From f95bd0df6e143ea13c9c831c8d12a2044e26216d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Jacquet?=
Date: Sat, 31 Jul 2021 15:23:20 +0200
Subject: [PATCH] Fix #316 CSRF security issue set cookie samesite to strict

---
 CHANGES.md | 1 +
 Warehouse.php | 41 +++++++++++++++++++++++++++++++----------
 2 files changed, 32 insertions(+), 10 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 312659ddd..85023b178 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -16,6 +16,7 @@ Changes in 7.9.2
 ----------------
 - Fix SQL error when single quote in Course Title in InputFinalGrades.php
 - Fix include Semester course periods in the Schedule table in Schedule.inc.php
+- Fix #316 CSRF security issue set cookie samesite to strict, thanks to @huntrdev
 
 Changes in 7.9.1
 ----------------
diff --git a/Warehouse.php b/Warehouse.php
index 0effc2640..090f5a6b9 100644
--- a/Warehouse.php
+++ b/Warehouse.php
@@ -109,19 +109,40 @@
  */
 session_name( 'RosarioSIS' );
 
-// See http://php.net/manual/en/session.security.php.
+// @link http://php.net/manual/en/session.security.php
 $cookie_path = dirname( $_SERVER['SCRIPT_NAME'] ) === DIRECTORY_SEPARATOR ? '/' : dirname( $_SERVER['SCRIPT_NAME'] ) . '/';
 
-session_set_cookie_params(
- 0,
- $cookie_path,
- '',
- // Cookie secure flag for https.
- ( ( ! empty( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] !== 'off' ) ||
- ( isset( $_SERVER['SERVER_PORT'] ) && $_SERVER['SERVER_PORT'] == 443 ) ),
- true
-);
+// Fix #316 CSRF security issue set cookie samesite to strict.
+// @link https://www.php.net/manual/en/function.session-set-cookie-params.php#125072
+$cookie_samesite = 'Strict';
+
+// Cookie secure flag for https.
+$cookie_https_only = ( ! empty( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] !== 'off' ) ||
+ ( isset( $_SERVER['SERVER_PORT'] ) && $_SERVER['SERVER_PORT'] == 443 );
+
+if ( PHP_VERSION_ID < 70300 )
+{
+ // PHP version < 7.3.
+ session_set_cookie_params(
+ 0,
+ $cookie_path . '; samesite=' . $cookie_samesite,
+ '',
+ $cookie_https_only,
+ true
+ );
+}
+else
+{
+ session_set_cookie_params( array(
+ 'lifetime' => 0,
+ 'path' => $cookie_path,
+ 'domain' => '',
+ 'secure' => $cookie_https_only,
+ 'httponly' => true,
+ 'samesite' => $cookie_samesite,
+ ) );
+}
 
 session_cache_limiter( 'nocache' );
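Review bot: The `$cookie_samesite = 'Strict'` setting is a browser-enforced mitigation rather than a complete CSRF fix, and the "Fix #316" comment above it reads as if the attribute alone closes the issue — user agents that do not implement SameSite ignore it (the PHP < 7.3 branch additionally depends on the browser tolerating the `; samesite=` suffix smuggled through the path argument), so state-changing requests still need server-side CSRF tokens. Strict also withholds the session cookie on every cross-site top-level navigation, e.g. a link to the app from an email, so such users arrive logged out; if that is not intended, `Lax` still blocks cross-site POSTs while keeping those deep links working. I would extend the comment to `// SameSite is defense in depth against CSRF: browsers without SameSite support ignore it, so per-request CSRF tokens remain required.` Separately, `$_SERVER['SERVER_PORT'] == 443` in `$cookie_https_only` is a loose comparison carried over from the old code; `(int) $_SERVER['SERVER_PORT'] === 443` would be stricter, and behind a TLS-terminating proxy neither `HTTPS` nor the port may reflect the client connection, so the Secure flag may be omitted there (inferred, not visible in the hunk). The surrounding file continues outside the hunk.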