Point808/LobbySIO
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Vulnerability mitigation - revert secure cookies by default

Browse Source
This commit is contained in:
Josh North
2021-06-01 10:52:51 -04:00
parent 0a39b60eee
commit c2fb21c570
19 changed files with 106 additions and 99 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
index.php
View File

@@ -23,7 +23,7 @@
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.cookie_samesite', 'Lax');
session_save_path('.tmp'); // TEMP
session_start(); // START
require_once __DIR__ . '/autoload.php'; // AUTOLOAD
@@ -83,7 +83,7 @@
require_once("inc/header.inc.php");
header("X-Frame-Options: SAMEORIGIN");
header("X-Content-Type-Options: nosniff");
header("Content-Security-Policy: script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
//header("Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
if (!empty($_GET['a'])) {
echo '<pre>' . print_r($_POST, true) . '</pre>';
echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');
@@ -329,7 +329,7 @@ if (Registry::AUTHMETHOD == 'SAML') {
</div>
<div class="input-group input-group-sm mb-0">
<span class="input-group-text"><i class="fas fa-clock"></i></span>
<input placeholder="<?php echo $transLang['OPTIONAL']; ?>" name="outtime" type="text" class="form-control form-control-sm bg-white datetimepicker-input datetimepicker-<?php echo $row['visits_id']; ?>" id="datetimepicker-<?php echo $row['visits_id']; ?>" data-toggle="datetimepicker" data-target=".datetimepicker-<?php echo $row['visits_id']; ?>"/>
<input placeholder="<?php echo $transLang['OPTIONAL']; ?>" name="outtime" type="text" class="form-control form-control-sm bg-white datetimepicker-input datetimepicker-<?php echo $row['visits_id']; ?>" id="datetimepicker-<?php echo $row['visits_id']; ?>" data-bs-toggle="datetimepicker" data-bs-target=".datetimepicker-<?php echo $row['visits_id']; ?>"/>
<script type="text/javascript">
$(function () {
$('.datetimepicker-<?php echo $row['visits_id']; ?>').datetimepicker({'timeZone': '<?php echo $timezone; ?>', 'sideBySide':true, 'format':'YYYY-MM-DD HH:mm:ss'});
@@ -411,11 +411,11 @@ if (Registry::AUTHMETHOD == 'SAML') {
<button type="submit" name="approvevisit" id="approvevisit-<?php echo $visitid; ?>" value="<?php echo $visitid; ?>" class="btn btn-success btn-block btn-sm"><i class="fas fa-thumbs-up"></i>&nbsp;<?php echo $transLang['APPROVE']; ?></button>
</div>
<div class="input-group input-group-sm mb-0 d-grid gap-2">
<a data-toggle="modal" data-target="#voidModal" data-id="<?php echo $visitid; ?>" href="#voidModal" name="voidvisit" value="<?php echo $visitid; ?>" class="btn btn-danger btn-block btn-sm open-voidModal"><i class="fas fa-thumbs-down"></i>&nbsp;<?php echo $transLang['DECLINE']; ?></a>
<a data-bs-toggle="modal" data-bs-target="#voidModal" data-id="<?php echo $visitid; ?>" href="#voidModal" name="voidvisit" value="<?php echo $visitid; ?>" class="btn btn-danger btn-block btn-sm open-voidModal"><i class="fas fa-thumbs-down"></i>&nbsp;<?php echo $transLang['DECLINE']; ?></a>
</div>
<div class="input-group input-group-sm mb-0">
<span class="input-group-text"><i class="fas fa-clock"></i></span>
<input placeholder="<?php echo $transLang['OPTIONAL']; ?>" name="outtime" type="text" class="form-control form-control-sm bg-white datetimepicker-input datetimepicker-<?php echo $visitid; ?>" id="datetimepicker-<?php echo $visitid; ?>" data-toggle="datetimepicker" data-target=".datetimepicker-<?php echo $visitid; ?>" />
<input placeholder="<?php echo $transLang['OPTIONAL']; ?>" name="outtime" type="text" class="form-control form-control-sm bg-white datetimepicker-input datetimepicker-<?php echo $visitid; ?>" id="datetimepicker-<?php echo $visitid; ?>" data-bs-toggle="datetimepicker" data-bs-target=".datetimepicker-<?php echo $visitid; ?>" />
<script type="text/javascript">
$(function () {
$('.datetimepicker-<?php echo $visitid; ?>').datetimepicker({'sideBySide':true, 'format':'YYYY-MM-DD HH:mm:ss'});