From 0286ab3513ade8681a7172c78440a81059435e22 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Wed, 24 Mar 2021 13:26:50 +0200
Subject: [ci skip] Add SameSite=Strict to CSRF cookie

---
 system/core/Security.php | 38 +++++++++++++++++++++++++++++---------
 1 file changed, 29 insertions(+), 9 deletions(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index e1dc2a92f..f6b0407f8 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -272,15 +272,35 @@ class CI_Security {
 			return FALSE;
 		}
 
-		setcookie(
-			$this->_csrf_cookie_name,
-			$this->_csrf_hash,
-			$expire,
-			config_item('cookie_path'),
-			config_item('cookie_domain'),
-			$secure_cookie,
-			config_item('cookie_httponly')
-		);
+		if (is_php('7.3'))
+		{
+			setcookie(
+				$this->_csrf_cookie_name,
+				$this->_csrf_hash,
+				array(
+					'expires'  => $expire,
+					'path'     => config_item('cookie_path'),
+					'domain'   => config_item('cookie_domain'),
+					'secure'   => $secure_cookie,
+					'httponly' => config_item('cookie_httponly'),
+					'samesite' => 'Strict'
+				)
+			);
+		}
+		else
+		{
+			$domain = trim(config_item('cookie_domain'));
+			header('Set-Cookie: '.$this->_csrf_cookie_name.'='.$this->_csrf_hash
+					.'; Expires='.gmdate('D, d-M-Y H:i:s T', $expire)
+					.'; Max-Age='.$this->_csrf_expire
+					.'; Path='.rawurlencode(config_item('cookie_path'))
+					.($domain === '' ? '' : '; Domain='.$domain)
+					.($secure_cookie ? '; Secure' : '')
+					.(config_item('cookie_httponly') ? '; HttpOnly' : '')
+					.'; SameSite=Strict'
+			);
+		}
+
 		log_message('info', 'CSRF cookie sent');
 
 		return $this;
-- 
cgit v1.2.3-24-g4f1b


From 39da78b2588a60a2f43fb8f77448ab9604550978 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Wed, 5 Jan 2022 16:25:49 +0200
Subject: Fix some minor PHP 8.1 deprecation warnings

---
 system/core/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index f6b0407f8..d1d4f8432 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -193,7 +193,7 @@ class CI_Security {
 			$this->_csrf_set_hash();
 		}
 
-		$this->charset = strtoupper(config_item('charset'));
+		$this->charset = strtoupper((string) config_item('charset'));
 
 		log_message('info', 'Security Class Initialized');
 	}
-- 
cgit v1.2.3-24-g4f1b