GHSA-745p-r637-7vvp: Codeigniter4's Secure or HttpOnly flag set in Config\Cookie is not reflected in Cookies issued
Impact
Setting $secure or $httponly value to true in Config\Cookie is not reflected in set_cookie() or Response::setCookie().
Note: This vulnerability does not affect session cookies.
The following code does not issue a cookie with the secure flag even if you set $secure = true in Config\Cookie.
helper('cookie');
$cookie = [
'name' => $name,
'value' => $value,
];
set_cookie($cookie);
// or
$this->response->setCookie($cookie);
Patches
Upgrade to v4.2.7 or later.
Workarounds
- Specify the options explicitly.
helper('cookie');
$cookie = [
'name' => $name,
'value' => $value,
'secure' => true,
'httponly' => true,
];
set_cookie($cookie);
// or
$this->response->setCookie($cookie);
- Use a Cookie object.
use CodeIgniter\Cookie\Cookie;
helper('cookie');
$cookie = new Cookie($name, $value);
set_cookie($cookie);
// or
$this->response->setCookie($cookie);
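As an added example (not code from the advisory or from the CodeIgniter project), two plain-PHP helpers: one makes the first workaround systematic by merging the flags you expect from Config\Cookie into the option array, the other audits a response's Set-Cookie headers so a test can catch an affected version. The helper names, the $defaults shape and the sample headers are constructed for illustration.

```php
<?php
// Added example, not part of the advisory or the CodeIgniter framework.

/**
 * Workaround 1 made systematic: copy the flags you expect from Config\Cookie
 * into the array handed to set_cookie() / Response::setCookie(), so they are
 * present even on versions < 4.2.7. $defaults is assumed to hold the relevant
 * Config\Cookie values, e.g. ['secure' => true, 'httponly' => true].
 * Keys the caller already set are left untouched.
 */
function withCookieDefaults(array $cookie, array $defaults): array
{
    foreach (['secure', 'httponly', 'samesite', 'path', 'domain'] as $key) {
        if (! array_key_exists($key, $cookie) && array_key_exists($key, $defaults)) {
            $cookie[$key] = $defaults[$key];
        }
    }
    return $cookie;
}

/**
 * Regression check: given the raw Set-Cookie header values of a response,
 * return, per cookie name, which of the Secure / HttpOnly attributes is missing.
 * An empty array means every cookie carries both flags.
 */
function cookiesMissingFlags(array $setCookieHeaders): array
{
    $missing = [];
    foreach ($setCookieHeaders as $header) {
        $parts = array_map('trim', explode(';', $header));
        $name  = explode('=', array_shift($parts), 2)[0];   // "name=value" -> name
        $attrs = array_map('strtolower', $parts);           // attribute names are case-insensitive
        $lacks = [];
        if (! in_array('secure', $attrs, true))   { $lacks[] = 'Secure'; }
        if (! in_array('httponly', $attrs, true)) { $lacks[] = 'HttpOnly'; }
        if ($lacks !== []) {
            $missing[$name] = $lacks;
        }
    }
    return $missing;
}

// Constructed sample headers: the first lacks both flags, the second has them.
$headers = [
    'remember=abc123; Path=/; SameSite=Lax',
    'prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax',
];
var_dump(cookiesMissingFlags($headers));

var_dump(withCookieDefaults(['name' => 'remember', 'value' => 'abc123'],
                            ['secure' => true, 'httponly' => true]));
```

Feed cookiesMissingFlags() the Set-Cookie headers captured from a real response in an integration test and fail the test when it returns a non-empty array.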
References
- https://codeigniter4.github.io/userguide/helpers/cookie_helper.html#set_cookie
- https://codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter\HTTP\Response::setCookie
For more information
If you have any questions or comments about this advisory:
- Open an issue in codeigniter4/CodeIgniter4
- Email us at SECURITY.md
Low severity. GitHub Reviewed. Published Oct 6, 2022 in codeigniter4/CodeIgniter4.
Package: codeigniter4/framework (Composer)
Affected versions: < 4.2.7
Patched versions: 4.2.7
References
- GHSA-745p-r637-7vvp
- codeigniter4/CodeIgniter4#6540
- codeigniter4/CodeIgniter4#6544
MGatner published the maintainer security advisory on Oct 6, 2022.
Severity
Low (2.6 / 10)
CVSS base metrics
- Attack vector: Network
- Attack complexity: High
- Privileges required: Low
- User interaction: Required
- Scope: Unchanged
- Confidentiality: Low
- Integrity: None
- Availability: None
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Weaknesses: CWE-665
CVE ID: CVE-2022-39284
GHSA ID: GHSA-745p-r637-7vvp
Source code: codeigniter4/CodeIgniter4
Related news
CodeIgniter is a PHP full-stack web framework. In versions prior to 4.2.7 setting `$secure` or `$httponly` value to `true` in `Config\Cookie` is not reflected in `set_cookie()` or `Response::setCookie()`. As a result cookie values are erroneously exposed to scripts. It should be noted that this vulnerability does not affect session cookies. Users are advised to upgrade to v4.2.7 or later. Users unable to upgrade are advised to manually construct their cookies either by setting the options in code or by constructing Cookie objects. Examples of each workaround are available in the linked GHSA.