Merge pull request #746 from Zankaria/secure-login-triple

Rework secure_login_only configuration option to allow secure default and header checking
2024-11-23 23:20:57 +01:00 · 2024-05-16 00:55:16 -07:00 · 2024-05-16 00:55:16 -07:00 · 7899476323
commit 7899476323
parent feb2860d9e d700aa0522
4 changed files with 18 additions and 14 deletions
--- a/inc/config.php
+++ b/inc/config.php
@ -194,8 +194,13 @@
 	// Whether or not you can access the mod cookie in JavaScript. Most users should not need to change this.
 	$config['cookies']['httponly'] = true;

-	// Do not allow logins via unencrypted HTTP. If your website uses HTTPS, turn this on.
-	$config['cookies']['secure_login_only'] = false;
+	// Do not allow logins via unsecure connections.
+	// 0 = off. Allow logins on unencrypted HTTP connections. Should only be used in testing environments.
+	// 1 = on, trust HTTP headers. Allow logins on (at least reportedly partial) HTTPS connections. Use this only if you
+	// use a proxy, CDN or load balancer via an unencrypted connection. Be sure to filter 'HTTP_X_FORWARDED_PROTO' in
+	// the remote server, since an attacker could inject the header from the client.
+	// 2 = on, do not trust HTTP headers. Secure default, allow logins only on HTTPS connections.
+	$config['cookies']['secure_login_only'] = 2;

 	// Used to salt secure tripcodes ("##trip") and poster IDs (if enabled).
 	$config['secure_trip_salt'] = ')(*&^%$#@!98765432190zyxwvutsrqponmlkjihgfedcba';
--- a/inc/functions/net.php
+++ b/inc/functions/net.php
@ -3,16 +3,14 @@ namespace Vichan\Functions\Net;


 /**
+ * @param bool $trust_headers. If true, trust the `HTTP_X_FORWARDED_PROTO` header to check if the connection is HTTPS.
 * @return bool Returns if the client-server connection is an encrypted one (HTTPS).
 */
-function is_connection_secure(): bool {
-    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
-        return true;
-    }
-    elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
-        return true;
-    }
-    else {
+function is_connection_secure(bool $trust_headers): bool {
+	if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
+		return true;
+	} elseif ($trust_headers && isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
+		return true;
+	}
 	return false;
-    }
 }
--- a/inc/mod/auth.php
+++ b/inc/mod/auth.php
@ -118,7 +118,7 @@ function setCookies(): void {
 		error('setCookies() was called for a non-moderator!');
 	}

-	$is_https = Net\is_connection_secure();
+	$is_https = Net\is_connection_secure($config['cookies']['secure_login_only'] === 1);
 	$is_path_jailed = $config['cookies']['jail'];
 	$name = calc_cookie_name($is_https, $is_path_jailed, $config['cookies']['mod']);

@ -235,7 +235,7 @@ function make_secure_link_token(string $uri): string {
 function check_login(bool $prompt = false): void {
 	global $config, $mod;

-	$is_https = Net\is_connection_secure();
+	$is_https = Net\is_connection_secure($config['cookies']['secure_login_only'] === 1);
 	$is_path_jailed = $config['cookies']['jail'];
 	$expected_cookie_name = calc_cookie_name($is_https, $is_path_jailed, $config['cookies']['mod']);

--- a/inc/mod/pages.php
+++ b/inc/mod/pages.php
@ -35,7 +35,8 @@ function mod_login($redirect = false) {

 	$args = [];

-	if ($config['cookies']['secure_login_only'] && !Net\is_connection_secure()) {
+	$secure_login_mode = $config['cookies']['secure_login_only'];
+	if ($secure_login_mode !== 0 && !Net\is_connection_secure($secure_login_mode === 1)) {
 		$args['error'] = $config['error']['insecure'];
 	} elseif (isset($_POST['login'])) {
 		// Check if inputs are set and not empty