[fix] CVE CSRF with cookie setting

This commit is contained in:
frju365 2018-08-25 02:29:26 +02:00 committed by GitHub
parent 6e1e1e10ff
commit 07c3db2c46
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -146,7 +146,9 @@ function set_auth_cookie(user, domain)
local cookie_str = "; Domain=."..domain.. local cookie_str = "; Domain=."..domain..
"; Path=/".. "; Path=/"..
"; Expires="..os.date("%a, %d %b %Y %X UTC;", expire).. "; Expires="..os.date("%a, %d %b %Y %X UTC;", expire)..
"; Secure" "; Secure"..
"; HttpOnly"..
"; SameSite=Strict"
ngx.header["Set-Cookie"] = { ngx.header["Set-Cookie"] = {
"SSOwAuthUser="..user..cookie_str, "SSOwAuthUser="..user..cookie_str,
@ -165,7 +167,9 @@ function delete_cookie()
local cookie_str = "; Domain=."..domain.. local cookie_str = "; Domain=."..domain..
"; Path=/".. "; Path=/"..
"; Expires="..expired_time.. "; Expires="..expired_time..
"; Secure" "; Secure"..
"; HttpOnly"..
"; SameSite=Strict"
ngx.header["Set-Cookie"] = { ngx.header["Set-Cookie"] = {
"SSOwAuthUser="..cookie_str, "SSOwAuthUser="..cookie_str,
"SSOwAuthHash="..cookie_str, "SSOwAuthHash="..cookie_str,
@ -180,7 +184,9 @@ function delete_redirect_cookie()
local expired_time = "Thu, 01 Jan 1970 00:00:00 UTC;" local expired_time = "Thu, 01 Jan 1970 00:00:00 UTC;"
local cookie_str = "; Path="..conf["portal_path"].. local cookie_str = "; Path="..conf["portal_path"]..
"; Expires="..expired_time.. "; Expires="..expired_time..
"; Secure" "; Secure"..
"; HttpOnly"..
"; SameSite=Strict"
ngx.header["Set-Cookie"] = "SSOwAuthRedirect=;" ..cookie_str ngx.header["Set-Cookie"] = "SSOwAuthRedirect=;" ..cookie_str
end end
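Review bot: SameSite=Strict on the SSOwAuthUser and SSOwAuthHash cookies in set_auth_cookie also withholds the cookie on top-level cross-site navigations (a user following an external link into the portal arrives logged out), and browsers that do not implement the attribute ignore it, so it should be treated as defense in depth rather than the CSRF fix on its own. `SameSite=Lax` keeps the cookie off cross-site POSTs while preserving those navigations; if Strict is deliberate, a comment such as `-- Strict also blocks cross-site top-level GETs; server-side CSRF checks remain required` would record the trade-off. The same `"; Secure; HttpOnly; SameSite=Strict"` suffix is now repeated by hand in set_auth_cookie, delete_cookie and delete_redirect_cookie; one shared local like `local cookie_flags = "; Secure; HttpOnly; SameSite=Strict"` would keep the three in sync. set_auth_cookie's body starts before and continues past its hunk, so whether the redirect cookie is read by client-side script (which HttpOnly would now prevent) cannot be confirmed from here.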