From 1dc8b24665bfe65ef6696468235f5698e4195899 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Fri, 16 Apr 2021 20:15:12 +0200 Subject: [PATCH] transmit cookie only over HTTPS, fixes #472 --- CHANGELOG.md | 1 + js/privatebin.js | 2 +- lib/Controller.php | 4 ++-- tpl/bootstrap.php | 2 +- tpl/page.php | 2 +- 5 files changed, 6 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7276c84..00f5f21 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ * **1.4 (not yet released)** * ADDED: Translation for Estonian * ADDED: new HTTP headers improving security (#765) + * CHANGED: Language selection cookie only transmitted over HTTPS (#472) * **1.3.5 (2021-04-05)** * ADDED: Translation for Hebrew, Lithuanian, Indonesian and Catalan * ADDED: Make the project info configurable (#681) diff --git a/js/privatebin.js b/js/privatebin.js index e549dd6..0519970 100644 --- a/js/privatebin.js +++ b/js/privatebin.js @@ -3676,7 +3676,7 @@ jQuery.PrivateBin = (function($, RawDeflate) { */ function setLanguage(event) { - document.cookie = 'lang=' + $(event.target).data('lang'); + document.cookie = 'lang=' + $(event.target).data('lang') + ';secure'; UiHelper.reloadHome(); } diff --git a/lib/Controller.php b/lib/Controller.php index bc23a52..5b81cd8 100644 --- a/lib/Controller.php +++ b/lib/Controller.php @@ -170,7 +170,7 @@ class Controller // force default language, if language selection is disabled and a default is set if (!$this->_conf->getKey('languageselection') && strlen($lang) == 2) { $_COOKIE['lang'] = $lang; - setcookie('lang', $lang); + setcookie('lang', $lang, 0, '', '', true); } } @@ -367,7 +367,7 @@ class Controller $languageselection = ''; if ($this->_conf->getKey('languageselection')) { $languageselection = I18n::getLanguage(); - setcookie('lang', $languageselection); + setcookie('lang', $languageselection, 0, '', '', true); } $page = new View; diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php index ffea872..f8f9444 100644 --- a/tpl/bootstrap.php +++ b/tpl/bootstrap.php @@ -72,7 +72,7 @@ endif; ?> - + diff --git a/tpl/page.php b/tpl/page.php index e58617d..a227232 100644 --- a/tpl/page.php +++ b/tpl/page.php @@ -50,7 +50,7 @@ endif; ?> - +