From fe5342038dde85166a04f97e398f73f235cccf1e Mon Sep 17 00:00:00 2001
From: Arcturus <github@drk.st>
Date: Sat, 5 Oct 2024 05:51:05 +0900
Subject: [PATCH] patch secure:
 https://github.com/gnuboard/gnuboard5/commit/c869f29f0d58ddc49d0921bb5eba137ed9175f0b

---
 AvocadoEdition_Light/common.php                   |  7 ++++++-
 AvocadoEdition_Light/lib/common.lib.php           | 15 +++++++++++++--
 .../skin/member/basic/login.skin.php              |  9 ++++-----
 3 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/AvocadoEdition_Light/common.php b/AvocadoEdition_Light/common.php
index 9494a64..068ac3e 100644
--- a/AvocadoEdition_Light/common.php
+++ b/AvocadoEdition_Light/common.php
@@ -401,7 +401,12 @@ ini_set("session.gc_maxlifetime", 10800); // session data의 garbage collection
 ini_set("session.gc_probability", 1); // session.gc_probability는 session.gc_divisor와 연계하여 gc(쓰레기 수거) 루틴의 시작 확률을 관리합니다. 기본값은 1입니다. 자세한 내용은 session.gc_divisor를 참고하십시오.
 ini_set("session.gc_divisor", 100); // session.gc_divisor는 session.gc_probability와 결합하여 각 세션 초기화 시에 gc(쓰레기 수거) 프로세스를 시작할 확률을 정의합니다. 확률은 gc_probability/gc_divisor를 사용하여 계산합니다. 즉, 1/100은 각 요청시에 GC 프로세스를 시작할 확률이 1%입니다. session.gc_divisor의 기본값은 100입니다.
 
-session_set_cookie_params(0, '/', null, false, true);
+if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
+  session_set_cookie_params(0, '/', null, true, true);
+} else {
+  session_set_cookie_params(0, '/', null, false, true);
+}
+
 ini_set("session.cookie_domain", G5_COOKIE_DOMAIN);
 
 @session_start();
diff --git a/AvocadoEdition_Light/lib/common.lib.php b/AvocadoEdition_Light/lib/common.lib.php
index a8dfc5a..4e5def3 100644
--- a/AvocadoEdition_Light/lib/common.lib.php
+++ b/AvocadoEdition_Light/lib/common.lib.php
@@ -140,11 +140,22 @@ function get_session($session_name)
 
 
 // 쿠키변수 생성
-function set_cookie($cookie_name, $value, $expire)
+function set_cookie($cookie_name, $value, $expire, $path = '/', $domain = G5_COOKIE_DOMAIN, $secure = false, $httponly = true)
 {
   global $g5;
 
-  setcookie(md5($cookie_name), base64_encode($value), G5_SERVER_TIME + $expire, '/', G5_COOKIE_DOMAIN);
+  $c = run_replace('set_cookie_params', [
+    'path' => $path,
+    'domain' => $domain,
+    'secure' => $secure,
+    'httponly' => $httponly
+  ], $cookie_name);
+
+  if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
+    $c['secure'] = true;
+  }
+
+  setcookie(md5($cookie_name), base64_encode($value), G5_SERVER_TIME + $expire, $c['path'], $c['domain'], $c['secure'], $c['httponly']);
 }
 
 
diff --git a/AvocadoEdition_Light/skin/member/basic/login.skin.php b/AvocadoEdition_Light/skin/member/basic/login.skin.php
index c30b86a..8c6c364 100644
--- a/AvocadoEdition_Light/skin/member/basic/login.skin.php
+++ b/AvocadoEdition_Light/skin/member/basic/login.skin.php
@@ -2,19 +2,17 @@
 if (!defined('_GNUBOARD_'))
   exit; // 개별 페이지 접근 불가
 if (strstr($url, 'adm')) {
-  include_once($member_skin_path . '/login.admin.skin.php');
+  include_once $member_skin_path . '/login.admin.skin.php';
 } else {
-
   add_stylesheet('<link rel="stylesheet" href="' . G5_CSS_URL . '/login.css">', 0);
 
-
   /*********** Logo Data ************/
   $logo = get_logo();
   $m_logo = get_logo();
 
   $logo_data = "";
   if ($logo)
-    $logo_data .= "<img src='" . $logo . "' />";
+    $logo_data .= "<img src='{$logo}' />";
   /*********************************/
   ?>
   <div class="loginWrap">
@@ -52,4 +50,5 @@ if (strstr($url, 'adm')) {
     }
   </script>
   <!-- } 로그인 끝 -->
-<?php } ?>
+<?php
+}