Teach MantisBT to bake tough cookies

The Secure cookie flag is now set for all cookies when the user is browsing via a TLS protected connection. Originally this flag was only set for the PHP session ID cookie. MantisBT now supports the HttpOnly cookie flag and will use it when possible (PHP 5.2.0 is required). This flag tells the client browser to deny Javascript access to the cookie (both reading and writing). As such, this flag is very useful in providing another layer of protection against XSS attacks. The gpc_set_cookie function has an additional parameter to disable the HttpOnly flag on a per-cookie basis. This parameter should be set to false when sending a cookie to the client that client-side Javascript needs to read or write. Fixes #10709,#10712
mantisbt · Jul 11, 2009 · 2a6892b · 2a6892b
1 parent 2ad151c
commit 2a6892b
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 7 deletions.
diff --git a/core/gpc_api.php b/core/gpc_api.php
@@ -22,6 +22,22 @@
  * @link http://www.mantisbt.org
  */
 
+/**
+ * Determines (once-off) whether the client is accessing this script via a
+ * secure connection. If they are, we want to use the Secure cookie flag to
+ * prevent the cookie from being transmitted to other domains.
+ * @global bool $g_cookie_secure_flag_enabled
+ */
+$g_cookie_secure_flag_enabled = isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' );
+
+/**
+ * Determines (once-off) whether the version of PHP executing this script has
+ * support for the HttpOnly cookie flag. If so, we will set this flag to true
+ * so that it'll be added to all cookies sent to the client.
+ * @global bool $g_cookie_httponly_flag_enabled
+ */
+$g_cookie_httponly_flag_enabled = version_compare( PHP_VERSION, '5.2.0', '>=' );
+
 /**
  * GET, POST, and Cookie API
  * ---------------
@@ -313,16 +329,22 @@ function gpc_get_cookie( $p_var_name, $p_default = null ) {
  * If $p_expire is false instead of a number, the cookie will expire when
  * the browser is closed; if it is true, the default time from the config
  * file will be used.
- * If $p_path or $p_domain are omitted, defaults are used
+ * If $p_path or $p_domain are omitted, defaults are used.
+ * Set $p_httponly to false if client-side Javascript needs to read/write
+ * the cookie. Otherwise it is safe to leave this value unspecified, as
+ * the default value is true.
  * @todo this function is to be modified by Victor to add CRC... for now it just passes the parameters through to setcookie()
  * @param string $p_name
  * @param string $p_value
  * @param bool $p_expire default false
  * @param string $p_path default null
  * @param string $p_domain default null
- * @return null
+ * @param bool $p_httponly default true
+ * @return bool - true on success, false on failure
  */
-function gpc_set_cookie( $p_name, $p_value, $p_expire = false, $p_path = null, $p_domain = null ) {
+function gpc_set_cookie( $p_name, $p_value, $p_expire = false, $p_path = null, $p_domain = null, $p_httponly = true ) {
+	global $g_cookie_secure_flag_enabled;
+	global $g_cookie_httponly_flag_enabled;
 	if( false === $p_expire ) {
 		$p_expire = 0;
 	}
@@ -337,7 +359,12 @@ function gpc_set_cookie( $p_name, $p_value, $p_expire = false, $p_path = null, $
 		$p_domain = config_get( 'cookie_domain' );
 	}
 
-	return setcookie( $p_name, $p_value, $p_expire, $p_path, $p_domain );
+	if( $g_cookie_httponly_flag_enabled ) {
+		# The HttpOnly cookie flag is only supported in PHP >= 5.2.0
+		return setcookie( $p_name, $p_value, $p_expire, $p_path, $p_domain, $g_cookie_secure_flag_enabled, $g_cookie_httponly_flag_enabled );
+	}
+
+	return setcookie( $p_name, $p_value, $p_expire, $p_path, $p_domain, $g_cookie_secure_flag_enabled );
 }
 
 /**

diff --git a/core/session_api.php b/core/session_api.php
@@ -92,6 +92,9 @@ class MantisPHPSession extends MantisSession {
 	 * Constructor
 	 */
 	function __construct( $p_session_id=null ) {
+		global $g_cookie_secure_flag_enabled;
+		global $g_cookie_httponly_flag_enabled;
+
 		$this->key = config_get_global( 'session_key' );
 
 		# Save session information where specified or with PHP's default
@@ -102,10 +105,11 @@ function __construct( $p_session_id=null ) {
 
 		# Handle session cookie and caching
 		session_cache_limiter( 'private_no_expire' );
-		if ( isset( $_SERVER['HTTPS'] ) && ( utf8_strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
-			session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), true );
+		if ( $g_cookie_httponly_flag_enabled ) {
+			# The HttpOnly cookie flag is only supported in PHP >= 5.2.0
+			session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), $g_cookie_secure_flag_enabled, $g_cookie_httponly_flag_enabled );
 		} else {
-			session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), false );
+			session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), $g_cookie_secure_flag_enabled );
 		}
 
 		# Handle existent session ID