Merge pull request from GHSA-hwxq-4c5f-m4v2
* Force session to use cookies and prevent JS scripts from accessing them

* Prevent JS scripts from accessing the rememberme cookie
cedric-anne committed Sep 15, 2021
1 parent 93750ea commit 7e1208c
Showing 3 changed files with 38 additions and 18 deletions.
8 changes: 1 addition & 7 deletions front/logout.php
Expand Up @@ -76,13 +76,7 @@
Session::destroy();

//Remove cookie to allow new login
$cookie_name = session_name() . '_rememberme';
$cookie_path = ini_get('session.cookie_path');

if (isset($_COOKIE[$cookie_name])) {
setcookie($cookie_name, '', time() - 3600, $cookie_path);
unset($_COOKIE[$cookie_name]);
}
Auth::setRememberMeCookie('');

// Redirect to the login-page
Html::redirect($CFG_GLPI["root_doc"]."/index.php".$toADD);
43 changes: 32 additions & 11 deletions inc/auth.class.php
Expand Up @@ -591,8 +591,7 @@ function getAlternateAuthSystemsUserLogin($authtype = 0) {
}
break;
case self::COOKIE:
$cookie_name = session_name() . '_rememberme';
$cookie_path = ini_get('session.cookie_path');
$cookie_name = session_name() . '_rememberme';

if ($CFG_GLPI["login_remember_time"]) {
$data = json_decode($_COOKIE[$cookie_name], true);
Expand All @@ -615,8 +614,7 @@ function getAlternateAuthSystemsUserLogin($authtype = 0) {
}

//Remove cookie to allow new login
setcookie($cookie_name, '', time() - 3600, $cookie_path);
unset($_COOKIE[$cookie_name]);
Auth::setRememberMeCookie('');
break;
}
return false;
Expand Down Expand Up @@ -971,19 +969,13 @@ function login($login_name, $login_password, $noauto = false, $remember_me = fal
$token = $this->user->getAuthToken('cookie_token', true);

if ($token) {
//Cookie name (Allow multiple GLPI)
$cookie_name = session_name() . '_rememberme';
//Cookie session path
$cookie_path = ini_get('session.cookie_path');

$data = json_encode([
$this->user->fields['id'],
$token,
]);

//Send cookie to browser
setcookie($cookie_name, $data, time() + $CFG_GLPI['login_remember_time'], $cookie_path);
$_COOKIE[$cookie_name] = $data;
Auth::setRememberMeCookie($data);
}
}

Expand Down Expand Up @@ -1725,4 +1717,33 @@ static function dropdownLogin() {
static function getIcon() {
return "fas fa-sign-in-alt";
}

/**
* Defines "rememberme" cookie.
*
* @param string $cookie_value
*
* @return void
*/
public static function setRememberMeCookie(string $cookie_value): void {
global $CFG_GLPI;

$cookie_name = session_name() . '_rememberme';
$cookie_lifetime = empty($cookie_value) ? time() - 3600 : time() + $CFG_GLPI['login_remember_time'];
$cookie_path = ini_get('session.cookie_path');
$cookie_domain = ini_get('session.cookie_domain');
$cookie_secure = (bool)ini_get('session.cookie_secure');

if (empty($cookie_value) && !isset($_COOKIE[$cookie_name])) {
return;
}

setcookie($cookie_name, $cookie_value, $cookie_lifetime, $cookie_path, $cookie_domain, $cookie_secure, true);

if (empty($cookie_value)) {
unset($_COOKIE[$cookie_name]);
} else {
$_COOKIE[$cookie_name] = $cookie_value;
}
}
}
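Review bot: The new `setRememberMeCookie` mirrors only `session.cookie_path`, `session.cookie_domain` and `session.cookie_secure` from ini and hard-codes httponly, so the cookie carrying a long-lived authentication token gets no SameSite attribute and its Secure flag is only as strong as the host's php.ini. If the supported PHP floor is 7.3 or later, the options-array form of `setcookie()` lets it follow `session.cookie_samesite` too (sketched below, hedged on that version floor); otherwise the limitation belongs in the docblock. The docblock should also state the contract the body relies on: an empty `$cookie_value` expires and unsets the cookie (and is a no-op when no cookie is present), a non-empty one sets it for `login_remember_time` seconds and mirrors it into `$_COOKIE`. A one-line comment on `(bool)ini_get('session.cookie_secure')` noting that PHP normalises an `Off` ini value to `""`/`"0"` would make the cast's intent clear.
```php
    // … unchanged: name, lifetime, path, domain, secure resolution and early return …
    setcookie($cookie_name, $cookie_value, [
        'expires'  => $cookie_lifetime,
        'path'     => $cookie_path,
        'domain'   => $cookie_domain,
        'secure'   => $cookie_secure,
        'httponly' => true,
        // Follow the session cookie's SameSite policy; fall back to Lax when unset.
        'samesite' => ini_get('session.cookie_samesite') ?: 'Lax',
    ]);
    // … unchanged: $_COOKIE mirror/unset …
```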
5 changes: 5 additions & 0 deletions inc/session.class.php
Expand Up @@ -203,7 +203,12 @@ static function setPath() {
static function start() {

if (session_status() === PHP_SESSION_NONE) {
// Force session to use cookies and prevent JS scripts to access to them
ini_set('session.cookie_httponly', '1');
ini_set('session.use_only_cookies', '1');

session_name("glpi_".md5(realpath(GLPI_ROOT)));

@session_start();
}
// Define current time for sync of action timing
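Review bot: The two `ini_set` calls stop script access to the session cookie but leave `session.cookie_secure` and `session.cookie_samesite` at their php.ini defaults, so on a host that does not set them the session id is still sendable over plain HTTP; when the application knows it is served over TLS, `ini_set('session.cookie_secure', '1');` belongs next to them. The return values of `ini_set` are unchecked, so a directive locked in the SAPI configuration would fail silently — both of these are changeable at runtime, but a comment such as `// Both directives are PHP_INI_ALL, so ini_set cannot be refused here` would document why no check is made. The `@session_start()` suppression is pre-existing, and the rest of `start()` continues below the hunk.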
