diff --git a/public/.htaccess b/public/.htaccess
index f43ae24..6219c46 100644
--- a/public/.htaccess
+++ b/public/.htaccess
@@ -3,6 +3,10 @@ DirectoryIndex index.php
 RewriteEngine On
+# Paramètres DokuWiki (?do=media, ?do=export_pdf, etc.) — 410 Gone, jamais de contenu ici
+RewriteCond %{QUERY_STRING} (^|&)do= [NC]
+RewriteRule ^ - [R=410,L]
+
 # Fichiers et répertoires réels servis directement
 RewriteCond %{REQUEST_FILENAME} -f [OR]
 RewriteCond %{REQUEST_FILENAME} -d
diff --git a/public/index.php b/public/index.php
index b1a54dc..e58cdad 100644
--- a/public/index.php
+++ b/public/index.php
@@ -4,11 +4,16 @@ declare(strict_types=1);
 define('BASE_PATH', realpath(__DIR__ . '/../'));
-if (session_status() === PHP_SESSION_NONE) {
+$_sessionName = getenv('SESSION_NAME') ?: 'PHPSESSID';
+if (session_status() === PHP_SESSION_NONE
+ && (isset($_COOKIE[$_sessionName]) || $_SERVER['REQUEST_METHOD'] === 'POST')
+) {
 $isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
+ session_name($_sessionName);
 session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'secure' => $isHttps, 'httponly' => true, 'samesite' => 'Lax']);
 session_start();
 }
+unset($_sessionName);
 require_once BASE_PATH . '/src/helpers.php';
 require_once BASE_PATH . '/src/auth.php';
@@ -1888,10 +1893,10 @@ switch ($action) {
 exit;
 }
- // CSRF
- $csrfOk = isset($_POST['_token'], $_SESSION['comment_csrf'])
- && hash_equals($_SESSION['comment_csrf'], $_POST['_token']);
- unset($_SESSION['comment_csrf']);
+ // CSRF (double-submit cookie — pas de session requise pour les visiteurs)
+ $csrfOk = isset($_POST['_token'], $_COOKIE['_csrf_c'])
+ && hash_equals($_COOKIE['_csrf_c'], $_POST['_token']);
+ setcookie('_csrf_c', '', ['expires' => time() - 3600, 'path' => '/', 'samesite' => 'Strict', 'httponly' => true]);
 if (!$csrfOk) {
 header('Location: /');
 exit;
diff --git a/public/oidc/callback.php b/public/oidc/callback.php
index 25e2251..a538cf6 100644
--- a/public/oidc/callback.php
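Review bot: The new rule runs before the "real files" pass-through and is anchored on `^`, so every request on every path that carries a `do=` query parameter now gets 410 — not only the old DokuWiki URLs but any application route that might use a parameter named `do`. If no live route uses that name the rule is fine, but narrowing it to the values being retired, e.g. `RewriteCond %{QUERY_STRING} (^|&)do=(media|export_pdf) [NC]` (extend with the other wiki actions known to the project), keeps the rest of the query namespace free. Note also that `%{QUERY_STRING}` is matched raw, so a percent-encoded name such as `%64o=` still reaches index.php; that is harmless as long as index.php ignores `do` itself, so treat this rule as a courtesy for stale links rather than a security boundary.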
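Review bot: With the new condition a cookie-less GET never starts a session, yet any later `$_SESSION['x'] = ...` on that path still succeeds silently into a plain array and is discarded at the end of the request — PHP emits no warning when `$_SESSION` is written without `session_start()`. Every `$_SESSION` write reachable from a GET in index.php or the files it includes therefore needs auditing, and the ones that must persist need an explicit start; a small helper that repeats the `session_name` / `session_set_cookie_params` / `session_start` sequence and is called before such writes would keep the lazy behaviour without losing data. The invariant deserves a comment above the `if`, e.g. `// Session is started lazily: only when the client already has one, or on POST. GET handlers must not rely on $_SESSION persisting.`. The cookie-name check also means a session created by the public/oidc/*.php entry points is only recognised here if they use the same SESSION_NAME — bootstrap.php is not in this diff, so worth confirming.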
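Review bot: The double-submit check now trusts whatever `_csrf_c` cookie arrives, and a plain cookie can be planted by anyone able to set cookies for the site's registrable domain (a sibling subdomain, or a plaintext HTTP response for the host), after which the planted value can be copied into a forged form. The usual hardening is to make the cookie un-spoofable: use the `__Host-` prefix (browsers only accept it with `Secure`, `Path=/` and no `Domain`, so it needs HTTPS) or sign the value with a server-side secret, e.g. `$expected = hash_hmac('sha256', $token, $secret);`, and verify the signature before `hash_equals`. `SameSite=Strict` already blocks cross-site POSTs in current browsers, so this is defence in depth for the cookie-injection case rather than a bypass of the check. Separately, the clearing `setcookie` omits `secure` while the issuing call in templates/comments_section.php sets it conditionally; recomputing the same flag here keeps the attribute set identical. The enclosing `switch` case starts before the hunk.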
+++ b/public/oidc/callback.php
@@ -2,6 +2,9 @@ declare(strict_types=1);
+if (!defined('BASE_PATH')) {
+ define('BASE_PATH', dirname(__DIR__, 2));
+}
 require_once dirname(__DIR__, 2) . '/vendor/autoload.php';
 require_once dirname(__DIR__, 2) . '/config/config.php';
 require_once dirname(__DIR__, 2) . '/bootstrap.php';
diff --git a/public/oidc/me.php b/public/oidc/me.php
index 87b9708..0d4816f 100644
--- a/public/oidc/me.php
+++ b/public/oidc/me.php
@@ -4,6 +4,9 @@ // version : 20251005
 declare(strict_types=1);
+if (!defined('BASE_PATH')) {
+ define('BASE_PATH', dirname(__DIR__, 2));
+}
 require_once dirname(__DIR__, 2) . '/vendor/autoload.php';
 require_once dirname(__DIR__, 2) . '/config/config.php';
 require_once dirname(__DIR__, 2) . '/bootstrap.php';
diff --git a/public/oidc/start.php b/public/oidc/start.php
index a09ee50..fb823bd 100644
--- a/public/oidc/start.php
+++ b/public/oidc/start.php
@@ -2,6 +2,9 @@ declare(strict_types=1);
+if (!defined('BASE_PATH')) {
+ define('BASE_PATH', dirname(__DIR__, 2));
+}
 require_once dirname(__DIR__, 2) . '/vendor/autoload.php';
 require_once dirname(__DIR__, 2) . '/config/config.php';
 require_once dirname(__DIR__, 2) . '/bootstrap.php';
diff --git a/templates/comments_section.php b/templates/comments_section.php
index e131a8a..f6af609 100644
--- a/templates/comments_section.php
+++ b/templates/comments_section.php
@@ -15,7 +15,13 @@ $_reactionDefs = [
 ];
 $_csrfToken = bin2hex(random_bytes(16));
-$_SESSION['comment_csrf'] = $_csrfToken;
+setcookie('_csrf_c', $_csrfToken, [
+ 'expires' => 0,
+ 'path' => '/',
+ 'secure' => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
+ 'httponly' => true,
+ 'samesite' => 'Strict',
+]);
 ?>
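Review bot: The guard defines `BASE_PATH` as `dirname(__DIR__, 2)` while public/index.php defines it as `realpath(__DIR__ . '/../')`; presumably both name the project root, but `realpath` resolves symlinks and `dirname` does not, so the two spellings can diverge on a symlinked deployment and one form should be used everywhere. The three `require_once dirname(__DIR__, 2) . ...` lines directly beneath could also use the constant just defined instead of repeating the expression. A one-line comment explaining why the definition is conditional (these scripts appear to be reachable both directly and through index.php, which I cannot confirm from the diff) would help the next reader. The same applies to the identical hunks in public/oidc/me.php and public/oidc/start.php.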
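Review bot: `setcookie()` only works while no output has been sent; if this partial is rendered after the page has started streaming and no output buffering is active, the call returns false with a "headers already sent" warning, the `_csrf_c` cookie never reaches the browser, and every comment POST then fails the check in public/index.php and is redirected to `/`. The include site is not in this diff, so either confirm output buffering is on, move the cookie issuance into the controller before rendering, or at least check the return value, e.g. `if (!setcookie('_csrf_c', $_csrfToken, [...])) { error_log('comments: CSRF cookie not set (headers already sent?)'); }`. As with the previous session-based token, the value is regenerated on every render and consumed on every POST, so a form submitted from an older tab is rejected once a newer page has been rendered — worth a short comment above `$_csrfToken`. The issuing cookie sets `secure` conditionally while the clearing call in public/index.php does not; the two attribute sets should match.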