From b10c41a2947eea81a1b323952c928cda5263f837 Mon Sep 17 00:00:00 2001
From: Tim Starling
Date: Thu, 25 Jun 2020 16:03:35 +1000
Subject: [PATCH] In the web installer, use secure session cookies
When starting a session when the detected protocol is HTTPS, use cookie_secure=1 so that the session cookie has the secure attribute. Without the secure attribute, a CSRF attack could be used to send cookies over an insecure channel, leaking the session ID to an attacker with network access.
Change-Id: I1a4b612425a16da1a7a8fd855f376a377b0b48d7
(cherry picked from commit 9ba8f8d12475a37848eaadae0effae8d956e3342)
---
 includes/installer/WebInstaller.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/includes/installer/WebInstaller.php b/includes/installer/WebInstaller.php
index 8fb980791e..545cc06cae 100644
--- a/includes/installer/WebInstaller.php
+++ b/includes/installer/WebInstaller.php
@@ -341,11 +341,17 @@ class WebInstaller extends Installer {
 return true;
 }
 
+ // Use secure cookies if we are on HTTPS
+ $options = [];
+ if ( $this->request->getProtocol() === 'https' ) {
+ $options['cookie_secure'] = '1';
+ }
+
 $this->phpErrors = [];
 set_error_handler( [ $this, 'errorHandler' ] );
 try {
 session_name( 'mw_installer_session' );
- session_start();
+ session_start( $options );
 } catch ( Exception $e ) {
 restore_error_handler();
 throw $e;
-- 
2.20.1
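Review bot: The new `$options` array only sets `cookie_secure`, so the installer session cookie is still readable by script and still sent on cross-site requests; since this code path is already building per-session cookie options, it is the natural place to also harden it with `$options = [ 'cookie_httponly' => '1', 'cookie_samesite' => 'Lax' ];` (the `https` branch then adds `cookie_secure` as it does now). Whether `getProtocol()` correctly reports HTTPS behind a TLS-terminating reverse proxy cannot be judged from this hunk; if it falls back to `http` in that deployment the Secure attribute is silently dropped, which is worth a one-line comment such as `// Relies on getProtocol()'s proxy handling; on a misdetected https deployment the cookie is sent without Secure`. The enclosing method begins and ends outside this hunk, so the pre-existing early `return true` path and the remainder of the try/catch are not visible here.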