Fix CWE-614 when server is using HTTPS

- Details: https://cwe.mitre.org/data/definitions/614.html - When server is using HTTPS, set the secure flag on all cookies
craigk5n · Oct 15, 2021 · 980fae6 · 980fae6
1 parent d3f9e85
commit 980fae6
Show file tree

Hide file tree

Showing 10 changed files with 36 additions and 19 deletions.
diff --git a/admin.php b/admin.php
@@ -11,7 +11,7 @@
 if ( isset ( $_COOKIE['webcalendar_csscache'] ) )
   $webcalendar_csscache += $_COOKIE['webcalendar_csscache'];
 
-SetCookie ( 'webcalendar_csscache', $webcalendar_csscache );
+sendCookie ( 'webcalendar_csscache', $webcalendar_csscache );
 
 function save_pref ( $prefs, $src ) {
   global $error;

diff --git a/includes/classes/WebCalendar.php b/includes/classes/WebCalendar.php
@@ -569,7 +569,7 @@ function _initValidate() {
             if ( ! empty ( $login ) && $login != addslashes ( $login ) ) {
               // The following deletes the bad cookie.
               // So, the user just needs to reload.
-              SetCookie ( 'webcalendar_session', '', 0 );
+              sendCookie ( 'webcalendar_session', '', 0 );
               die_miserable_death ( 'Illegal characters in login <tt>'
                  . htmlentities ( $login )
                  . '</tt>. Press browser reload to clear bad cookie.' );

diff --git a/includes/common_admin_pref.php b/includes/common_admin_pref.php
@@ -7,7 +7,7 @@
 if ( isset ( $_COOKIE['webcalendar_csscache'] ) )
   $webcalendar_csscache += $_COOKIE['webcalendar_csscache'];
 
-SetCookie ( 'webcalendar_csscache', $webcalendar_csscache );
+sendCookie ( 'webcalendar_csscache', $webcalendar_csscache );
 
 $catStr = $color_sets = $currenttab = $datestyle_md = $datestyle_my = '';
 $datestyle_tk = $datestyle_ymd = $lang_list = $menu_theme_list = '';
@@ -333,4 +333,4 @@ function save_pref ( $prefs, $src ) {
   load_user_preferences ();
 }
 
-?>
+?>
diff --git a/includes/functions.php b/includes/functions.php
@@ -2624,7 +2624,7 @@ function get_last_view ( $clear=true ) {
     ? str_replace ( '&', '&amp;', $_COOKIE['webcalendar_last_view'] ) : '' );
 
   if ( $clear )
-    SetCookie ( 'webcalendar_last_view', '', 0 );
+    sendCookie ( 'webcalendar_last_view', '', 0 );
 
   return $val;
 }
@@ -5600,7 +5600,7 @@ function remember_this_view ( $view = false ) {
   if ( strstr ( $REQUEST_URI, 'friendly=' ) )
     return;
 
-  SetCookie ( 'webcalendar_last_view', $REQUEST_URI );
+  sendCookie ( 'webcalendar_last_view', $REQUEST_URI );
 
 }
 
@@ -6520,4 +6520,21 @@ function require_valid_referring_url ()
   }
 }
 
+/**
+  * Is the current connection using HTTPS rather than HTTP?
+  */
+function isSecure() {
+  return
+    (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
+    || $_SERVER['SERVER_PORT'] == 443;
+}
+
+function sendCookie($name, $value, $expiration=0, $sensitive=true) {
+  $path = '';
+  $domain = '';
+  // If sensitive and HTTPS is supported, set secure to true
+  $secure = $sensitive && isSecure();
+  SetCookie ( $name, $value, $expiration, $path, $domain, $secure, false);
+}
+
 ?>
diff --git a/includes/init.php b/includes/init.php
@@ -236,7 +236,7 @@ function print_header( $includes = '', $HeadX = '', $BodyX = '',
       $webcalendar_csscache = $_COOKIE['webcalendar_csscache'];
     else {
       $webcalendar_csscache = 1;
-      SetCookie( 'webcalendar_csscache', $webcalendar_csscache );
+      sendCookie( 'webcalendar_csscache', $webcalendar_csscache );
     }
     $ret .= '
     <link href="css_cacher.php?login='

diff --git a/login-app.php b/login-app.php
@@ -29,14 +29,14 @@
 if ( ! empty ( $action ) && $action == 'logout' ) {
   $logout = true;
   $return_path = '';
-  SetCookie ( 'webcalendar_last_view', '', 0 );
-  SetCookie ( 'webcalendar_login', '', 0 );
+  sendCookie ( 'webcalendar_last_view', '', 0 );
+  sendCookie ( 'webcalendar_login', '', 0 );
 } else
 if ( empty ( $return_path ) ) {
   // See if a return path was set.
   $return_path = get_last_view();
   if ( ! empty ( $return_path ) )
-    SetCookie ( 'webcalendar_last_view', '', 0 );
+    sendCookie ( 'webcalendar_last_view', '', 0 );
 }
 
 $appStr = generate_application_name();

diff --git a/login.php b/login.php
@@ -56,8 +56,8 @@
 if (!empty($action) && $action == 'logout') {
   $logout = true;
   $return_path = '';
-  SetCookie('webcalendar_login', '', 0);
-  SetCookie('webcalendar_last_view', '', 0);
+  sendCookie('webcalendar_login', '', 0);
+  sendCookie('webcalendar_last_view', '', 0);
   $message = translate('You have been logged out.');
 } else
 if (empty($return_path)) {
@@ -114,7 +114,7 @@
       // If $remember, set login to expire in 365 days.
       $timeStr = (!empty($remember) && $remember == 'yes'
         ? time() + 31536000 : 0);
-      SetCookie('webcalendar_session', $encoded_login, $timeStr, $cookie_path);
+      sendCookie('webcalendar_session', $encoded_login, $timeStr, $cookie_path);
 
       // The cookie "webcalendar_login" is provided as a convenience to other
       // apps that may wish to know what was the last calendar login,
@@ -123,7 +123,7 @@
       // used to allow logins within this app. It is used to load user
       // preferences on the login page (before anyone has logged in)
       // if $REMEMBER_LAST_LOGIN is set to "Y" (in admin.php).
-      SetCookie('webcalendar_login', $login, $timeStr, $cookie_path);
+      sendCookie('webcalendar_login', $login, $timeStr, $cookie_path);
 
       if (!empty($GLOBALS['newUserUrl'])) {
         $url = $GLOBALS['newUserUrl'];
@@ -154,13 +154,13 @@
     //$error = "Start";
   }
   // Delete current user.
-  SetCookie('webcalendar_session', '', 0, $cookie_path);
+  sendCookie('webcalendar_session', '', 0, $cookie_path);
   // In older versions, the cookie path had no trailing slash and NS 4.78
   // thinks "path/" and "path" are different, so the line above does not
   // delete the "old" cookie. This prohibits the login. So we also delete the
   // cookie with the trailing slash removed.
   if (substr($cookie_path, -1) == '/') {
-    SetCookie('webcalendar_session', '', 0, substr($cookie_path, 0, -1));
+    sendCookie('webcalendar_session', '', 0, substr($cookie_path, 0, -1));
   }
 }
 echo send_doctype($appStr);

diff --git a/nulogin.php b/nulogin.php
@@ -67,7 +67,7 @@
 $encoded_login = encode_string ( $login . '|nonuser' );
 
 // set login to expire in 365 days
-SetCookie ( 'webcalendar_session', $encoded_login,
+sendCookie ( 'webcalendar_session', $encoded_login,
   ( ! empty ( $remember ) && $remember == 'yes' ?
   31536000 + time() : 0 ), $cookie_path );
 

diff --git a/pref.php b/pref.php
@@ -7,7 +7,7 @@
 if  ( isset ( $_COOKIE['webcalendar_csscache'] ) ) {
   $webcalendar_csscache += $_COOKIE['webcalendar_csscache'];
 }
-SetCookie ( 'webcalendar_csscache', $webcalendar_csscache );
+sendCookie ( 'webcalendar_csscache', $webcalendar_csscache );
 
 function save_pref( $prefs, $src) {
   global $prefuser;

diff --git a/ws/login.php b/ws/login.php
@@ -63,7 +63,7 @@
        . chr ( rand ( ord ( 'A' ), ord ( 'z' ) ) );
       $encoded_login = encode_string ( $login . '|'
        . crypt ( $password, $salt ) );
-      // SetCookie ( 'webcalendar_session', $encoded_login, 0, $cookie_path );
+      // sendCookie ( 'webcalendar_session', $encoded_login, 0, $cookie_path );
       $out .= '
   <cookieName>webcalendar_session</cookieName>
   <cookieValue>$encoded_login</cookieValue>' . ( $is_admin ? '