From 0286ab3513ade8681a7172c78440a81059435e22 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 24 Mar 2021 13:26:50 +0200 Subject: [ci skip] Add SameSite=Strict to CSRF cookie --- system/core/Security.php | 38 +++++++++++++++++++++++++++++--------- 1 file changed, 29 insertions(+), 9 deletions(-) (limited to 'system/core') diff --git a/system/core/Security.php b/system/core/Security.php index e1dc2a92f..f6b0407f8 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -272,15 +272,35 @@ class CI_Security { return FALSE; } - setcookie( - $this->_csrf_cookie_name, - $this->_csrf_hash, - $expire, - config_item('cookie_path'), - config_item('cookie_domain'), - $secure_cookie, - config_item('cookie_httponly') - ); + if (is_php('7.3')) + { + setcookie( + $this->_csrf_cookie_name, + $this->_csrf_hash, + array( + 'expires' => $expire, + 'path' => config_item('cookie_path'), + 'domain' => config_item('cookie_domain'), + 'secure' => $secure_cookie, + 'httponly' => config_item('cookie_httponly'), + 'samesite' => 'Strict' + ) + ); + } + else + { + $domain = trim(config_item('cookie_domain')); + header('Set-Cookie: '.$this->_csrf_cookie_name.'='.$this->_csrf_hash + .'; Expires='.gmdate('D, d-M-Y H:i:s T', $expire) + .'; Max-Age='.$this->_csrf_expire + .'; Path='.rawurlencode(config_item('cookie_path')) + .($domain === '' ? '' : '; Domain='.$domain) + .($secure_cookie ? '; Secure' : '') + .(config_item('cookie_httponly') ? '; HttpOnly' : '') + .'; SameSite=Strict' + ); + } + log_message('info', 'CSRF cookie sent'); return $this; -- cgit v1.2.3-24-g4f1b From 74384ca7f88913b87e982696bb5cb3eb5593c451 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 20 Dec 2021 15:47:39 +0200 Subject: Merge pull request #6074 from philsturgeon/ci3-php8 CodeIgniter 3.0 on PHP 8 --- system/core/Output.php | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'system/core') diff --git a/system/core/Output.php b/system/core/Output.php index cef092600..93d85e798 100644 --- a/system/core/Output.php +++ b/system/core/Output.php @@ -299,10 +299,14 @@ class CI_Output { */ public function get_header($header) { - // Combine headers already sent with our batched headers + // We only need [x][0] from our multi-dimensional array + $header_lines = array_map(function ($headers) + { + return array_shift($headers); + }, $this->headers); + $headers = array_merge( - // We only need [x][0] from our multi-dimensional array - array_map('array_shift', $this->headers), + $header_lines, headers_list() ); -- cgit v1.2.3-24-g4f1b From 318c485b7b83356543c9aa7ab65464893d7eb8fe Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 5 Jan 2022 13:57:33 +0200 Subject: Close #6021: Suppress possible E_DEPRECATION notices about mbstring.func_overload --- system/core/Log.php | 2 +- system/core/Output.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'system/core') diff --git a/system/core/Log.php b/system/core/Log.php index f66f1aa48..683c16bac 100644 --- a/system/core/Log.php +++ b/system/core/Log.php @@ -122,7 +122,7 @@ class CI_Log { { $config =& get_config(); - isset(self::$func_overload) OR self::$func_overload = (extension_loaded('mbstring') && ini_get('mbstring.func_overload')); + isset(self::$func_overload) OR self::$func_overload = ( ! is_php('8.0') && extension_loaded('mbstring') && @ini_get('mbstring.func_overload')); $this->_log_path = ($config['log_path'] !== '') ? $config['log_path'] : APPPATH.'logs/'; $this->_file_ext = (isset($config['log_file_extension']) && $config['log_file_extension'] !== '') diff --git a/system/core/Output.php b/system/core/Output.php index 93d85e798..8e3245b79 100644 --- a/system/core/Output.php +++ b/system/core/Output.php @@ -145,7 +145,7 @@ class CI_Output { && extension_loaded('zlib') ); - isset(self::$func_overload) OR self::$func_overload = (extension_loaded('mbstring') && ini_get('mbstring.func_overload')); + isset(self::$func_overload) OR self::$func_overload = ( ! is_php('8.0') && extension_loaded('mbstring') && @ini_get('mbstring.func_overload')); // Get mime types for later $this->mimes =& get_mimes(); -- cgit v1.2.3-24-g4f1b From 39da78b2588a60a2f43fb8f77448ab9604550978 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 5 Jan 2022 16:25:49 +0200 Subject: Fix some minor PHP 8.1 deprecation warnings --- system/core/Common.php | 5 ++--- system/core/Input.php | 2 +- system/core/Security.php | 2 +- 3 files changed, 4 insertions(+), 5 deletions(-) (limited to 'system/core') diff --git a/system/core/Common.php b/system/core/Common.php index 9e23a4ea5..a9b8828e3 100644 --- a/system/core/Common.php +++ b/system/core/Common.php @@ -778,11 +778,9 @@ if ( ! function_exists('_stringify_attributes')) */ function _stringify_attributes($attributes, $js = FALSE) { - $atts = NULL; - if (empty($attributes)) { - return $atts; + return NULL; } if (is_string($attributes)) @@ -792,6 +790,7 @@ if ( ! function_exists('_stringify_attributes')) $attributes = (array) $attributes; + $atts = ''; foreach ($attributes as $key => $val) { $atts .= ($js) ? $key.'='.$val.',' : ' '.$key.'="'.$val.'"'; diff --git a/system/core/Input.php b/system/core/Input.php index 3fb4121eb..c3a0a9094 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -565,7 +565,7 @@ class CI_Input { $which = FILTER_FLAG_IPV6; break; default: - $which = NULL; + $which = 0; break; } diff --git a/system/core/Security.php b/system/core/Security.php index f6b0407f8..d1d4f8432 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -193,7 +193,7 @@ class CI_Security { $this->_csrf_set_hash(); } - $this->charset = strtoupper(config_item('charset')); + $this->charset = strtoupper((string) config_item('charset')); log_message('info', 'Security Class Initialized'); } -- cgit v1.2.3-24-g4f1b From 4362b7d9f39189472950589ce47a483b6025f5e9 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 5 Jan 2022 17:52:40 +0200 Subject: Merge pull request #6025 from gxgpet/develop SameSite attribute implementation for CI_Input::set_cookie --- system/core/Input.php | 42 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 39 insertions(+), 3 deletions(-) (limited to 'system/core') diff --git a/system/core/Input.php b/system/core/Input.php index c3a0a9094..7205a7aa2 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -357,14 +357,15 @@ class CI_Input { * @param string $prefix Cookie name prefix * @param bool $secure Whether to only transfer cookies via SSL * @param bool $httponly Whether to only makes the cookie accessible via HTTP (no javascript) + * @param string $samesite SameSite attribute * @return void */ - public function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL) + public function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL, $samesite = NULL) { if (is_array($name)) { // always leave 'name' in last place, as the loop will break otherwise, due to $$item - foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name') as $item) + foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name', 'samesite') as $item) { if (isset($name[$item])) { @@ -405,7 +406,42 @@ class CI_Input { $expire = ($expire > 0) ? time() + $expire : 0; } - setcookie($prefix.$name, $value, $expire, $path, $domain, $secure, $httponly); + isset($samesite) OR $samesite = config_item('cookie_samesite'); + if (isset($samesite)) + { + $samesite = ucfirst(strtolower($samesite)); + in_array($samesite, array('Lax', 'Strict', 'None'), TRUE) OR $samesite = 'Lax'; + } + else + { + $samesite = 'Lax'; + } + + if ($samesite === 'None' && ! $secure) + { + log_message('error', $name.' cookie sent with SameSite=None, but without Secure attribute.'); + } + + if (is_php('7.3')) + { + $setcookie_options = array( + 'expires' => $expire, + 'path' => $path, + 'domain' => $domain, + 'secure' => $secure, + 'httponly' => $httponly, + 'samesite' => $samesite, + ); + setcookie($prefix.$name, $value, $setcookie_options); + } + else + { + $cookie_header = 'Set-Cookie: '.$prefix.$name.'='.rawurlencode($value); + $cookie_header .= ($expire === 0 ? '' : '; expires='.gmdate('D, d-M-Y H:i:s T', $expire)); + $cookie_header .= '; path='.$path.($domain !== '' ? '; domain='.$domain : ''); + $cookie_header .= ($secure ? '; secure' : '').($httponly ? '; HttpOnly' : '').'; SameSite='.$samesite; + header($cookie_header); + } } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From f370f2c042905e521fa3a25283f7e275606a8724 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 5 Jan 2022 18:23:06 +0200 Subject: Polish changes from PR #6025 --- system/core/Input.php | 39 ++++++++++++++++++++++----------------- 1 file changed, 22 insertions(+), 17 deletions(-) (limited to 'system/core') diff --git a/system/core/Input.php b/system/core/Input.php index 7205a7aa2..47bdbfc5d 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -422,26 +422,31 @@ class CI_Input { log_message('error', $name.' cookie sent with SameSite=None, but without Secure attribute.'); } - if (is_php('7.3')) - { - $setcookie_options = array( - 'expires' => $expire, - 'path' => $path, - 'domain' => $domain, - 'secure' => $secure, - 'httponly' => $httponly, - 'samesite' => $samesite, - ); - setcookie($prefix.$name, $value, $setcookie_options); - } - else + if ( ! is_php('7.3')) { + $maxage = $expire - time(); + if ($maxage < 1) + { + $maxage = 0; + } + $cookie_header = 'Set-Cookie: '.$prefix.$name.'='.rawurlencode($value); - $cookie_header .= ($expire === 0 ? '' : '; expires='.gmdate('D, d-M-Y H:i:s T', $expire)); - $cookie_header .= '; path='.$path.($domain !== '' ? '; domain='.$domain : ''); - $cookie_header .= ($secure ? '; secure' : '').($httponly ? '; HttpOnly' : '').'; SameSite='.$samesite; + $cookie_header .= ($expire === 0 ? '' : '; Expires='.gmdate('D, d-M-Y H:i:s T', $expire)).'; Max-Age='.$maxage; + $cookie_header .= '; Path='.$path.($domain !== '' ? '; Domain='.$domain : ''); + $cookie_header .= ($secure ? '; Secure' : '').($httponly ? '; HttpOnly' : '').'; SameSite='.$samesite; header($cookie_header); - } + return; + } + + $setcookie_options = array( + 'expires' => $expire, + 'path' => $path, + 'domain' => $domain, + 'secure' => $secure, + 'httponly' => $httponly, + 'samesite' => $samesite, + ); + setcookie($prefix.$name, $value, $setcookie_options); } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b