PM-2039 "Las cookies de sesion no se ha definido con el flag..." SOLVED

Issue: Las cookies de sesion no se ha definido con el flag HttpOnly esta debe definirse para mitigar ataques de tipo cross-site scripting. Cause: No se a definido el parametro "httponly" al momento de usar la funcion "setcookie" Solution: Se define el parametro "httponly" al momento de usar la funcion "setcookie"
2015-04-13 11:59:47 -04:00
parent cffa3f095d
commit 2545468c19
7 changed files with 29 additions and 18 deletions
--- a/workflow/engine/classes/model/DashletInstance.php
+++ b/workflow/engine/classes/model/DashletInstance.php
@@ -18,7 +18,7 @@ class DashletInstance extends BaseDashletInstance
 {
    private $filterThisFields = array('DAS_INS_UID', 'DAS_UID', 'DAS_INS_OWNER_TYPE', 'DAS_INS_OWNER_UID',
                                    'DAS_INS_CREATE_DATE', 'DAS_INS_UPDATE_DATE', 'DAS_INS_STATUS',
-                                    'pmos_generik', 'ys-admin-tabpanel', 'PHPSESSID');
+                                    "pm_sys_sys", "ys-admin-tabpanel", "PHPSESSID");

    public function load($dasInsUid)
    {
--- a/workflow/engine/classes/triggers/api/class.zimbraApi.php
+++ b/workflow/engine/classes/triggers/api/class.zimbraApi.php
@@ -77,7 +77,11 @@ class Zimbra
    public function sso($options = '')
    {
        if ($this->_username) {
-            setcookie('ZM_SKIN', 'plymouth', time() + 60 * 60 * 24 * 30, '/', '.plymouth.edu');
+            if (PHP_VERSION < 5.2) {
+                setcookie("ZM_SKIN", "plymouth", time() + (60 * 60 * 24 * 30), "/", ".plymouth.edu");
+            } else {
+                setcookie("ZM_SKIN", "plymouth", time() + (60 * 60 * 24 * 30), "/", ".plymouth.edu", false, true);
+            }

            $pre_auth = $this->getPreAuth($this->_username);
            $url = $this->_protocol . '/service/preauth?account=' . $this->_username . '@' . $this->_server . '&expires=' . $this->_preauth_expiration . '&timestamp=' . $this->_timestamp . '&preauth=' . $pre_auth; //.'&'.$options;
@@ -828,7 +832,7 @@ class Zimbra
    {
        G::LoadSystem('inputfilter');
        $filter = new InputFilter();
-        
+
        if (!$connecting && !$this->_connected) {
            throw new Exception('zimbra.class: soapRequest called without a connection to Zimbra server');
        }
--- a/workflow/engine/methods/login/login.php
+++ b/workflow/engine/methods/login/login.php
@@ -125,7 +125,11 @@ if (isset ($_SESSION['USER_LOGGED'])) {
 session_start();
 session_regenerate_id();

-setcookie("workspaceSkin", SYS_SKIN, time() + 24*60*60, "/sys".SYS_SYS);
+if (PHP_VERSION < 5.2) {
+    setcookie("workspaceSkin", SYS_SKIN, time() + (24 * 60 * 60), "/sys" . SYS_SYS, "; HttpOnly");
+} else {
+    setcookie("workspaceSkin", SYS_SKIN, time() + (24 * 60 * 60), "/sys" . SYS_SYS, null, false, true);
+}

 if (strlen($msg) > 0) {
    $_SESSION['G_MESSAGE'] = $msg;
--- a/workflow/engine/src/ProcessMaker/BusinessModel/Light.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/Light.php
@@ -555,7 +555,7 @@ class Light
        session_start();
        session_regenerate_id();

-        setcookie("workspaceSkin", SYS_SKIN, time() + 24*60*60, "/sys".SYS_SYS);
+        setcookie("workspaceSkin", SYS_SKIN, time() + (24 * 60 * 60), "/sys" . SYS_SYS, null, false, true);

        if (strlen($msg) > 0) {
            $_SESSION['G_MESSAGE'] = $msg;
@@ -811,3 +811,4 @@ class Light
        return $response;
    }
 }
+
--- a/workflow/engine/src/ProcessMaker/Services/OAuth2/Server.php
+++ b/workflow/engine/src/ProcessMaker/Services/OAuth2/Server.php
@@ -356,7 +356,7 @@ class Server implements iAuthenticate
                    $lifetime = 1440;
                }

-                setcookie($session->getSessionName(), $_COOKIE[$session->getSessionName()], time() + $lifetime, "/");
+                setcookie($session->getSessionName(), $_COOKIE[$session->getSessionName()], time() + $lifetime, "/", null, false, true);
            }
        }

--- a/workflow/engine/xmlform/login/sysLogin.xml
+++ b/workflow/engine/xmlform/login/sysLogin.xml
@@ -26,8 +26,7 @@ SELECT LANG_ID, LANG_NAME FROM langOptions
 setFocus (getField ('USR_USERNAME'));

 leimnud.event.add(document.getElementById('form[BSUBMIT]'), 'click', function() {
-    ws = getField('USER_ENV').value;
-    createCookie('pmos_generik2', '{"ws":"'+ws+'"}', 365);
+    createCookie("pm_sys_sys", "{\"sys_sys\": \"" + getField("USER_ENV").value + "\"}", 365);

    var client = getBrowserClient();
    if (client.browser == "msie" || client.browser == "safari"){
@@ -36,12 +35,14 @@ leimnud.event.add(document.getElementById('form[BSUBMIT]'), 'click', function()
 }.extend(document.getElementById('form[BSUBMIT]')));

 try{
-    c = new String(readCookie('pmos_generik2'));
-    o = eval("("+c+")");
-    if( o != null){
-        getField('USER_ENV').value = o.ws;
+    var s = new String(readCookie("pm_sys_sys"));
+    var obj = eval("(" + s + ")");
+
+    if (obj != null) {
+        getField("USER_ENV").value = obj.sys_sys;
    }
 } catch(e){}

 ]]></JS>
 </dynaForm>
+
--- a/workflow/engine/xmlform/login/sysLoginNoWS.xml
+++ b/workflow/engine/xmlform/login/sysLoginNoWS.xml
@@ -28,8 +28,7 @@ SELECT LANG_ID, LANG_NAME FROM langOptions
 setFocus (getField ('USR_USERNAME'));

 leimnud.event.add(document.getElementById('form[BSUBMIT]'), 'click', function() {
-    ws = getField('USER_ENV').value;
-    createCookie('pmos_generik2', '{"ws":"'+ws+'"}', 365);
+    createCookie("pm_sys_sys", "{\"sys_sys\": \"" + getField("USER_ENV").value + "\"}", 365);

    /*
    var client = getBrowserClient();
@@ -45,12 +44,14 @@ leimnud.event.add(document.getElementById('form[BSUBMIT]'), 'click', function()
 }.extend(document.getElementById('form[BSUBMIT]')));

 try{
-    c = new String(readCookie('pmos_generik2'));
-    o = eval("("+c+")");
-    if( o != null){
-        getField('USER_ENV').value = o.ws;
+    var s = new String(readCookie("pm_sys_sys"));
+    var obj = eval("(" + s + ")");
+
+    if (obj != null) {
+        getField("USER_ENV").value = obj.sys_sys;
    }
 } catch(e){}

 ]]></JS>
 </dynaForm>
+