From 783c6905dda24277fa66161fe9bb2f19d5b3535a Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 21 Jan 2025 13:19:21 +0000 Subject: [PATCH] Security: Set the HttpOnly flag for the test cookie and the `wp_lang` cookie on the login screen. These cookies are only accessed server-side and don't need to be exposed to JavaScript in the browser. Props earthman100, kevinlearynet Fixes #61322 Built from https://develop.svn.wordpress.org/trunk@59671 git-svn-id: http://core.svn.wordpress.org/trunk@59014 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/version.php | 2 +- wp-login.php | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/wp-includes/version.php b/wp-includes/version.php index b8045579e0..82d0150bdb 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -16,7 +16,7 @@ * * @global string $wp_version */ -$wp_version = '6.8-alpha-59670'; +$wp_version = '6.8-alpha-59671'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. diff --git a/wp-login.php b/wp-login.php index fb419ac445..c1b06bbc3b 100644 --- a/wp-login.php +++ b/wp-login.php @@ -528,14 +528,14 @@ if ( defined( 'RELOCATE' ) && RELOCATE ) { // Move flag is set. // Set a cookie now to see if they are supported by the browser. $secure = ( 'https' === parse_url( wp_login_url(), PHP_URL_SCHEME ) ); -setcookie( TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN, $secure ); +setcookie( TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true ); if ( SITECOOKIEPATH !== COOKIEPATH ) { - setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN, $secure ); + setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN, $secure, true ); } if ( isset( $_GET['wp_lang'] ) ) { - setcookie( 'wp_lang', sanitize_text_field( $_GET['wp_lang'] ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure ); + setcookie( 'wp_lang', sanitize_text_field( $_GET['wp_lang'] ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true ); } /**