From 0f3d7dc6bcb9457e91c93e89def0310e63e81f3d Mon Sep 17 00:00:00 2001
From: Francis Lachapelle
Date: Mon, 4 Apr 2022 16:00:06 -0400
Subject: [PATCH] fix(core): add security flags to cookies (HttpOnly, secure)

Fixes #4525
---
 SoObjects/SOGo/SOGoWebAuthenticator.m | 11 +++++++++--
 UI/WebServerResources/SOGoRootPage.js | 9 +--------
 UI/WebServerResources/generic.js | 11 -----------
 3 files changed, 10 insertions(+), 21 deletions(-)

diff --git a/SoObjects/SOGo/SOGoWebAuthenticator.m b/SoObjects/SOGo/SOGoWebAuthenticator.m
index bd386d035..9cd0e4f4c 100644
--- a/SoObjects/SOGo/SOGoWebAuthenticator.m
+++ b/SoObjects/SOGo/SOGoWebAuthenticator.m
@@ -1,6 +1,6 @@
 /* SOGoWebAuthenticator.m - this file is part of SOGo
  *
- * Copyright (C) 2007-2014 Inverse inc.
+ * Copyright (C) 2007-2022 Inverse inc.
  *
  * This file is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -390,6 +390,7 @@
 {
   WOCookie *authCookie;
   NSString *cookieValue, *cookieString, *appName, *sessionKey, *userKey, *securedPassword;
+  BOOL isSecure;
 
   //
   // We create a new cookie - thus we create a new session
@@ -416,8 +417,14 @@
                            userKey, sessionKey];
   cookieValue = [NSString stringWithFormat: @"basic %@",
                           [cookieString stringByEncodingBase64]];
+  isSecure = [[[context serverURL] scheme] isEqualToString: @"https"];
   authCookie = [WOCookie cookieWithName: [self cookieNameInContext: context]
-                                  value: cookieValue];
+                                  value: cookieValue
+                                   path: nil
+                                 domain: nil
+                                expires: nil
+                               isSecure: isSecure
+                               httpOnly: YES];
   appName = [[context request] applicationName];
   [authCookie setPath: [NSString stringWithFormat: @"/%@/", appName]];
 
diff --git a/UI/WebServerResources/SOGoRootPage.js b/UI/WebServerResources/SOGoRootPage.js
index 333ca809a..7425bca67 100644
--- a/UI/WebServerResources/SOGoRootPage.js
+++ b/UI/WebServerResources/SOGoRootPage.js
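Review bot: The Secure attribute in the new `isSecure =` line depends only on the scheme of `[context serverURL]`, so in a deployment where a reverse proxy terminates TLS and the server URL SOGo sees is the plain-http backend hop, the flag will be NO and the browser may still send the session cookie over http. It is worth confirming how serverURL is derived behind a proxy and, if it can reflect the backend hop, giving administrators an explicit override; at minimum a comment on that line, `// Secure is set only when the configured server URL is https; behind a TLS-terminating proxy the URL must name the external origin`, would make the dependency visible. The cookie still carries no SameSite attribute; worth checking whether WOCookie can emit one now that the flags are being tightened. The enclosing method starts and ends outside the hunk.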
@@ -7,11 +7,6 @@ function initLogin() {
 
   date.setTime(date.getTime() - 86400000);
   var href = $("connectForm").action.split("/");
-  var appName = href[href.length-2];
-
-  document.cookie = ("0xHIGHFLYxSOGo=discarded"
-                     + "; expires=" + date.toGMTString()
-                     + "; path=/" + appName + "/");
 
   var about = $("about");
   if (about) {
@@ -118,9 +113,7 @@ function onLoginCallback(http) {
 
   if (http.status == 200) {
     // Make sure browser's cookies are enabled
-    var loginCookie = readLoginCookie();
-
-    if (!loginCookie) {
+    if (navigator && !navigator.cookieEnabled) {
       SetLogMessage("errorMessage", _("cookiesNotEnabled"));
       submitBtn.disabled = false;
       return;
diff --git a/UI/WebServerResources/generic.js b/UI/WebServerResources/generic.js
index fa1f4b3a3..a4b4ca40b 100644
--- a/UI/WebServerResources/generic.js
+++ b/UI/WebServerResources/generic.js
@@ -2329,17 +2329,6 @@ function readCookie(name) {
   return foundCookie;
 }
 
-function readLoginCookie() {
-  var loginValues = null;
-  var cookie = readCookie("0xHIGHFLYxSOGo");
-  if (cookie && cookie.length > 8) {
-    var value = decodeURIComponent(cookie.substr(8));
-    loginValues = value.base64decode().split(":");
-  }
-
-  return loginValues;
-}
-
 /* logging widgets */
 function SetLogMessage(containerId, message, msgType) {
   var container = $(containerId);
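Review bot: The replacement check `if (navigator && !navigator.cookieEnabled)` only reflects the browser's global cookie setting, whereas the removed `readLoginCookie()` read-back proved that a cookie for this site was actually stored; per-site blocking, or a cookie the browser refuses to store (for instance a Secure cookie set on an http origin), will now pass this test and surface later as an unexplained login loop. Because the login cookie is HttpOnly after this patch the old read-back cannot be restored, so the comment above the check should state the weaker guarantee, e.g. `// navigator.cookieEnabled only reflects the global setting; the session cookie is HttpOnly and cannot be read back here to confirm it was stored`. If a stronger check is wanted, the server could set a small non-HttpOnly marker cookie alongside the session cookie for the page to read back, but that is a design choice beyond this patch. onLoginCallback starts and ends outside the hunk.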