BUGFIX Cookies set to a value other than NULL (setting NULL effectively unsets the cookie) will now use the httpOnly parameter by default for better XSS protection (from r101045)

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@101046 467b73ca-7a2a-4603-9d3b-597d59a354a9
Sean Harvey 2010-03-15 05:28:40 +00:00 committed by Sam Minnee
parent 5fc298cf1e
commit 470082d12d
3 changed files with 8 additions and 8 deletions


@ -22,15 +22,16 @@ class Cookie {
if(!headers_sent($file, $line)) { if(!headers_sent($file, $line)) {
$expiry = $expiryDays > 0 ? time()+(86400*$expiryDays) : 0; $expiry = $expiryDays > 0 ? time()+(86400*$expiryDays) : 0;
$path = ($path) ? $path : Director::baseURL(); $path = ($path) ? $path : Director::baseURL();
// Versions of PHP prior to 5.2 do not support the $httpOnly value // Versions of PHP prior to 5.2 do not support the $httpOnly value
if(version_compare(phpversion(), 5.2, '<')) if(version_compare(phpversion(), 5.2, '<')) {
setcookie($name, $value, $expiry, $path, $domain, $secure); setcookie($name, $value, $expiry, $path, $domain, $secure);
else } else {
setcookie($name, $value, $expiry, $path, $domain, $secure, $httpOnly); setcookie($name, $value, $expiry, $path, $domain, $secure, $httpOnly);
}
} else { } else {
if(self::$report_errors) user_error("Cookie '$name' can't be set. The site started outputting was content at line $line in $file", E_USER_WARNING); if(self::$report_errors) user_error("Cookie '$name' can't be set. The site started outputting was content at line $line in $file", E_USER_WARNING);
} }
$_COOKIE[$name] = $value;
} }
/** /**
@ -54,4 +55,4 @@ class Cookie {
} }
} }
?> ?>
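Review bot: The new `$_COOKIE[$name] = $value;` sits after the headers_sent() if/else, so it also runs on the failure branch where setcookie() was never called, leaving the superglobal reporting a cookie the browser never received; for the NULL "unset" case the key also stays present with a null value. I would move the assignment into the success branch and clear the key on NULL: `if($value === null) unset($_COOKIE[$name]); else $_COOKIE[$name] = $value;`. Separately, the PHP < 5.2 branch silently drops a requested httpOnly flag; when `$httpOnly` is true and `self::$report_errors` is set, a `user_error("Cookie '$name' set without httpOnly: PHP < 5.2", E_USER_NOTICE)` in the style of the existing reporting would make that downgrade visible. Cookie::set's signature and parameter defaults start before this hunk, so the new default value of $httpOnly cannot be checked here.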


@ -81,7 +81,7 @@ class Controller extends RequestHandler {
if(Session::get('loggedInAs') && Security::database_is_ready()) { if(Session::get('loggedInAs') && Security::database_is_ready()) {
$member = Member::currentUser(); $member = Member::currentUser();
if($member) { if($member) {
if(!headers_sent()) Cookie::set("PastMember", true); Cookie::set("PastMember", true, 90, null, null, false, true);
DB::query("UPDATE \"Member\" SET \"LastVisited\" = " . DB::getConn()->now() . " WHERE \"ID\" = $member->ID", null); DB::query("UPDATE \"Member\" SET \"LastVisited\" = " . DB::getConn()->now() . " WHERE \"ID\" = $member->ID", null);
} }
} }
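Review bot: The rewritten Cookie::set call pins `$secure` to `false`, which prevents the PastMember cookie from ever being marked Secure even on a site served only over HTTPS; passing `null` (as the alc_enc call in Member.php did before this commit) or deriving the flag from the request, e.g. `!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'`, would be safer. The call also replaces the previous default lifetime with a fixed 90 days, a behaviour change the commit message does not mention and that deserves a comment such as `// Persist the marker for 90 days; httpOnly so client-side script cannot read it`. Dropping the `!headers_sent()` guard is fine since Cookie::set performs the same check, but with Cookie::$report_errors enabled it now emits a warning where this call used to stay silent.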


@ -312,7 +312,6 @@ class Member extends DataObject {
if($remember) { if($remember) {
$token = substr(md5(uniqid(rand(), true)), 0, 49 - strlen($this->ID)); $token = substr(md5(uniqid(rand(), true)), 0, 49 - strlen($this->ID));
$this->RememberLoginToken = $token; $this->RememberLoginToken = $token;
// Set cookie (with HTTPOnly flag if running on PHP 5.2 or newer)
Cookie::set('alc_enc', $this->ID . ':' . $token, 90, null, null, null, true); Cookie::set('alc_enc', $this->ID . ':' . $token, 90, null, null, null, true);
} else { } else {
$this->RememberLoginToken = null; $this->RememberLoginToken = null;
@ -378,11 +377,11 @@ class Member extends DataObject {
self::session_regenerate_id(); self::session_regenerate_id();
Session::set("loggedInAs", $member->ID); Session::set("loggedInAs", $member->ID);
// This lets apache rules detect whether the user has logged in // This lets apache rules detect whether the user has logged in
if(self::$login_marker_cookie) Cookie::set(self::$login_marker_cookie, 1, 0); if(self::$login_marker_cookie) Cookie::set(self::$login_marker_cookie, 1, 0, null, null, false, true);
$token = substr(md5(uniqid(rand(), true)), 0, 49 - strlen($member->ID)); $token = substr(md5(uniqid(rand(), true)), 0, 49 - strlen($member->ID));
$member->RememberLoginToken = $token; $member->RememberLoginToken = $token;
Cookie::set('alc_enc', $member->ID . ':' . $token, 90, null, null, null, true); Cookie::set('alc_enc', $member->ID . ':' . $token, 90, null, null, false, true);
$member->NumVisit++; $member->NumVisit++;
$member->write(); $member->write();
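Review bot: The `alc_enc` cookie on the last changed line now passes `false` for `$secure` where it previously passed `null`, and this cookie carries the member ID plus the remember-me token, i.e. a long-lived credential, so hard-coding `false` guarantees it is also sent over plain HTTP on HTTPS sites. Keep `null` to retain Cookie::set's default, or compute it from the request, e.g. `$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';` and pass `$secure` in both Cookie::set calls in this hunk. The same applies to the login-marker cookie, though as a 0/1 flag its exposure matters less. Not introduced by this commit but visible as context, the token comes from `md5(uniqid(rand(), true))`, which is not a cryptographic random source and is worth a follow-up. The enclosing method begins before this hunk and may continue after it.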