From 34fb2f3e6b84fdc12668d296a998e69abcf02518 Mon Sep 17 00:00:00 2001
From: azett
Date: Sat, 1 Oct 2022 14:07:54 +0200
Subject: [PATCH] HttpOnly flag for session cookie to prevent possible XSS - thx @melbinkm!
---
 defaults.php | 1 +
 fp-includes/core/core.cookie.php | 18 +++++++++-------
 fp-includes/core/core.session.php | 4 ++--
 fp-includes/core/core.users.php | 8 +++----
 fp-includes/core/core.wp-pluggable-funcs.php | 22 ++++++++++----------
 5 files changed, 28 insertions(+), 25 deletions(-)
diff --git a/defaults.php b/defaults.php
index e6e066b6..81eea9e7 100755
--- a/defaults.php
+++ b/defaults.php
@@ -121,6 +121,7 @@ $serverport = "false";
 // Unterstützung für Apache und IIS
 ini_set('session.cookie_secure', 1);
+ini_set('session.cookie_httponly', 1);
 if (isset($_SERVER ['HTTPS']) && ($_SERVER ['HTTPS'] == '1' || strtolower($_SERVER ['HTTPS']) == 'on')) {
 	$serverport = "https://";
 } else {
diff --git a/fp-includes/core/core.cookie.php b/fp-includes/core/core.cookie.php
index dd99493c..aadb6176 100644
--- a/fp-includes/core/core.cookie.php
+++ b/fp-includes/core/core.cookie.php
@@ -23,6 +23,8 @@ function cookie_setup() {
 		define('COOKIE_DOMAIN', false);
 	if (!defined('COOKIE_SECURE'))
 		define('COOKIE_SECURE', true);
+	if (!defined('COOKIE_HTTPONLY'))
+		define('COOKIE_HTTPONLY', true);
 }
 if (!function_exists('wp_get_cookie_login')) :
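Review bot: The new `COOKIE_HTTPONLY` default in `cookie_setup()` is added without a comment, so a reader has to know setcookie()'s seventh argument to understand what the constant controls or that a prior `define()` overrides it. Suggest one line above the `if (!defined('COOKIE_HTTPONLY'))`: `// HttpOnly keeps the user/pass cookies out of document.cookie; define COOKIE_HTTPONLY before cookie_setup() to override.` cookie_setup() begins outside the hunk, so the earlier defines (USER_COOKIE, PASS_COOKIE, COOKIE_DOMAIN) are only partly visible here.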
@@ -62,20 +64,20 @@ function cookie_set($username, $password, $already_md5 = false, $home = '', $sit
 	else $expire = 0;
-	setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
-	setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
+	setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
+	setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
 	if ($cookiepath != $sitecookiepath) {
-		setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
-		setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
+		setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
+		setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
 	}
 }
 function cookie_clear() {
-	setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
-	setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
-	setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
-	setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
+	setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
+	setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
+	setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
+	setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
 }
 if (!function_exists('wp_login')) :
diff --git a/fp-includes/core/core.session.php b/fp-includes/core/core.session.php
index 7a428e26..87904424 100755
--- a/fp-includes/core/core.session.php
+++ b/fp-includes/core/core.session.php
@@ -5,7 +5,7 @@ function sess_setup() {
 	session_save_path(SESSION_PATH);
 	session_name(SESS_COOKIE);
-	setcookie(SESS_COOKIE, '', 0, '', COOKIE_DOMAIN, COOKIE_SECURE);
+	setcookie(SESS_COOKIE, '', 0, '', COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
 	session_start();
 }
@@ -32,7 +32,7 @@ function sess_get($key) {
 function sess_close() {
 	unset($_SESSION);
 	if (isset($_COOKIE [session_name()])) {
-		setcookie(session_name(), '', time() - 42000, '/', COOKIE_SECURE);
+		setcookie(session_name(), '', time() - 42000, '/', COOKIE_SECURE, COOKIE_HTTPONLY);
 		session_set_cookie_params(-42000);
 	}
 	session_destroy();
diff --git a/fp-includes/core/core.users.php b/fp-includes/core/core.users.php
index 82d61d62..032a95cc 100755
--- a/fp-includes/core/core.users.php
+++ b/fp-includes/core/core.users.php
@@ -64,8 +64,8 @@ function user_login($userid, $pwd, $params = null) {
 	if ($loggedin) {
 		// session_regenerate_id();
 		$expire = time() + 31536000;
-		setcookie(USER_COOKIE, $userid, $expire, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
-		setcookie(PASS_COOKIE, $user ['password'], $expire, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
+		setcookie(USER_COOKIE, $userid, $expire, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
+		setcookie(PASS_COOKIE, $user ['password'], $expire, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
 	}
 	return $loggedin;
@@ -76,8 +76,8 @@ function user_logout() {
 	if (user_loggedin()) {
-		setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
-		setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
+		setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
+		setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
 	}
 	$loggedin = false;
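Review bot: In `sess_setup()` the HttpOnly flag is added to a `setcookie(SESS_COOKIE, '', 0, ...)` call that only emits an empty placeholder cookie; the session cookie that actually carries the id is written by `session_start()` on the next line, and its attributes come from the `session.cookie_*` ini settings, not from this call. The protection the commit title describes therefore rests on the `ini_set('session.cookie_httponly', 1)` added in defaults.php, which I assume runs before sess_setup() — worth confirming. It would be clearer to configure the session cookie in one place, e.g. replace the setcookie() line with `session_set_cookie_params(['secure' => COOKIE_SECURE, 'httponly' => COOKIE_HTTPONLY, 'samesite' => 'Lax']);` immediately before `session_start()`, so the Secure/HttpOnly/SameSite attributes of the real session cookie do not depend on ini load order.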
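Review bot: In `sess_close()` the new `COOKIE_HTTPONLY` does not land in setcookie()'s `$httponly` parameter: the call passes `'/'` as `$path`, so `COOKIE_SECURE` is consumed as `$domain`, `COOKIE_HTTPONLY` becomes `$secure`, and the seventh argument is still missing — the flag is never set, and the boolean in the domain slot is coerced to an unintended domain attribute, which may also stop this deletion cookie from matching the one the browser holds. The missing `COOKIE_DOMAIN` should be inserted: `setcookie(session_name(), '', time() - 42000, '/', COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);`. The same shifted argument list appears in the `wp_setcookie()` and `wp_clearcookie()` hunks of core.wp-pluggable-funcs.php, where every call has `$cookiepath, COOKIE_SECURE, COOKIE_HTTPONLY` (or `COOKIEPATH, ...`) and needs `COOKIE_DOMAIN` before `COOKIE_SECURE`; there it is the login cookies themselves that end up without HttpOnly, so this commit does not deliver the fix for that code path.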
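Review bot: `user_login()` still has `// session_regenerate_id();` commented out directly above the cookies hardened in this hunk, so a session id that existed before authentication stays valid after it; HttpOnly does not address that fixation risk. Since this commit is about protecting the session cookie, the success path should rotate the id, e.g. replace the commented line with `session_regenerate_id(true);`. user_login()'s body begins outside the hunk, so I cannot see whether the id is regenerated elsewhere in it.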
diff --git a/fp-includes/core/core.wp-pluggable-funcs.php b/fp-includes/core/core.wp-pluggable-funcs.php
index 815e0207..45941c16 100755
--- a/fp-includes/core/core.wp-pluggable-funcs.php
+++ b/fp-includes/core/core.wp-pluggable-funcs.php
@@ -6,7 +6,7 @@
  */
 function _get_nextprev_link($nextprev) {
 	global $fpdb;
-	$q = & $fpdb->getQuery();
+	$q = &$fpdb->getQuery();
 	list ($caption, $id) = call_user_func(array( &$q,
@@ -42,7 +42,7 @@ function _get_nextprev_link($nextprev) {
 function get_nextpage_link() {
 	global $fpdb;
-	$q = & $fpdb->getQuery();
+	$q = &$fpdb->getQuery();
 	$a = _get_nextprev_link('NextPage');
@@ -59,7 +59,7 @@ function get_nextpage_link() {
 function get_prevpage_link() {
 	global $fpdb;
-	$q = & $fpdb->getQuery();
+	$q = &$fpdb->getQuery();
 	$a = _get_nextprev_link('PrevPage');
@@ -292,12 +292,12 @@ function wp_setcookie($username, $password, $already_md5 = false, $home = '', $s
 		$cookiehash = md5($siteurl);
 	}
-	setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $cookiepath, COOKIE_SECURE);
-	setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $cookiepath, COOKIE_SECURE);
+	setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $cookiepath, COOKIE_SECURE, COOKIE_HTTPONLY);
+	setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $cookiepath, COOKIE_SECURE, COOKIE_HTTPONLY);
 	if ($cookiepath != $sitecookiepath) {
-		setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $sitecookiepath, COOKIE_SECURE);
-		setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $sitecookiepath, COOKIE_SECURE);
+		setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $sitecookiepath, COOKIE_SECURE, COOKIE_HTTPONLY);
+		setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $sitecookiepath, COOKIE_SECURE, COOKIE_HTTPONLY);
 	}
 }
 endif;
@@ -305,10 +305,10 @@ function wp_setcookie($username, $password, $already_md5 = false, $home = '', $s
 if (!function_exists('wp_clearcookie')) :
 function wp_clearcookie() {
-	setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, COOKIE_SECURE);
-	setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, COOKIE_SECURE);
-	setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_SECURE);
-	setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_SECURE);
+	setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, COOKIE_SECURE, COOKIE_HTTPONLY);
+	setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, COOKIE_SECURE, COOKIE_HTTPONLY);
+	setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_SECURE, COOKIE_HTTPONLY);
+	setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_SECURE, COOKIE_HTTPONLY);
 }
 endif;