From e4a459a6edc40b64cba7845b52f3e90666b2818a Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Tue, 16 Feb 2016 23:53:39 +0100
Subject: CSP no inline javascript draft

https://github.com/FreshRSS/FreshRSS/issues/1075
---
 lib/Minz/Session.php | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

(limited to 'lib/Minz/Session.php')

diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php
index 057e7746a..940cd27d9 100644
--- a/lib/Minz/Session.php
+++ b/lib/Minz/Session.php
@@ -59,18 +59,21 @@ class Minz_Session {
 		}
 	}
 
+	public static function getCookieDir() {
+		// Get the script_name (e.g. /p/i/index.php) and keep only the path.
+		$cookie_dir = empty($_SERVER['REQUEST_URI']) ? '/' : $_SERVER['REQUEST_URI'];
+		if (substr($cookie_dir, -1) !== '/') {
+			$cookie_dir = dirname($cookie_dir) . '/';
+		}
+		return $cookie_dir;
+	}
 
 	/**
 	 * Spécifie la durée de vie des cookies
 	 * @param $l la durée de vie
 	 */
 	public static function keepCookie($l) {
-		// Get the script_name (e.g. /p/i/index.php) and keep only the path.
-		$cookie_dir = empty($_SERVER['REQUEST_URI']) ? '/' : $_SERVER['REQUEST_URI'];
-		if (substr($cookie_dir, -1) !== '/') {
-			$cookie_dir = dirname($cookie_dir) . '/';
-		}
-		session_set_cookie_params($l, $cookie_dir, '', false, true);
+		session_set_cookie_params($l, self::getCookieDir(), '', false, true);
 	}
 
 
-- 
cgit v1.2.3


From ba9f4461d8935bb9de256a5bedf0c89d3d317c7f Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Tue, 8 Mar 2016 19:00:04 +0100
Subject: Secure cookie HTTPS

---
 CHANGELOG.md         |  1 +
 lib/Minz/Request.php | 17 ++++++++++++-----
 lib/Minz/Session.php |  6 +++---
 3 files changed, 16 insertions(+), 8 deletions(-)

(limited to 'lib/Minz/Session.php')

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 74cb9d250..7298c4523 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 * Security
 	* Added CSP `Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *` [#1075](https://github.com/FreshRSS/FreshRSS/issues/1075), [#1114](https://github.com/FreshRSS/FreshRSS/issues/1114)
 	* Added `X-Content-Type-Options: nosniff` [#1116](https://github.com/FreshRSS/FreshRSS/pull/1116)
+	* Cookie with `Secure` tag when used over HTTPS []()
 * Features
 	* New list of domains for which to force HTTPS (for images, videos, iframes…) defined in `./data/force-https.default.txt` and `./data/force-https.txt` [#1083](https://github.com/FreshRSS/FreshRSS/issues/1083)
 		* In particular useful for privacy and to avoid mixed content errors, e.g. to see YouTube videos when FreshRSS is in HTTPS
diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php
index effb9943c..81457df9e 100644
--- a/lib/Minz/Request.php
+++ b/lib/Minz/Request.php
@@ -84,6 +84,17 @@ class Minz_Request {
 		self::magicQuotesOff();
 	}
 
+	/**
+	 * Return true if the request is over HTTPS, false otherwise (HTTP)
+	 */
+	public static function isHttps() {
+		if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
+			return strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https';
+		} else {
+			return isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on';
+		}
+	}
+
 	/**
 	 * Try to guess the base URL from $_SERVER information
 	 *
@@ -92,11 +103,7 @@ class Minz_Request {
 	public static function guessBaseUrl() {
 		$url = 'http';
 
-		if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
-			$https = strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https';
-		} else {
-			$https = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on';
-		}
+		$https = self::isHttps();
 
 		if (!empty($_SERVER['HTTP_HOST'])) {
 			$host = $_SERVER['HTTP_HOST'];
diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php
index 940cd27d9..c94f2b646 100644
--- a/lib/Minz/Session.php
+++ b/lib/Minz/Session.php
@@ -73,7 +73,7 @@ class Minz_Session {
 	 * @param $l la durée de vie
 	 */
 	public static function keepCookie($l) {
-		session_set_cookie_params($l, self::getCookieDir(), '', false, true);
+		session_set_cookie_params($l, self::getCookieDir(), '', Minz_Request::isHttps(), true);
 	}
 
 
@@ -86,11 +86,11 @@ class Minz_Session {
 	}
 
 	public static function deleteLongTermCookie($name) {
-		setcookie($name, '', 1, '', '', false, true);
+		setcookie($name, '', 1, '', '', Minz_Request::isHttps(), true);
 	}
 
 	public static function setLongTermCookie($name, $value, $expire) {
-		setcookie($name, $value, $expire, '', '', false, true);
+		setcookie($name, $value, $expire, '', '', Minz_Request::isHttps(), true);
 	}
 
 	public static function getLongTermCookie($name) {
-- 
cgit v1.2.3