From 357bb08387192ab5116752203a0055cff452d204 Mon Sep 17 00:00:00 2001 From: Roman Kelesidis Date: Thu, 23 Nov 2023 08:26:32 +0700 Subject: [PATCH] Use external cookie library to prevent incorrect cookie setting (#1160) * Use external cookie library to prevent incorrect cookie setting * Update CHANGELOG.md --- CHANGELOG.md | 1 + composer.json | 3 +- composer.lock | 109 +++++++++++++++++++++++++++++++---- library/includes/init_bb.php | 11 +--- 4 files changed, 102 insertions(+), 22 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 587590885..ac55ceedf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ **Merged pull requests:** +- Use external cookie library to prevent incorrect cookie setting [\#1160](https://github.com/torrentpier/torrentpier/pull/1160) ([belomaxorka](https://github.com/belomaxorka)) - Some improvements in default template [\#1159](https://github.com/torrentpier/torrentpier/pull/1159) ([belomaxorka](https://github.com/belomaxorka)) - Use sent port instead of source [\#1158](https://github.com/torrentpier/torrentpier/pull/1158) ([kovalensky](https://github.com/kovalensky)) - Remove unnecessary meta tags from file listing [\#1157](https://github.com/torrentpier/torrentpier/pull/1157) ([kovalensky](https://github.com/kovalensky)) diff --git a/composer.json b/composer.json index efab6a6d6..5e60c868f 100644 --- a/composer.json +++ b/composer.json @@ -50,7 +50,8 @@ "samdark/sitemap": "2.4.1", "symfony/mailer": "^6.3", "symfony/polyfill": "v1.28.0", - "vlucas/phpdotenv": "^5.5" + "vlucas/phpdotenv": "^5.5", + "delight-im/cookie": "3.*" }, "require-dev": { "symfony/var-dumper": "^6.3" diff --git a/composer.lock b/composer.lock index 45ff18978..ae5b06051 100644 --- a/composer.lock +++ b/composer.lock 
@@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "ab483942399a1a20194b6851fda0ae6f", + "content-hash": "a2ee0a4e95404dca800219b4377f8e2c", "packages": [ { "name": "arokettu/bencode", 
@@ -275,6 +275,91 @@ ], "time": "2023-08-30T09:31:38+00:00" }, + { + "name": "delight-im/cookie", + "version": "v3.4.0", + "source": { + "type": "git", + "url": "https://github.com/delight-im/PHP-Cookie.git", + "reference": "67065d34272377d63bab0bd58f984f9b228c803f" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/delight-im/PHP-Cookie/zipball/67065d34272377d63bab0bd58f984f9b228c803f", + "reference": "67065d34272377d63bab0bd58f984f9b228c803f", + "shasum": "" + }, + "require": { + "delight-im/http": "^2.0", + "php": ">=5.4.0" + }, + "type": "library", + "autoload": { + "psr-4": { + "Delight\\Cookie\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "description": "Modern cookie management for PHP", + "homepage": "https://github.com/delight-im/PHP-Cookie", + "keywords": [ + "cookie", + "cookies", + "csrf", + "http", + "same-site", + "samesite", + "xss" + ], + "support": { + "issues": "https://github.com/delight-im/PHP-Cookie/issues", + "source": "https://github.com/delight-im/PHP-Cookie/tree/v3.4.0" + }, + "time": "2020-04-16T11:01:26+00:00" + }, + { + "name": "delight-im/http", + "version": "v2.1.0", + "source": { + "type": "git", + "url": "https://github.com/delight-im/PHP-HTTP.git", + "reference": "a5c2c4eae1dd3207f797984e8f64f2d71ed889dd" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/delight-im/PHP-HTTP/zipball/a5c2c4eae1dd3207f797984e8f64f2d71ed889dd", + "reference": "a5c2c4eae1dd3207f797984e8f64f2d71ed889dd", + "shasum": "" + }, + "require": { + "php": ">=5.3.0" + }, + "type": "library", + "autoload": { + "psr-4": { + "Delight\\Http\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "description": "Hypertext Transfer Protocol (HTTP) utilities for PHP", + "homepage": "https://github.com/delight-im/PHP-HTTP", + "keywords": [ + "headers", + "http", + "https" + ], + "support": { + "issues": 
"https://github.com/delight-im/PHP-HTTP/issues", + "source": "https://github.com/delight-im/PHP-HTTP/tree/v2.1.0" + }, + "time": "2021-10-12T18:52:29+00:00" + }, { "name": "doctrine/lexer", "version": "3.0.0", @@ -1638,7 +1723,7 @@ }, { "name": "symfony/deprecation-contracts", - "version": "v3.3.0", + "version": "v3.4.0", "source": { "type": "git", "url": "https://github.com/symfony/deprecation-contracts.git", @@ -1685,7 +1770,7 @@ "description": "A generic function and convention to trigger deprecation notices", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/deprecation-contracts/tree/v3.3.0" + "source": "https://github.com/symfony/deprecation-contracts/tree/v3.4.0" }, "funding": [ { @@ -1785,7 +1870,7 @@ }, { "name": "symfony/event-dispatcher-contracts", - "version": "v3.3.0", + "version": "v3.4.0", "source": { "type": "git", "url": "https://github.com/symfony/event-dispatcher-contracts.git", @@ -1841,7 +1926,7 @@ "standards" ], "support": { - "source": "https://github.com/symfony/event-dispatcher-contracts/tree/v3.3.0" + "source": "https://github.com/symfony/event-dispatcher-contracts/tree/v3.4.0" }, "funding": [ { @@ -2139,16 +2224,16 @@ }, { "name": "symfony/service-contracts", - "version": "v3.3.0", + "version": "v3.4.0", "source": { "type": "git", "url": "https://github.com/symfony/service-contracts.git", - "reference": "40da9cc13ec349d9e4966ce18b5fbcd724ab10a4" + "reference": "b3313c2dbffaf71c8de2934e2ea56ed2291a3838" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/service-contracts/zipball/40da9cc13ec349d9e4966ce18b5fbcd724ab10a4", - "reference": "40da9cc13ec349d9e4966ce18b5fbcd724ab10a4", + "url": "https://api.github.com/repos/symfony/service-contracts/zipball/b3313c2dbffaf71c8de2934e2ea56ed2291a3838", + "reference": "b3313c2dbffaf71c8de2934e2ea56ed2291a3838", "shasum": "" }, "require": { 
@@ -2201,7 +2286,7 @@ "standards" ], "support": { - "source": "https://github.com/symfony/service-contracts/tree/v3.3.0" + "source": "https://github.com/symfony/service-contracts/tree/v3.4.0" }, "funding": [ { @@ -2217,7 +2302,7 @@ "type": "tidelift" } ], - "time": "2023-05-23T14:45:45+00:00" + "time": "2023-07-30T20:28:31+00:00" }, { "name": "vlucas/phpdotenv", @@ -2399,5 +2484,5 @@ "php": "^8.1" }, "platform-dev": [], - "plugin-api-version": "2.6.0" + "plugin-api-version": "2.3.0" }
diff --git a/library/includes/init_bb.php b/library/includes/init_bb.php
index eef500b2b..c047f6a18 100644
--- a/library/includes/init_bb.php
+++ b/library/includes/init_bb.php
@@ -82,18 +82,11 @@ define('COOKIE_MAX_TRACKS', 90);
 * @param bool $httponly
 * @return bool
 */
-function bb_setcookie($name, $val, int $lifetime = COOKIE_PERSIST, bool $httponly = false)
+function bb_setcookie($name, $val, int $lifetime = COOKIE_PERSIST, bool $httponly = false): bool
 {
 global $bb_cfg;
 
- return setcookie($name, $val, [
- 'expires' => $lifetime,
- 'path' => $bb_cfg['script_path'],
- 'domain' => $bb_cfg['cookie_domain'],
- 'secure' => $bb_cfg['cookie_secure'],
- 'httponly' => $httponly,
- 'samesite' => $bb_cfg['cookie_same_site'],
- ]);
+ return \Delight\Cookie\Cookie::setcookie($name, $val, $lifetime, $bb_cfg['script_path'], $bb_cfg['cookie_domain'], $bb_cfg['server_secure'], $httponly, $bb_cfg['cookie_same_site']);
 }
 
 // User Levels
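Review bot: The new `bb_setcookie` body passes `$bb_cfg['server_secure']` as the secure flag where the removed `setcookie()` call read `$bb_cfg['cookie_secure']`, and nothing else in this patch renames that config key; if `server_secure` is not defined, the flag evaluates to null and the cookie is emitted without the Secure attribute even on HTTPS deployments. Either restore `$bb_cfg['cookie_secure']` or make the key rename part of this commit and note it in the function's docblock, whose opening lines are outside the hunk. A point of style: `$name` and `$val` stay untyped while a `: bool` return was added; `string $name, string $val` would complete the signature, since both are forwarded to the library as-is. Also worth recording in the PR: composer.lock pins delight-im/cookie v3.4.0 with a release time of 2020-04-16 and a `php >=5.4.0` constraint, so the session-cookie path now depends on a library whose maintenance status should be checked before relying on it for SameSite and Secure handling.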