From: Tim Starling Date: Thu, 25 Jun 2020 06:03:35 +0000 (+1000) Subject: In the web installer, use secure session cookies X-Git-Tag: production~3 X-Git-Url: http://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=commitdiff_plain;h=b10c41a2947eea81a1b323952c928cda5263f837 In the web installer, use secure session cookies When starting a session when the detected protocol is HTTPS, use cookie_secure=1 so that the session cookie has the secure attribute. Without the secure attribute, a CSRF attack could be used to send cookies over an insecure channel, leaking the session ID to an attacker with network access. Change-Id: I1a4b612425a16da1a7a8fd855f376a377b0b48d7 (cherry picked from commit 9ba8f8d12475a37848eaadae0effae8d956e3342)
---
diff --git a/includes/installer/WebInstaller.php b/includes/installer/WebInstaller.php
index 8fb980791e..545cc06cae 100644
--- a/includes/installer/WebInstaller.php
+++ b/includes/installer/WebInstaller.php
@@ -341,11 +341,17 @@ class WebInstaller extends Installer {
 return true;
 }
 
+ // Use secure cookies if we are on HTTPS
+ $options = [];
+ if ( $this->request->getProtocol() === 'https' ) {
+ $options['cookie_secure'] = '1';
+ }
+
 $this->phpErrors = [];
 set_error_handler( [ $this, 'errorHandler' ] );
 try {
 session_name( 'mw_installer_session' );
- session_start();
+ session_start( $options );
 } catch ( Exception $e ) {
 restore_error_handler();
 throw $e;
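Review bot: The new `$options` array sets only `cookie_secure`, so the installer session cookie is still issued without `HttpOnly` (and without `SameSite`), leaving the session ID readable by any script that runs on an installer page; since this cookie is only consumed server-side, `$options['cookie_httponly'] = '1';` can be set unconditionally before the HTTPS check, and `$options['cookie_samesite'] = 'Lax';` as well if the supported PHP baseline is 7.3 or newer. The HTTPS detection depends entirely on `$this->request->getProtocol()`, whose implementation is outside this hunk; if it does not reflect a forwarded-protocol header from a TLS-terminating proxy, the Secure flag is silently dropped in that deployment, which deserves a comment such as `// getProtocol() must report the client-facing scheme when behind a TLS-terminating proxy`. The enclosing method begins and ends outside the hunk.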