In the web installer, use secure session cookies
authorTim Starling <tstarling@wikimedia.org>
Thu, 25 Jun 2020 06:03:35 +0000 (16:03 +1000)
committerReedy <reedy@wikimedia.org>
Thu, 25 Jun 2020 13:32:22 +0000 (13:32 +0000)
When starting a session when the detected protocol is HTTPS, use
cookie_secure=1 so that the session cookie has the secure attribute.

Without the secure attribute, a CSRF attack could be used to send
cookies over an insecure channel, leaking the session ID to an attacker
with network access.

Change-Id: I1a4b612425a16da1a7a8fd855f376a377b0b48d7
(cherry picked from commit 9ba8f8d12475a37848eaadae0effae8d956e3342)

includes/installer/WebInstaller.php

index 8fb9807..545cc06 100644 (file)
@@ -341,11 +341,17 @@ class WebInstaller extends Installer {
                        return true;
                }
 
+               // Use secure cookies if we are on HTTPS
+               $options = [];
+               if ( $this->request->getProtocol() === 'https' ) {
+                       $options['cookie_secure'] = '1';
+               }
+
                $this->phpErrors = [];
                set_error_handler( [ $this, 'errorHandler' ] );
                try {
                        session_name( 'mw_installer_session' );
-                       session_start();
+                       session_start( $options );
                } catch ( Exception $e ) {
                        restore_error_handler();
                        throw $e;
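Review bot: The `$options` array passed to `session_start()` sets only `cookie_secure`, so the `mw_installer_session` cookie stays readable from script unless php.ini happens to enable `session.cookie_httponly`. Initialising it as `$options = [ 'cookie_httponly' => '1' ];` before the HTTPS check would keep the session ID out of reach of any script injected into an installer page, on both HTTP and HTTPS. The secure flag also depends entirely on `$this->request->getProtocol()`, whose detection logic is not visible here; it is worth confirming that it reports `https` when TLS is terminated at a proxy in front of the installer, otherwise the attribute is silently omitted. The enclosing method starts before this hunk and its `try` block continues past the last line shown.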