diff options
| author | Lukas Reschke <lukas@statuscode.ch> | 2016-11-23 12:53:44 +0100 |
|---|---|---|
| committer | Lukas Reschke <lukas@statuscode.ch> | 2016-11-23 12:53:44 +0100 |
| commit | a05b8b79534fcd46341ae7bfd28cb34e9ff88ced (patch) | |
| tree | edd0a9c995ae5948fa202f367fdd63912ca1612f /lib | |
| parent | f692ea34f1f1ce128ad40e3bf248c6342260c6c1 (diff) | |
| download | nextcloud-server-a05b8b79534fcd46341ae7bfd28cb34e9ff88ced.tar.gz nextcloud-server-a05b8b79534fcd46341ae7bfd28cb34e9ff88ced.zip | |
Harden cookies more appropriate
This adds the __Host- prefix to the same-site cookies. This is a small but yet nice security hardening.
See https://googlechrome.github.io/samples/cookie-prefixes/ for the implications.
Fixes https://github.com/nextcloud/server/issues/1412
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/base.php | 10 | ||||
| -rw-r--r-- | lib/private/AppFramework/Http/Request.php | 33 |
2 files changed, 40 insertions, 3 deletions
diff --git a/lib/base.php b/lib/base.php index d6c6e17eff9..2f5517f4614 100644 --- a/lib/base.php +++ b/lib/base.php @@ -493,10 +493,18 @@ class OC { 'lax', 'strict', ]; + + // Append __Host to the cookie if it meets the requirements + $cookiePrefix = ''; + if($cookieParams['secure'] === true && $cookieParams['path'] === '/') { + $cookiePrefix = '__Host-'; + } + foreach($policies as $policy) { header( sprintf( - 'Set-Cookie: nc_sameSiteCookie%s=true; path=%s; httponly;' . $secureCookie . 'expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=%s', + 'Set-Cookie: %snc_sameSiteCookie%s=true; path=%s; httponly;' . $secureCookie . 'expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=%s', + $cookiePrefix, $policy, $cookieParams['path'], $policy diff --git a/lib/private/AppFramework/Http/Request.php b/lib/private/AppFramework/Http/Request.php index c7a3be163fe..62d7fc7ed30 100644 --- a/lib/private/AppFramework/Http/Request.php +++ b/lib/private/AppFramework/Http/Request.php @@ -498,6 +498,31 @@ class Request implements \ArrayAccess, \Countable, IRequest { } /** + * Wrapper around session_get_cookie_params + * + * @return array + */ + protected function getCookieParams() { + return session_get_cookie_params(); + } + + /** + * Appends the __Host- prefix to the cookie if applicable + * + * @param string $name + * @return string + */ + protected function getProtectedCookieName($name) { + $cookieParams = $this->getCookieParams(); + $prefix = ''; + if($cookieParams['secure'] === true && $cookieParams['path'] === '/') { + $prefix = '__Host-'; + } + + return $prefix.$name; + } + + /** * Checks if the strict cookie has been sent with the request if the request * is including any cookies. * @@ -508,7 +533,9 @@ class Request implements \ArrayAccess, \Countable, IRequest { if(!$this->cookieCheckRequired()) { return true; } - if($this->getCookie('nc_sameSiteCookiestrict') === 'true' + + $cookieName = $this->getProtectedCookieName('nc_sameSiteCookiestrict'); + if($this->getCookie($cookieName) === 'true' && $this->passesLaxCookieCheck()) { return true; } @@ -526,7 +553,9 @@ class Request implements \ArrayAccess, \Countable, IRequest { if(!$this->cookieCheckRequired()) { return true; } - if($this->getCookie('nc_sameSiteCookielax') === 'true') { + + $cookieName = $this->getProtectedCookieName('nc_sameSiteCookielax'); + if($this->getCookie($cookieName) === 'true') { return true; } return false; |