Merge pull request dokuwiki#3994 from dokuwiki/cookie

Set SameSite=Lax Cookie Attribute and Upgrade Requirements to PHP 7.4

Author: splitbrain

.github/workflows/testLinux.yml

@@ -18,7 +18,7 @@ jobs:
 
         strategy:
             matrix:
-                php-versions: ['7.2', '7.3', '7.4', '8.0', '8.1', '8.2']
+                php-versions: ['7.4', '8.0', '8.1', '8.2']
             fail-fast: false
 
         services:

.github/workflows/testWindows.yml

@@ -18,7 +18,7 @@ jobs:
 
         strategy:
             matrix:
-                php-versions: ['7.2', '7.3', '7.4', '8.0', '8.1', '8.2']
+                php-versions: ['7.4', '8.0', '8.1', '8.2']
             fail-fast: false
 
         steps:

_test/fetchphpunit.php

@@ -8,8 +8,8 @@
 print "Running PHP $phpVersion\n";
 
 
-if(version_compare($phpVersion, '7.2') < 0) {
-    echo 'we no longer support PHP versions < 7.2 and thus do not support tests on them';
+if(version_compare($phpVersion, '7.4') < 0) {
+    echo 'we no longer support PHP versions < 7.4 and thus do not support tests on them';
     exit(1);
 }
 

composer.json

@@ -5,7 +5,7 @@
     "type": "project",
     "license": "GPL v2",
     "require": {
-        "php": ">=7.2",
+        "php": ">=7.4",
         "ext-json": "*",
         "splitbrain/php-archive": "~1.0",
         "phpseclib/phpseclib": "~2.0",
@@ -21,7 +21,7 @@
     },
     "config": {
         "platform": {
-            "php": "7.2"
+            "php": "7.4"
         }
     },
     "suggest": {

composer.lock

@@ -64,6 +64,7 @@
 $conf['disableactions'] = '';            //comma separated list of actions to disable
 $conf['auth_security_timeout'] = 900;    //time (seconds) auth data is considered valid, set to 0 to recheck on every page view
 $conf['securecookie'] = 1;               //never send HTTPS cookies via HTTP
+$conf['samesitecookie'] = 'Lax';         //SameSite attribute for cookies (Lax|Strict|None|Empty)
 $conf['remote']      = 0;                //Enable/disable remote interfaces
 $conf['remoteuser']  = '!!not set!!';    //user/groups that have access to remote interface (comma separated). leave empty to allow all users
 $conf['remotecors']  = '';               //enable Cross-Origin Resource Sharing (CORS) for the remote interfaces. Asterisk (*) to allow all origins. leave empty to deny.

conf/dokuwiki.php

@@ -429,7 +429,13 @@ function auth_logoff($keepbc = false) {
     $USERINFO = null; //FIXME
 
     $cookieDir = empty($conf['cookiedir']) ? DOKU_REL : $conf['cookiedir'];
-    setcookie(DOKU_COOKIE, '', time() - 600000, $cookieDir, '', ($conf['securecookie'] && is_ssl()), true);
+    setcookie(DOKU_COOKIE, '', [
+        'expires' => time() - 600000,
+        'path' => $cookieDir,
+        'secure' => ($conf['securecookie'] && is_ssl()),
+        'httponly' => true,
+        'samesite' => $conf['samesitecookie'] ?: null, // null means browser default
+    ]);
 
     if($auth) $auth->logOff();
 }
@@ -1256,7 +1262,13 @@ function auth_setCookie($user, $pass, $sticky) {
     $cookie    = base64_encode($user).'|'.((int) $sticky).'|'.base64_encode($pass);
     $cookieDir = empty($conf['cookiedir']) ? DOKU_REL : $conf['cookiedir'];
     $time      = $sticky ? (time() + 60 * 60 * 24 * 365) : 0; //one year
-    setcookie(DOKU_COOKIE, $cookie, $time, $cookieDir, '', ($conf['securecookie'] && is_ssl()), true);
+    setcookie(DOKU_COOKIE, $cookie, [
+        'expires' => $time,
+        'path' => $cookieDir,
+        'secure' => ($conf['securecookie'] && is_ssl()),
+        'httponly' => true,
+        'samesite' => $conf['samesitecookie'] ?: null, // null means browser default
+    ]);
 
     // set session
     $_SESSION[DOKU_COOKIE]['auth']['user'] = $user;

inc/auth.php

@@ -743,17 +743,10 @@ function checkwordblock($text = '') {
     // phpcs:enable
 
     $wordblocks = getWordblocks();
-    // how many lines to read at once (to work around some PCRE limits)
-    if(version_compare(phpversion(), '4.3.0', '<')) {
-        // old versions of PCRE define a maximum of parenthesises even if no
-        // backreferences are used - the maximum is 99
-        // this is very bad performancewise and may even be too high still
-        $chunksize = 40;
-    } else {
-        // read file in chunks of 200 - this should work around the
-        // MAX_PATTERN_SIZE in modern PCRE
-        $chunksize = 200;
-    }
+    // read file in chunks of 200 - this should work around the
+    // MAX_PATTERN_SIZE in modern PCRE
+    $chunksize = 200;
+
     while($blocks = array_splice($wordblocks, 0, $chunksize)) {
         $re = array();
         // build regexp from blocks
@@ -1952,7 +1945,12 @@ function set_doku_pref($pref, $val) {
     if(defined('DOKU_UNITTEST')) {
         $_COOKIE['DOKU_PREFS'] = $cookieVal;
     }else{
-        setcookie('DOKU_PREFS', $cookieVal, time()+365*24*3600, $cookieDir, '', ($conf['securecookie'] && is_ssl()));
+        setcookie('DOKU_PREFS', $cookieVal, [
+            'expires' => time() + 365 * 24 * 3600,
+            'path' => $cookieDir,
+            'secure' => ($conf['securecookie'] && is_ssl()),
+            'samesite' => 'Lax'
+        ]);
     }
 }
 

inc/common.php

@@ -155,13 +155,13 @@ function check(){
     if ($INFO['isadmin'] || $INFO['ismanager']){
         msg('DokuWiki version: '.getVersion(),1);
 
-        if(version_compare(phpversion(),'7.2.0','<')){
-            msg('Your PHP version is too old ('.phpversion().' vs. 7.2+ needed)',-1);
+        if(version_compare(phpversion(),'7.4.0','<')){
+            msg('Your PHP version is too old ('.phpversion().' vs. 7.4+ needed)',-1);
         }else{
             msg('PHP version '.phpversion(),1);
         }
     } else {
-        if(version_compare(phpversion(),'7.2.0','<')){
+        if(version_compare(phpversion(),'7.4.0','<')){
             msg('Your PHP version is too old',-1);
         }
     }

inc/infoutils.php

@@ -249,13 +249,14 @@ function_exists('ob_gzhandler') &&
 function init_session() {
     global $conf;
     session_name(DOKU_SESSION_NAME);
-    session_set_cookie_params(
-        DOKU_SESSION_LIFETIME,
-        DOKU_SESSION_PATH,
-        DOKU_SESSION_DOMAIN,
-        ($conf['securecookie'] && is_ssl()),
-        true
-    );
+    session_set_cookie_params([
+        'lifetime' => DOKU_SESSION_LIFETIME,
+        'path' => DOKU_SESSION_PATH,
+        'domain' => DOKU_SESSION_DOMAIN,
+        'secure' => ($conf['securecookie'] && is_ssl()),
+        'httponly' => true,
+        'samesite' => 'Lax',
+    ]);
 
     // make sure the session cookie contains a valid session ID
     if(isset($_COOKIE[DOKU_SESSION_NAME]) && !preg_match('/^[-,a-zA-Z0-9]{22,256}$/', $_COOKIE[DOKU_SESSION_NAME])) {

inc/init.php

@@ -574,8 +574,8 @@ function check_functions()
     global $lang;
     $ok = true;
 
-    if (version_compare(phpversion(), '5.6.0', '<')) {
-        $error[] = sprintf($lang['i_phpver'], phpversion(), '5.6.0');
+    if (version_compare(phpversion(), '7.4.0', '<')) {
+        $error[] = sprintf($lang['i_phpver'], phpversion(), '7.4.0');
         $ok = false;
     }
 

install.php

@@ -106,6 +106,7 @@
 $lang['disableactions_rss'] = 'XML Syndication (RSS)';
 $lang['auth_security_timeout'] = 'Authentication Security Timeout (seconds)';
 $lang['securecookie'] = 'Should cookies set via HTTPS only be sent via HTTPS by the browser? Disable this option when only the login of your wiki is secured with SSL but browsing the wiki is done unsecured.';
+$lang['samesitecookie'] = 'The samesite cookie attribute to use. Leaving it empty will let the browser decide on the samesite policy.';
 $lang['remote']      = 'Enable the remote API system. This allows other applications to access the wiki via XML-RPC or other mechanisms.';
 $lang['remoteuser']  = 'Restrict remote API access to the comma separated groups or users given here. Leave empty to give access to everyone.';
 $lang['remotecors']  = 'Enable Cross-Origin Resource Sharing (CORS) for the remote interfaces. Asterisk (*) to allow all origins. Leave empty to deny CORS.';

lib/plugins/config/lang/en/lang.php

@@ -158,6 +158,7 @@
 );
 $meta['auth_security_timeout'] = array('numeric');
 $meta['securecookie'] = array('onoff');
+$meta['samesitecookie'] = array('multichoice','_choices' => array('','Lax','Strict','None'));
 $meta['remote']       = array('onoff','_caution' => 'security');
 $meta['remoteuser']   = array('string');
 $meta['remotecors']   = array('string', '_caution' => 'security');

lib/plugins/config/settings/config.metadata.php

@@ -14,5 +14,6 @@
     'splitbrain\\JSStrip\\' => array($vendorDir . '/splitbrain/php-jsstrip/src'),
     'phpseclib\\' => array($vendorDir . '/phpseclib/phpseclib/phpseclib'),
     'SimplePie\\' => array($vendorDir . '/simplepie/simplepie/src'),
+    'IXR\\tests\\' => array($vendorDir . '/kissifrot/php-ixr/tests'),
     'IXR\\' => array($vendorDir . '/kissifrot/php-ixr/src'),
 );

vendor/composer/autoload_psr4.php

@@ -31,6 +31,7 @@ class ComposerStaticInita19a915ee98347a0c787119619d2ff9b
         ),
         'I' => 
         array (
+            'IXR\\tests\\' => 10,
             'IXR\\' => 4,
         ),
     );
@@ -68,6 +69,10 @@ class ComposerStaticInita19a915ee98347a0c787119619d2ff9b
         array (
             0 => __DIR__ . '/..' . '/simplepie/simplepie/src',
         ),
+        'IXR\\tests\\' => 
+        array (
+            0 => __DIR__ . '/..' . '/kissifrot/php-ixr/tests',
+        ),
         'IXR\\' => 
         array (
             0 => __DIR__ . '/..' . '/kissifrot/php-ixr/src',