|
|
@@ -11,7 +11,7 @@
|
|
|
>
|
|
|
> Each finding is referenced as **F<N>** for later citation.
|
|
|
>
|
|
|
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (7 fixed, 35 open).
|
|
|
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (8 fixed, 34 open).
|
|
|
|
|
|
---
|
|
|
|
|
|
@@ -1370,6 +1370,24 @@
|
|
|
hardening: regenerate the CSRF token on login/logout. (`clear()`
|
|
|
resets `$_SESSION` to `[]` so logout is fine.)
|
|
|
- **Severity: 1**
|
|
|
+- **Status:** Fixed. `SessionManager::regenerateId()` now also drops
|
|
|
+ the `_csrf` slot on both branches (HTTP `session_regenerate_id(true)`
|
|
|
+ and the CLI `rotateIdUnderCli` fallback). `CsrfMiddleware` lazily
|
|
|
+ mints a fresh token on the next request when the slot is missing,
|
|
|
+ and every call site of `regenerateId()` is followed by a 303 / 302
|
|
|
+ redirect (no template render in the same request), so the next
|
|
|
+ protected GET re-issues a clean token before any state-changing
|
|
|
+ request. `clear()` already wipes `$_SESSION` outright on logout, so
|
|
|
+ the rotate-on-id-rotate hook on `regenerateId` covers the login
|
|
|
+ direction; an attacker who scraped the pre-auth token via Referer
|
|
|
+ or a sub-resource leak cannot replay it post-auth. New `KEY_CSRF`
|
|
|
+ constant on `SessionManager` mirrors `CsrfMiddleware::SESSION_KEY`
|
|
|
+ to avoid a domain → http-layer dependency. Regression tests in
|
|
|
+ `ui/tests/Unit/Auth/SessionManagerTest.php`
|
|
|
+ (`testRegenerateIdRotatesCsrfTokenInCliMode` /
|
|
|
+ `…InHttpMode`) and end-to-end through Slim in
|
|
|
+ `ui/tests/Integration/Auth/LocalLoginTest.php`
|
|
|
+ (`testCsrfTokenIsRotatedAcrossLoginPrivilegeBoundary`).
|
|
|
|
|
|
### F41 — Reporter / consumer `audit_enabled` is mass-assignable via PATCH
|
|
|
- **Files:** `api/src/Application/Admin/ReportersController.php:178-184`,
|
chiappa