slack](http://slack.httplug.io/)
 - [Gitter](https://gitter.im/guzzle/guzzle)
 
@@ -60,13 +60,13 @@ composer require guzzlehttp/guzzle
 
 ## Version Guidance
 
-| Version | Status     | Packagist           | Namespace    | Repo                | Docs                | PSR-7 | PHP Version |
-|---------|------------|---------------------|--------------|---------------------|---------------------|-------|-------------|
-| 3.x     | EOL        | `guzzle/guzzle`     | `Guzzle`     | [v3][guzzle-3-repo] | [v3][guzzle-3-docs] | No    | >= 5.3.3    |
-| 4.x     | EOL        | `guzzlehttp/guzzle` | `GuzzleHttp` | [v4][guzzle-4-repo] | N/A                 | No    | >= 5.4      |
-| 5.x     | EOL        | `guzzlehttp/guzzle` | `GuzzleHttp` | [v5][guzzle-5-repo] | [v5][guzzle-5-docs] | No    | >= 5.4      |
-| 6.x     | Security fixes | `guzzlehttp/guzzle` | `GuzzleHttp` | [v6][guzzle-6-repo] | [v6][guzzle-6-docs] | Yes   | >= 5.5      |
-| 7.x     | Latest     | `guzzlehttp/guzzle` | `GuzzleHttp` | [v7][guzzle-7-repo] | [v7][guzzle-7-docs] | Yes   | >= 7.2      |
+| Version | Status         | Packagist           | Namespace    | Repo                | Docs                | PSR-7 | PHP Version  |
+|---------|----------------|---------------------|--------------|---------------------|---------------------|-------|--------------|
+| 3.x     | EOL            | `guzzle/guzzle`     | `Guzzle`     | [v3][guzzle-3-repo] | [v3][guzzle-3-docs] | No    | >=5.3.3,<7.0 |
+| 4.x     | EOL            | `guzzlehttp/guzzle` | `GuzzleHttp` | [v4][guzzle-4-repo] | N/A                 | No    | >=5.4,<7.0   |
+| 5.x     | EOL            | `guzzlehttp/guzzle` | `GuzzleHttp` | [v5][guzzle-5-repo] | [v5][guzzle-5-docs] | No    | >=5.4,<7.4   |
+| 6.x     | Security fixes | `guzzlehttp/guzzle` | `GuzzleHttp` | [v6][guzzle-6-repo] | [v6][guzzle-6-docs] | Yes   | >=5.5,<8.0   |
+| 7.x     | Latest         | `guzzlehttp/guzzle` | `GuzzleHttp` | [v7][guzzle-7-repo] | [v7][guzzle-7-docs] | Yes   | >=7.2.5,<8.2 |
 
 [guzzle-3-repo]: https://github.com/guzzle/guzzle3
 [guzzle-4-repo]: https://github.com/guzzle/guzzle/tree/4.x

vendor/guzzlehttp/guzzle/src/Cookie/CookieJar.php

@@ -241,6 +241,11 @@ public function extractCookies(RequestInterface $request, ResponseInterface $res
                 if (0 !== \strpos($sc->getPath(), '/')) {
                     $sc->setPath($this->getCookiePathFromRequest($request));
                 }
+                if (!$sc->matchesDomain($request->getUri()->getHost())) {
+                    continue;
+                }
+                // Note: At this point `$sc->getDomain()` being a public suffix should
+                // be rejected, but we don't want to pull in the full PSL dependency.
                 $this->setCookie($sc);
             }
         }

vendor/guzzlehttp/guzzle/src/Cookie/SetCookie.php

@@ -379,10 +379,12 @@ public function matchesDomain(string $domain): bool
 
         // Remove the leading '.' as per spec in RFC 6265.
         // https://tools.ietf.org/html/rfc6265#section-5.2.3
-        $cookieDomain = \ltrim($cookieDomain, '.');
+        $cookieDomain = \ltrim(\strtolower($cookieDomain), '.');
+
+        $domain = \strtolower($domain);
 
         // Domain not set or exact match.
-        if (!$cookieDomain || !\strcasecmp($domain, $cookieDomain)) {
+        if ('' === $cookieDomain || $domain === $cookieDomain) {
             return true;
         }
 

www/common.inc

@@ -49,6 +49,20 @@ $request_context = new RequestContext($_REQUEST, $_SERVER);
 
 // Disable caching by default
 header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0", true);
+//add csp report only
+header("Content-Security-Policy-Report-Only: default-src 'self'; 
+script-src 'report-sample' 'self' 'unsafe-inline' https://g.3gl.net https://js.braintreegateway.com https://ssl.google-analytics.com;
+style-src 'report-sample' 'self' 'unsafe-inline' https://assets.braintreegateway.com;
+object-src 'none';
+base-uri 'self';
+connect-src 'self' https://*.braintree-api.com https://r.3gl.net;
+font-src 'self';
+frame-src 'self' https://assets.braintreegateway.com;
+img-src 'self' data: https://assets.braintreegateway.com https://ssl.google-analytics.com https://webpagetest.org;
+manifest-src 'self';
+media-src 'self';
+report-uri /csp-violation-report
+");
 
 if (GetSetting("serverID")) {
   header('X-WPT-Server: ' . GetSetting("serverID"));
@@ -300,17 +314,17 @@ if (isset($_REQUEST['color'])) {
 }
 
 if ($supportsSaml && !$supportsCPAuth) {
-  $request_context->setUser($saml_user);
+    $request_context->setUser($saml_user);
 }
 
 /**
  * Load app specific middleware
  */
 if ($supportsCPAuth) {
-  require_once __DIR__ . '/common/AttachClient.php';
-  require_once __DIR__ . '/common/AttachUser.php';
-  require_once __DIR__ . '/common/AttachSignupClient.php';
-  require_once __DIR__ . '/common/CheckCSRF.php';
+    require_once __DIR__ . '/common/AttachClient.php';
+    require_once __DIR__ . '/common/AttachUser.php';
+    require_once __DIR__ . '/common/AttachSignupClient.php';
+    require_once __DIR__ . '/common/CheckCSRF.php';
 }
 
 // Load the test-specific data
@@ -441,4 +455,3 @@ if (array_key_exists('medianMetric', $_REQUEST)) {
 if (is_file('./settings/custom_common.inc.php')) {
     include('./settings/custom_common.inc.php');
 }
-

www/common/AttachUser.php

@@ -36,6 +36,7 @@
             $user->setPaid($data['activeContact']['isWptPaidUser']);
             $user->setVerified($data['activeContact']['isWptAccountVerified']);
             $user->setOwnerId($data['levelSummary']['levelId']);
+            $user->setEnterpriseClient(!!$data['levelSummary']['isWptEnterpriseClient']);
             $owner = $user->getOwnerId();
         } catch (UnauthorizedException $e) {
             error_log($e->getMessage());

www/common/CheckCSRF.php

@@ -6,6 +6,11 @@
 use WebPageTest\Exception\ClientException;
 
 (function (RequestContext $request) {
+    $request_method = $request->getRequestMethod();
+    if ($request_method == 'GET') {
+        unset($_SESSION['csrf_token']);
+        $_SESSION['csrf_token'] = bin2hex(random_bytes(35));
+    }
   /**
    * Gate this for account stuff only, for now
    */
@@ -14,15 +19,11 @@
         str_contains($request->getRequestUri(), "signup") ||
         str_contains($request->getRequestUri(), "logout")
     ) {
-        $request_method = $request->getRequestMethod();
         if ($request_method == 'POST') {
-            $csrf_token = filter_input(INPUT_POST, 'csrf_token', FILTER_SANITIZE_STRING);
+            $csrf_token = $_POST['csrf_token'];
             if ($csrf_token !== $_SESSION['csrf_token']) {
                 throw new ClientException("Invalid CSRF Token", $request->getRequestUri());
             }
-        } elseif ($request_method == 'GET') {
-            unset($_SESSION['csrf_token']);
-            $_SESSION['csrf_token'] = bin2hex(random_bytes(35));
         }
     }
 })($request_context);

www/cpauth/account.php

@@ -92,6 +92,7 @@
 
     $is_paid = $request_context->getUser()->isPaid();
     $is_verified = $request_context->getUser()->isVerified();
+    $is_wpt_enterprise = $request_context->getUser()->isWptEnterpriseClient();
     $user_id = $request_context->getUser()->getUserId();
     $user_contact_info = $request_context->getClient()->getUserContactInfo($user_id);
     $user_email = $request_context->getUser()->getEmail();
@@ -115,7 +116,11 @@
     $country_list = Util::getCountryList();
 
     if ($is_paid) {
-        $billing_info = $request_context->getClient()->getPaidAccountPageInfo();
+        if ($is_wpt_enterprise) {
+            $billing_info = $request_context->getClient()->getPaidEnterpriseAccountPageInfo();
+        } else {
+            $billing_info = $request_context->getClient()->getPaidAccountPageInfo();
+        }
         $customer_details = $billing_info['braintreeCustomerDetails'];
         $billing_frequency = $customer_details['billingFrequency'] == 12 ? "Annually" : "Monthly";
 
@@ -129,6 +134,7 @@
             $billing_info['plan_renewal'] = $plan_renewal_date->format('m/d/Y');
         }
 
+        $billing_info['is_wpt_enterprise'] = $is_wpt_enterprise;
         $billing_info['is_canceled'] = str_contains($customer_details['status'], 'CANCEL');
         $billing_info['billing_frequency'] = $billing_frequency;
         $client_token = $billing_info['braintreeClientToken'];

www/cpauth/signup.php

@@ -50,6 +50,7 @@
                 $_SESSION['signup-state'] = $body->state;
                 $_SESSION['signup-zipcode'] = $body->zipcode;
 
+                $host = Util::getSetting('host');
                 $redirect_uri = SignupHandler::postStepThree($request_context, $body);
 
                 // unset values
@@ -58,7 +59,7 @@
                 unset($_SESSION['signup-company-name']);
                 unset($_SESSION['signup-email']);
                 unset($_SESSION['signup-password']);
-                unset($_SESSION['signup-plan']);
+                setcookie('signup-plan', "", time() - 3600, '/', $host);
                 unset($_SESSION['signup-street-address']);
                 unset($_SESSION['signup-city']);
                 unset($_SESSION['signup-state']);
@@ -72,8 +73,8 @@
                 $body = SignupHandler::validatePostStepOne();
                 $redirect_uri = SignupHandler::postStepOne($request_context);
 
-                unset($_SESSION['signup-plan']);
-                $_SESSION['signup-plan'] = $body->plan;
+                $host = Util::getSetting('host');
+                setcookie('signup-plan', $body->plan, time() + (5 * 60), "/", $host);
 
                 header("Location: {$redirect_uri}");
                 break;
@@ -88,8 +89,8 @@
     );
 
     $signup_step = (int) filter_input(INPUT_GET, 'step', FILTER_SANITIZE_NUMBER_INT);
-    $plan = $_SESSION['signup-plan'] ?? null;
-    $is_plan_free = is_null($plan) || $plan == 'free';
+    $plan = $_COOKIE['signup-plan'] ?? 'free';
+    $is_plan_free = $plan == 'free';
 
     $auth_token = $_SESSION['signup-auth-token'] ?? null;
     if (is_null($auth_token)) {