51369b610e
When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again.
77 lines
2.9 KiB
Plaintext
77 lines
2.9 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
In _php.ini_ you can specify the flags for the session cookie which is security-sensitive:
|
|
|
|
----
|
|
session.cookie_httponly = 0; // Sensitive: this sensitive session cookie is created with the httponly flag set to false and so it can be stolen easily in case of XSS vulnerability
|
|
----
|
|
|
|
Same thing in PHP code:
|
|
|
|
----
|
|
session_set_cookie_params($lifetime, $path, $domain, true, false); // Sensitive: this sensitive session cookie is created with the httponly flag (the fifth argument) set to false and so it can be stolen easily in case of XSS vulnerability
|
|
----
|
|
|
|
If you create a custom security-sensitive cookie in your PHP code:
|
|
|
|
----
|
|
$value = "sensitive data";
|
|
setcookie($name, $value, $expire, $path, $domain, true, false); // Sensitive: this sensitive cookie is created with the httponly flag (the seventh argument) set to false and so it can be stolen easily in case of XSS vulnerability
|
|
----
|
|
|
|
By default https://www.php.net/manual/en/function.setcookie.php[``++setcookie++``] and https://www.php.net/manual/en/function.setrawcookie.php[``++setrawcookie++``] functions set ``++httpOnly++`` flag to _false_ (the seventh argument) and so cookies can be stolen easily in case of XSS vulnerability:
|
|
|
|
----
|
|
$value = "sensitive data";
|
|
setcookie($name, $value, $expire, $path, $domain, true); // Sensitive: a sensitive cookie is created with the httponly flag (the seventh argument) not defined (by default set to false)
|
|
setrawcookie($name, $value, $expire, $path, $domain, true); // Sensitive: a sensitive cookie is created with the httponly flag (the seventh argument) not defined (by default set to false)
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
[source,php]
|
|
----
|
|
session.cookie_httponly = 1; // Compliant: the sensitive cookie is protected against theft thanks (cookie_httponly=1)
|
|
----
|
|
|
|
[source,php]
|
|
----
|
|
session_set_cookie_params($lifetime, $path, $domain, true, true); // Compliant: the sensitive cookie is protected against theft thanks to the fifth argument set to true (HttpOnly=true)
|
|
----
|
|
|
|
[source,php]
|
|
----
|
|
$value = "sensitive data";
|
|
setcookie($name, $value, $expire, $path, $domain, true, true); // Compliant: the sensitive cookie is protected against theft thanks to the seventh argument set to true (HttpOnly=true)
|
|
setrawcookie($name, $value, $expire, $path, $domain, true, true); // Compliant: the sensitive cookie is protected against theft thanks to the seventh argument set to true (HttpOnly=true)
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
php.ini file: Set the "session.cookie_httponly" property to "true".
|
|
|
|
php files: Set the last argument of "setcookie()" function to "true".
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|