[BUG#AC-2441] - Setting an invalid Cookie domain crash the website

Author: faizan-shk

dev/tests/integration/testsuite/Magento/Cookie/Model/Config/Backend/DomainTest.php

@@ -6,13 +6,15 @@
 namespace Magento\Cookie\Model\Config\Backend;
 
 use Magento\Framework\Exception\LocalizedException;
+use Magento\TestFramework\Helper\Bootstrap;
+use PHPUnit\Framework\TestCase;
 
 /**
  * Test \Magento\Cookie\Model\Config\Backend\Domain
  *
  * @magentoAppArea adminhtml
  */
-class DomainTest extends \PHPUnit\Framework\TestCase
+class DomainTest extends TestCase
 {
     /**
      * @param string $value
@@ -22,9 +24,9 @@ class DomainTest extends \PHPUnit\Framework\TestCase
      */
     public function testBeforeSave($value, $exceptionMessage = null)
     {
-        /** @var $domain \Magento\Cookie\Model\Config\Backend\Domain */
-        $domain = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()->create(
-            \Magento\Cookie\Model\Config\Backend\Domain::class
+        /** @var $domain Domain */
+        $domain = Bootstrap::getObjectManager()->create(
+            Domain::class
         );
         $domain->setValue($value);
         $domain->setPath('path');
@@ -45,18 +47,19 @@ public function testBeforeSave($value, $exceptionMessage = null)
     /**
      * @return array
      */
-    public function beforeSaveDataProvider()
+    public function beforeSaveDataProvider(): array
     {
         return [
-            'not string' => [['array'], 'Invalid domain name: must be a string'],
-            'invalid hostname' => [
+            'notString' => [['array'], 'Invalid domain name: must be a string'],
+            'invalidHostname' => [
                 'http://',
                 'Invalid domain name: The input does not match the expected structure for a DNS hostname; '
                 . 'The input does not appear to be a valid URI hostname; '
                 . 'The input does not appear to be a valid local network name',
             ],
-            'valid hostname' => ['hostname.com'],
-            'empty string' => [''],
+            'validHostname' => ['hostname.com'],
+            'emptyString' => [''],
+            'invalidCharacter' => ['hostname,com', 'Invalid domain name: invalid character in cookie domain'],
         ];
     }
 }

lib/internal/Magento/Framework/Session/Config/Validator/CookieDomainValidator.php

@@ -6,28 +6,43 @@
 
 namespace Magento\Framework\Session\Config\Validator;
 
+use Laminas\Validator\Hostname;
+use Magento\Framework\Validator\AbstractValidator;
+
 /**
  * Session cookie domain validator
  */
-class CookieDomainValidator extends \Magento\Framework\Validator\AbstractValidator
+class CookieDomainValidator extends AbstractValidator
 {
     /**
      * @inheritDoc
      */
     public function isValid($value)
     {
         $this->_clearMessages();
+
         if (!is_string($value)) {
             $this->_addMessages(['must be a string']);
+
             return false;
         }
 
-        $validator = new \Laminas\Validator\Hostname(\Laminas\Validator\Hostname::ALLOW_ALL);
+        //Hostname validator allows [;,] and returns the validator as true but these are unacceptable cookie domain
+        //characters hence need explicit validation for the same
+        if (preg_match('/[;,]/', $value)) {
+            $this->_addMessages(['invalid character in cookie domain']);
+
+            return false;
+        }
+
+        $validator = new Hostname(Hostname::ALLOW_ALL);
 
         if (!empty($value) && !$validator->isValid($value)) {
             $this->_addMessages($validator->getMessages());
+
             return false;
         }
+
         return true;
     }
 }