Implement anti csrf measures

This is done by using the "samesite" cookie attribute.
author: xXx-caillou-xXx 2017-11-24 14:03:37 +0100
committer: jvoisin 2017-11-24 14:03:37 +0100
commit: 5a224ee0c92d1639395d6a0c629316ae64226125 (patch)
tree: 8925d27e2bbfa877e9fb1fc20868fbef3d009b04 /src/sp_config_keywords.c
parent: 79304a29661476dc75bba07c5a83133122bbcb5c (diff)
1 files changed, 37 insertions, 16 deletions
diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c
index 34b855a..077d78f 100644
--- a/src/sp_config_keywords.c
+++ b/src/sp_config_keywords.c
@@ -105,12 +105,16 @@ int parse_global(char *line) {
  return parse_keywords(sp_config_funcs_global, line);
 }
-int parse_cookie_encryption(char *line) {
+int parse_cookie(char *line) {
  int ret = 0;
-  char *name = NULL;
+  char *samesite = NULL, *name = NULL;
+  sp_cookie *cookie = pecalloc(sizeof(sp_cookie), 1, 1);
+  zend_string *zend_name;
  sp_config_functions sp_config_funcs_cookie_encryption[] = {
      {parse_str, SP_TOKEN_NAME, &name},
+      {parse_str, SP_TOKEN_SAMESITE, &samesite},
+      {parse_empty, SP_TOKEN_ENCRYPT, &cookie->encrypt},
      {0}};
  ret = parse_keywords(sp_config_funcs_cookie_encryption, line);
@@ -118,25 +122,42 @@ int parse_cookie_encryption(char *line) {
    return ret;
  }
-  if (0 == (SNUFFLEUPAGUS_G(config).config_snuffleupagus->cookies_env_var)) {
+  if (cookie->encrypt) {
-    sp_log_err("config", "You're trying to use the cookie encryption feature"
+    if (0 == (SNUFFLEUPAGUS_G(config).config_snuffleupagus->cookies_env_var)) {
-      "on line %zu without having set the `.cookie_env_var` option in"
+      sp_log_err("config", "You're trying to use the cookie encryption feature"
-      "`sp.global`: please set it first.", sp_line_no);
+        "on line %zu without having set the `.cookie_env_var` option in"
-    return -1;
+        "`sp.global`: please set it first.", sp_line_no);
-  } else if (0 == (SNUFFLEUPAGUS_G(config).config_snuffleupagus->encryption_key)) {
+      return -1;
-    sp_log_err("config", "You're trying to use the cookie encryption feature"
+    } else if (0 == (SNUFFLEUPAGUS_G(config).config_snuffleupagus->encryption_key)) {
-      "on line %zu without having set the `.encryption_key` option in"
+      sp_log_err("config", "You're trying to use the cookie encryption feature"
-      "`sp.global`: please set it first.", sp_line_no);
+        "on line %zu without having set the `.encryption_key` option in"
+        "`sp.global`: please set it first.", sp_line_no);
+      return -1;
+    }
+  } else if (!samesite) {
+    sp_log_err("config", "You must specify a at least one action to a cookie on line "
+      "%zu.", sp_line_no);
    return -1;
-  } else if (0 == strlen(name)) {
+  }
-    sp_log_err("config", "You must specify a cookie name to encrypt on line "
+  if (0 == strlen(name)) {
+    sp_log_err("config", "You must specify a cookie name on line "
      "%zu.", sp_line_no);
    return -1;
  }
+  if (samesite) {
+    if (0 == strcasecmp(samesite, SP_TOKEN_SAMESITE_LAX)) {
+      cookie->samesite = lax;
+    } else if (0 == strcasecmp(samesite, SP_TOKEN_SAMESITE_STRICT)) {
+      cookie->samesite = strict;
+    } else {
+      sp_log_err("config", "%s is an invalid value to samesite (expected %s or %s) on line "
+        "%zu.", samesite, SP_TOKEN_SAMESITE_LAX, SP_TOKEN_SAMESITE_STRICT, sp_line_no);
+      return -1;
+    }
+  }
-  zend_hash_str_add_empty_element(
+  zend_name = zend_string_init(name, strlen(name), 1);
-      SNUFFLEUPAGUS_G(config).config_cookie_encryption->names, name,
+  zend_hash_add_ptr(SNUFFLEUPAGUS_G(config).config_cookie->cookies, zend_name, cookie);
-      strlen(name));
  return SUCCESS;
 }
author	xXx-caillou-xXx	2017-11-24 14:03:37 +0100
committer	jvoisin	2017-11-24 14:03:37 +0100
commit	5a224ee0c92d1639395d6a0c629316ae64226125 (patch)
tree	8925d27e2bbfa877e9fb1fc20868fbef3d009b04 /src/sp_config_keywords.c
parent	79304a29661476dc75bba07c5a83133122bbcb5c (diff)