merge 2755 and 2756 from branch 2.0 to trunk

- 2755 fix vulnerability http://www.milw0rm.com/exploits/6755
- 2756 security paranoia: protect session/remember me cookies from XSS attacks (works only if php>=5.2 and with IE/FF maybe others)


git-svn-id: http://piwigo.org/svn/trunk@2757 68402e56-0260-453c-a942-63ccdbb3a9ee

comments.php

@@ -65,7 +65,7 @@ $page['since'] = isset($_GET['since']) ? $_GET['since'] : 4;
 //
 $page['sort_by'] = 'date';
 // if the form was submitted, it overloads default behaviour
-if (isset($_GET['sort_by']))
+if (isset($_GET['sort_by']) and isset($sort_by[$_GET['sort_by']]) )
 {
   $page['sort_by'] = $_GET['sort_by'];
 }
@@ -74,7 +74,7 @@ if (isset($_GET['sort_by']))
 //
 $page['sort_order'] = 'DESC';
 // if the form was submitted, it overloads default behaviour
-if (isset($_GET['sort_order']))
+if (isset($_GET['sort_order']) and isset($sort_order[$_GET['sort_order']]))
 {
   $page['sort_order'] = $_GET['sort_order'];
 }

include/functions_session.inc.php

@@ -66,6 +66,7 @@ if (isset($conf['session_save_handler'])
     ini_set('session.use_cookies', $conf['session_use_cookies']);
     ini_set('session.use_only_cookies', $conf['session_use_only_cookies']);
     ini_set('session.use_trans_sid', intval($conf['session_use_trans_sid']));
+    ini_set('session.cookie_httponly', 1);
   }
   session_name($conf['session_name']);
   session_set_cookie_params(0, cookie_path());
@@ -227,4 +228,4 @@ function pwg_unset_session_var($var)
   return true;
 }
 
-?>
+?>

include/functions_user.inc.php

@@ -1013,16 +1013,28 @@ function log_user($user_id, $remember_me)
     if ($key!==false)
     {
       $cookie = $user_id.'-'.$now.'-'.$key;
-      setcookie($conf['remember_me_name'],
+      if (version_compare(PHP_VERSION, '5.2', '>=') )
+      {
+        setcookie($conf['remember_me_name'],
             $cookie,
             time()+$conf['remember_me_length'],
-            cookie_path()
+            cookie_path(),ini_get('session.cookie_domain'),ini_get('session.cookie_secure'),
+            ini_get('session.cookie_httponly')
           );
+      }
+      else
+      {
+        setcookie($conf['remember_me_name'],
+            $cookie,
+            time()+$conf['remember_me_length'],
+            cookie_path(),ini_get('session.cookie_domain'),ini_get('session.cookie_secure')
+          );
+      }
     }
   }
   else
   { // make sure we clean any remember me ...
-    setcookie($conf['remember_me_name'], '', 0, cookie_path());
+    setcookie($conf['remember_me_name'], '', 0, cookie_path(),ini_get('session.cookie_domain'));
   }
   if ( session_id()!="" )
   { // we regenerate the session for security reasons
@@ -1062,7 +1074,7 @@ function auto_login() {
         return true;
       }
     }
-    setcookie($conf['remember_me_name'], '', 0, cookie_path());
+    setcookie($conf['remember_me_name'], '', 0, cookie_path(),ini_get('session.cookie_domain'));
   }
   return false;
 }
@@ -1092,6 +1104,20 @@ SELECT '.$conf['user_fields']['id'].' AS id,
   return false;
 }
 
+/** Performs all the cleanup on user logout */
+function logout_user()
+{
+  global $conf;
+  $_SESSION = array();
+  session_unset();
+  session_destroy();
+  setcookie(session_name(),'',0,
+      ini_get('session.cookie_path'),
+      ini_get('session.cookie_domain')
+    );
+  setcookie($conf['remember_me_name'], '', 0, cookie_path(),ini_get('session.cookie_domain'));
+}
+
 /*
  * Return user status used in this library
  * @return string

include/user.inc.php

@@ -29,14 +29,7 @@ if (isset($_COOKIE[session_name()]))
   session_start();
   if (isset($_GET['act']) and $_GET['act'] == 'logout')
   { // logout
-    $_SESSION = array();
-    session_unset();
-    session_destroy();
-    setcookie(session_name(),'',0,
-        ini_get('session.cookie_path'),
-        ini_get('session.cookie_domain')
-      );
-    setcookie($conf['remember_me_name'], '', 0, cookie_path());
+    logout_user();
     redirect(make_index_url());
   }
   elseif (!empty($_SESSION['pwg_uid']))

include/ws_functions.inc.php

@@ -1187,17 +1187,9 @@ function ws_session_login($params, &$service)
  */
 function ws_session_logout($params, &$service)
 {
-  global $user, $conf;
   if (!is_a_guest())
   {
-    $_SESSION = array();
-    session_unset();
-    session_destroy();
-    setcookie(session_name(),'',0,
-        ini_get('session.cookie_path'),
-        ini_get('session.cookie_domain')
-      );
-    setcookie($conf['remember_me_name'], '', 0, cookie_path());
+    logout_user();
   }
   return true;
 }
@@ -1435,7 +1427,7 @@ function ws_categories_add($params, &$service)
   }
 
   invalidate_user_cache();
-  
+
   return $creation_output;
 }
 
@@ -1473,18 +1465,18 @@ function ws_images_exist($params, &$service)
     -1,
     PREG_SPLIT_NO_EMPTY
     );
-  
+
   $query = '
 SELECT
     id,
     md5sum
   FROM '.IMAGES_TABLE.'
-  WHERE md5sum IN (\''.implode("','", $md5sums).'\')  
+  WHERE md5sum IN (\''.implode("','", $md5sums).'\')
 ;';
   $id_of_md5 = simple_hash_from_query($query, 'md5sum', 'id');
 
   $result = array();
-  
+
   foreach ($md5sums as $md5sum)
   {
     $result[$md5sum] = null;

plugins/event_tracer/event_list.php

@@ -16,7 +16,7 @@ function get_php_files($path, $to_ignore=array(), $recursive=true )
           if ( $recursive and is_dir($path.'/'.$node) )
           {
             $files = array_merge($files, get_php_files($path.'/'.$node, $to_ignore));
-            
+
           }
           if ( is_file($path.'/'.$node) )
           {
@@ -43,7 +43,7 @@ foreach ($files as $file)
   $code = preg_replace( '#\?'.'>.*<\?php#m', '', $code);
   $code = preg_replace( '#\/\*.*\*\/#m', '', $code);
   $code = preg_replace( '#\/\/.*#', '', $code);
-  
+
   $count = preg_match_all(
     '#[^a-zA-Z_$-]trigger_(action|event)\s*\(\s*([^,)]+)#m',
     $code, $matches
@@ -57,7 +57,7 @@ foreach ($files as $file)
   }
 }
 
-$sort= isset($_GET['sort']) ? $_GET['sort'] : 1;
+$sort= isset($_GET['sort']) ? (int)$_GET['sort'] : 1;
 usort(
   $events,
   create_function( '$a,$b', 'return $a['.$sort.']>$b['.$sort.'];' )