diff -urp orig/includes/bootstrap.inc new/includes/bootstrap.inc
--- orig/includes/bootstrap.inc	2008-02-11 06:36:21.000000000 -0800
+++ new/includes/bootstrap.inc	2008-07-30 10:45:07.000000000 -0700
@@ -274,7 +274,7 @@ function conf_init() {
   global $base_url, $base_path, $base_root;
 
   // Export the following settings.php variables to the global namespace
-  global $db_url, $db_prefix, $cookie_domain, $conf, $installed_profile, $update_free_access;
+  global $db_url, $db_prefix, $cookie_domain, $conf, $installed_profile, $update_free_access, $session_cookie_path;
   $conf = array();
 
   if (file_exists('./'. conf_path() .'/settings.php')) {
@@ -311,9 +311,17 @@ function conf_init() {
     }
   }
 
+  if (!isset($session_cookie_path) || @strlen($session_cookie_path)<1) {
+    $session_cookie_path=$base_path;
+  }
+
+  if (strlen($session_cookie_path)<1) {
+    $session_cookie_path='/'; // default to insecure whole website
+  }
+
   if ($cookie_domain) {
-    // If the user specifies the cookie domain, also use it for session name.
-    $session_name = $cookie_domain;
+    // If the user specifies the cookie domain + base path, also use it for session name.
+    $session_name = $cookie_domain.$base_path;
   }
   else {
     // Otherwise use $base_url as session name, without the protocol
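Review bot: The `@` in `@strlen($session_cookie_path)<1` on the first added `if` is redundant: the `!isset(...) ||` short-circuit already guarantees the variable is set when `strlen` runs, so the suppression can only hide unrelated errors. Both checks are also string-emptiness tests written as integer comparisons; `if (!isset($session_cookie_path) || $session_cookie_path === '') { $session_cookie_path = $base_path; }` expresses the same thing without the `@`. The second fallback to `'/'` only fires when `$base_path` is itself empty, which depends on code earlier in conf_init that is outside this hunk; if that cannot happen the branch is dead and its "default to insecure whole website" comment misleads, otherwise the comment should say when the fallback applies. conf_init starts and ends outside this hunk.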
@@ -331,11 +339,6 @@ function conf_init() {
   }
   $cookie_domain = explode(':', $cookie_domain);
   $cookie_domain = '.'. $cookie_domain[0];
-  // Per RFC 2109, cookie domains must contain at least one dot other than the
-  // first. For hosts such as 'localhost' or IP Addresses we don't set a cookie domain.
-  if (count(explode('.', $cookie_domain)) > 2 && !is_numeric(str_replace('.', '', $cookie_domain))) {
-    ini_set('session.cookie_domain', $cookie_domain);
-  }
   session_name('SESS'. md5($session_name));
 }
 
@@ -931,6 +934,7 @@ function drupal_bootstrap($phase) {
 
 function _drupal_bootstrap($phase) {
   global $conf;
+  global $session_cookie_path, $cookie_domain;
 
   switch ($phase) {
 
@@ -972,6 +976,13 @@ function _drupal_bootstrap($phase) {
 
     case DRUPAL_BOOTSTRAP_SESSION:
       require_once variable_get('session_inc', './includes/session.inc');
+      // Per RFC 2109, cookie domains must contain at least one dot other than the
+      // first. For hosts such as 'localhost' or IP Addresses we don't set a cookie domain.
+      if (count(explode('.', $cookie_domain)) > 2 && !is_numeric(str_replace('.', '', $cookie_domain))) {
+        session_set_cookie_params(session.cookie_lifetime, $session_cookie_path, $cookie_domain);
+      } else {
+        session_set_cookie_params(session.cookie_lifetime, $session_cookie_path);
+      }
       session_set_save_handler('sess_open', 'sess_close', 'sess_read', 'sess_write', 'sess_destroy_sid', 'sess_gc');
       session_start();
       break;
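Review bot: `session.cookie_lifetime` in both added `session_set_cookie_params` calls is not the ini setting but the PHP expression `session . cookie_lifetime`, two undefined constants concatenated: on the PHP versions this code targets it emits notices and passes the string `'sessioncookie_lifetime'` where an integer lifetime is expected (depending on version the call then either uses 0 or is rejected with a warning and has no effect, so the configured path and domain may never be applied), and on PHP 8 it throws an Error before `session_start()`. Read the configured value instead: `$lifetime = (int) ini_get('session.cookie_lifetime');` then `session_set_cookie_params($lifetime, $session_cookie_path, $cookie_domain);` in the first branch and `session_set_cookie_params($lifetime, $session_cookie_path);` in the second. A short comment that `$cookie_domain` arrives here from conf_init already prefixed with a dot would also help, since the dot test below depends on it. `_drupal_bootstrap` continues outside this hunk.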
diff -urp orig/sites/default/default.settings.php new/sites/default/default.settings.php
--- orig/sites/default/default.settings.php	2007-12-20 01:35:10.000000000 -0800
+++ new/sites/default/default.settings.php	2008-07-30 10:50:51.000000000 -0700
@@ -158,6 +158,21 @@ ini_set('url_rewriter.tags',        '');
 # $cookie_domain = 'example.com';
 
 /**
+ * this is a potential security hole (very weak) -- but still exist!
+ * if your cookie path is entire site but your drupal instance is down
+ * in a sub directory, the cookie should limit itself to THAT directory!
+ * IF NOT, then if anybody else can grab the cookie (say in another directory
+ * that you don't control), they now have a copy of your cookie and can
+ * impersonate YOU on your own site! I've tried to explain this to
+ * the developer at #drupal-dev and -security but they are not getting it!
+ * This security hole is called session hijacking and can happen at several
+ * places (client side, on the wire (during routing), and at the server).
+ * this patch fixes the obvious hole at the server. -- dx9s
+ */
+
+# $session_cookie_path='/'; // can override having drupal figure this out
+
+/**
  * Variable overrides:
  *
  * To override specific entries in the 'variable' table for this site,
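Review bot: The new docblock argues for the setting rather than documenting it: a reader of default.settings.php needs to know what `$session_cookie_path` controls and what happens when it is left unset, and the text never states the default conf_init applies. Suggested replacement for the block: `Path attribute of the session cookie. If left unset, Drupal uses the site's base path, so that a Drupal instance installed in a subdirectory does not send its session cookie to other applications served from the same host. Set it to '/' to share the cookie across the whole site.` With that wording the example line `# $session_cookie_path='/';` reads as the deliberate widening it is, and the references to individual developers and IRC channels should be dropped from a shipped settings file.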
