From 7e1208c9108c34710407edd8fe5199c6a8a414bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Anne?=
Date: Wed, 15 Sep 2021 09:56:54 +0200
Subject: [PATCH] Merge pull request from GHSA-hwxq-4c5f-m4v2

* Force session to use cookies and prevent JS scripts to access to them

* Prevent JS scripts to be able to access rememberme cookie
---
 front/logout.php | 8 +-------
 inc/auth.class.php | 43 ++++++++++++++++++++++++++++++++-----------
 inc/session.class.php | 5 +++++
 3 files changed, 38 insertions(+), 18 deletions(-)

diff --git a/front/logout.php b/front/logout.php
index 4f2cc443149..889c94910f4 100644
--- a/front/logout.php
+++ b/front/logout.php
@@ -76,13 +76,7 @@
 Session::destroy();
 //Remove cookie to allow new login
-$cookie_name = session_name() . '_rememberme';
-$cookie_path = ini_get('session.cookie_path');
-
-if (isset($_COOKIE[$cookie_name])) {
- setcookie($cookie_name, '', time() - 3600, $cookie_path);
- unset($_COOKIE[$cookie_name]);
-}
+Auth::setRememberMeCookie('');
 // Redirect to the login-page
 Html::redirect($CFG_GLPI["root_doc"]."/index.php".$toADD);
diff --git a/inc/auth.class.php b/inc/auth.class.php
index b15bfb6608b..f8e53dd2a4d 100644
--- a/inc/auth.class.php
+++ b/inc/auth.class.php
@@ -591,8 +591,7 @@ function getAlternateAuthSystemsUserLogin($authtype = 0) {
 }
 break;
 case self::COOKIE:
- $cookie_name = session_name() . '_rememberme';
- $cookie_path = ini_get('session.cookie_path');
+ $cookie_name = session_name() . '_rememberme';
 if ($CFG_GLPI["login_remember_time"]) {
 $data = json_decode($_COOKIE[$cookie_name], true);
@@ -615,8 +614,7 @@ function getAlternateAuthSystemsUserLogin($authtype = 0) {
 }
 //Remove cookie to allow new login
- setcookie($cookie_name, '', time() - 3600, $cookie_path);
- unset($_COOKIE[$cookie_name]);
+ Auth::setRememberMeCookie('');
 break;
 }
 return false;
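Review bot: `Auth::setRememberMeCookie('')` in the logout hunk only expires the cookie in the browser; nothing visible here invalidates the server-side `cookie_token` that the cookie carries (the login hunk obtains it via `getAuthToken('cookie_token', true)`), so a remember-me cookie copied before logout presumably stays usable until its own expiry unless `Session::destroy()` or code outside this hunk rotates that token — worth confirming. If logout is meant to revoke remember-me, reset or regenerate the user's `cookie_token` on the server here as well, before the redirect; the User API for that is not in this diff so I am not quoting a call. A short comment such as `// expires the browser cookie only; the stored cookie_token is untouched` would at least make the current scope explicit. The logout script continues above the hunk.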
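Review bot: The retained `$cookie_name = session_name() . '_rememberme';` in the `self::COOKIE` branch now duplicates the name construction that lives inside `setRememberMeCookie()`, so the read path and the write/delete path can silently drift if either string is edited. Expose the name from one place, e.g. `public static function getRememberMeCookieName(): string { return session_name() . '_rememberme'; }`, and call it from both sites. Separately, the context line `json_decode($_COOKIE[$cookie_name], true)` has no visible `isset`/`is_array` guard; if the branch is only entered when the cookie exists that is fine, but the check is outside this hunk. `getAlternateAuthSystemsUserLogin()` starts before and ends after the hunk.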
@@ -971,19 +969,13 @@ function login($login_name, $login_password, $noauto = false, $remember_me = fal
 $token = $this->user->getAuthToken('cookie_token', true);
 if ($token) {
- //Cookie name (Allow multiple GLPI)
- $cookie_name = session_name() . '_rememberme';
- //Cookie session path
- $cookie_path = ini_get('session.cookie_path');
-
 $data = json_encode([
 $this->user->fields['id'],
 $token,
 ]);
 //Send cookie to browser
- setcookie($cookie_name, $data, time() + $CFG_GLPI['login_remember_time'], $cookie_path);
- $_COOKIE[$cookie_name] = $data;
+ Auth::setRememberMeCookie($data);
 }
 }
@@ -1725,4 +1717,33 @@ static function dropdownLogin() {
 static function getIcon() {
 return "fas fa-sign-in-alt";
 }
+
+ /**
+ * Defines "rememberme" cookie.
+ *
+ * @param string $cookie_value
+ *
+ * @return void
+ */
+ public static function setRememberMeCookie(string $cookie_value): void {
+ global $CFG_GLPI;
+
+ $cookie_name = session_name() . '_rememberme';
+ $cookie_lifetime = empty($cookie_value) ? time() - 3600 : time() + $CFG_GLPI['login_remember_time'];
+ $cookie_path = ini_get('session.cookie_path');
+ $cookie_domain = ini_get('session.cookie_domain');
+ $cookie_secure = (bool)ini_get('session.cookie_secure');
+
+ if (empty($cookie_value) && !isset($_COOKIE[$cookie_name])) {
+ return;
+ }
+
+ setcookie($cookie_name, $cookie_value, $cookie_lifetime, $cookie_path, $cookie_domain, $cookie_secure, true);
+
+ if (empty($cookie_value)) {
+ unset($_COOKIE[$cookie_name]);
+ } else {
+ $_COOKIE[$cookie_name] = $cookie_value;
+ }
+ }
 }
diff --git a/inc/session.class.php b/inc/session.class.php
index 3c1da8bc659..1a9c6d38e60 100644
--- a/inc/session.class.php
+++ b/inc/session.class.php
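Review bot: `$data` goes straight into `setRememberMeCookie(string ...)` without checking `json_encode()`'s return; on a failure it is `false`, which without `strict_types` coerces to `''` and silently takes the helper's delete-cookie branch, so login would quietly not set the cookie instead of failing. Unlikely with an int id and a token string, but cheap to make loud: `$data = json_encode([...], JSON_THROW_ON_ERROR);` if the supported PHP floor is 7.3 or later, otherwise `if ($data === false) { return; }` before the call. Inside class `Auth` the new call can also be `self::setRememberMeCookie($data);` rather than naming the class. `login()` continues on both sides of the hunk.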
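Review bot: In `setRememberMeCookie()` the Secure flag is taken only from `session.cookie_secure`, which the companion `Session::start()` change does not set, so on a default php.ini the remember-me cookie — a long-lived bearer credential — is emitted without Secure and can be replayed from a plaintext HTTP request, and no SameSite attribute is set at all. Derive Secure from the request as well (`$_SERVER['HTTPS']`, or a proxy-aware helper if GLPI has one — none is visible in this diff) and, if the PHP floor is 7.3 or later, use the options-array form of `setcookie()` so `samesite` can be sent. Minor: `empty($cookie_value)` treats the string `'0'` as a delete request where `$cookie_value === ''` says what is meant. The docblock should also state that an empty value expires the cookie and that `$CFG_GLPI['login_remember_time']` is read as a number of seconds.
```php
public static function setRememberMeCookie(string $cookie_value): void {
   global $CFG_GLPI;

   // … unchanged: $cookie_name, $cookie_path, $cookie_domain …
   $cookie_lifetime = $cookie_value === '' ? time() - 3600 : time() + $CFG_GLPI['login_remember_time'];
   // Secure whenever the request itself is HTTPS, not only when php.ini says so.
   $cookie_secure = (bool)ini_get('session.cookie_secure')
      || (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');

   if ($cookie_value === '' && !isset($_COOKIE[$cookie_name])) {
      return;
   }

   // Options-array form (PHP >= 7.3) is the only way to emit SameSite.
   setcookie($cookie_name, $cookie_value, [
      'expires'  => $cookie_lifetime,
      'path'     => $cookie_path,
      'domain'   => $cookie_domain,
      'secure'   => $cookie_secure,
      'httponly' => true,
      'samesite' => 'Lax',
   ]);

   if ($cookie_value === '') {
      unset($_COOKIE[$cookie_name]);
   } else {
      $_COOKIE[$cookie_name] = $cookie_value;
   }
}
```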
@@ -203,7 +203,12 @@ static function setPath() {
 static function start() {
 if (session_status() === PHP_SESSION_NONE) {
+ // Force session to use cookies and prevent JS scripts to access to them
+ ini_set('session.cookie_httponly', '1');
+ ini_set('session.use_only_cookies', '1');
+
 session_name("glpi_".md5(realpath(GLPI_ROOT)));
+
 @session_start();
 }
 // Define current time for sync of action timing
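Review bot: The two new `ini_set()` calls stop at HttpOnly and cookies-only; `session.use_strict_mode` and `session.cookie_secure` are left at their php.ini defaults (off), so PHP will still adopt a session ID that an attacker planted in the cookie (fixation, unless the login path regenerates the ID — not visible here) and the session cookie can still travel over plain HTTP. Add `ini_set('session.use_strict_mode', '1');` next to the new lines, and consider `ini_set('session.cookie_secure', '1');` when the request is known to be HTTPS — that setting is also what `Auth::setRememberMeCookie()` reads for its own Secure flag. A comment such as `// must run before session_start(): cookie flags are not applied retroactively` would document the ordering the code depends on. `start()` continues past the hunk.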