sbrl-github/Pepperminty-Wiki
sbrl-github/Pepperminty-Wiki
1
0
Fork 0
mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-11-22 04:23:01 +00:00
Code Activity

Improve security of PHP session variable by setting HttpOnly flag. Fixes #129.

Browse source
This commit is contained in:
Starbeamrainbowlabs 2016-12-23 21:31:33 +00:00
parent 855079b438
commit d17925a662
3 changed files with 5 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
Changelog.md
View file

@ -32,6 +32,7 @@
- Improved the search engine indexing algorithm. It now shouldn't choke on certain special characters (`[]{}|`) and will treat them as word boundaries. - Improved the search engine indexing algorithm. It now shouldn't choke on certain special characters (`[]{}|`) and will treat them as word boundaries.
- Fixed tag links at the bottom of pages for tags with a single quote (`'`) in them. - Fixed tag links at the bottom of pages for tags with a single quote (`'`) in them.
- Correct error message when attempting to move a page - Correct error message when attempting to move a page
- Improved security of PHP session cookie by setting HttpOnly flag.
## v0.12.1 ## v0.12.1

6
build/index.php
View file

@ -52,7 +52,7 @@ $guiConfig = <<<'GUICONFIG'
}}, }},
"admins": {"type": "array", "description": "An array of usernames that are administrators. Administrators can delete and move pages.", "default": [ "admin" ]}, "admins": {"type": "array", "description": "An array of usernames that are administrators. Administrators can delete and move pages.", "default": [ "admin" ]},
"anonymous_user_name": { "type": "text", "description": "The default name for anonymous users.", "default": "Anonymous" }, "anonymous_user_name": { "type": "text", "description": "The default name for anonymous users.", "default": "Anonymous" },
"user_preferences_button_text": { "type": "text", "description": "The text to display on the button that lets logged in users chang their settings. Defaults to a cog (aka a 'gear' in unicode-land).", "default": "&#x2699;" }, "user_preferences_button_text": { "type": "text", "description": "The text to display on the button that lets logged in users chang their settings. Defaults to a cog (aka a 'gear' in unicode-land).", "default": "&#x2699; " },
"use_sha3": {"type": "checkbox", "description": "Whether to use the new sha3 hashing algorithm for passwords etc.", "default": false }, "use_sha3": {"type": "checkbox", "description": "Whether to use the new sha3 hashing algorithm for passwords etc.", "default": false },
"require_login_view": {"type": "checkbox", "description": "Whether to require that users login before they do anything else. Best used with the data_storage_dir option.", "default": false}, "require_login_view": {"type": "checkbox", "description": "Whether to require that users login before they do anything else. Best used with the data_storage_dir option.", "default": false},
"data_storage_dir": {"type": "text", "description": "The directory in which to store all files, except the main index.php.", "default": "."}, "data_storage_dir": {"type": "text", "description": "The directory in which to store all files, except the main index.php.", "default": "."},
@ -357,7 +357,7 @@ $paths->upload_file_prefix = "Files/"; // The prefix to add to uploaded files
session_start(); session_start();
// Make sure that the login cookie lasts beyond the end of the user's session // Make sure that the login cookie lasts beyond the end of the user's session
setcookie(session_name(), session_id(), time() + $settings->sessionlifetime); setcookie(session_name(), session_id(), time() + $settings->sessionlifetime, "", "", false, true);
///////// Login System ///////// ///////// Login System /////////
// Clear expired sessions // Clear expired sessions
if(isset($_SESSION[$settings->sessionprefix . "-expiretime"]) and if(isset($_SESSION[$settings->sessionprefix . "-expiretime"]) and
@ -1377,7 +1377,7 @@ class page_renderer
{ {
$result .= "<span class='inflexible logged-in" . ($env->is_logged_in ? " moderator" : " normal-user") . "'>"; $result .= "<span class='inflexible logged-in" . ($env->is_logged_in ? " moderator" : " normal-user") . "'>";
if(module_exists("feature-user-preferences")) { if(module_exists("feature-user-preferences")) {
$result .= "<a href='?action=user-preferences'>$settings->user_preferences_button_text</a> "; $result .= "<a href='?action=user-preferences'>$settings->user_preferences_button_text</a>";
} }
$result .= self::render_username($env->user) . " <small>(<a href='index.php?action=logout'>Logout</a>)</small>"; $result .= self::render_username($env->user) . " <small>(<a href='index.php?action=logout'>Logout</a>)</small>";
$result .= "</span>"; $result .= "</span>";

2
core.php
View file

@ -39,7 +39,7 @@ $paths->upload_file_prefix = "Files/"; // The prefix to add to uploaded files
session_start(); session_start();
// Make sure that the login cookie lasts beyond the end of the user's session // Make sure that the login cookie lasts beyond the end of the user's session
setcookie(session_name(), session_id(), time() + $settings->sessionlifetime); setcookie(session_name(), session_id(), time() + $settings->sessionlifetime, "", "", false, true);
///////// Login System ///////// ///////// Login System /////////
// Clear expired sessions // Clear expired sessions
if(isset($_SESSION[$settings->sessionprefix . "-expiretime"]) and if(isset($_SESSION[$settings->sessionprefix . "-expiretime"]) and