bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
From: Alain Schneble
Subject: bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
Date: Sat, 22 Oct 2016 15:58:43 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1.50 (windows-nt)
Alain Schneble <a.s@realize.ch> writes:
> I would be happy to arrange a patch to solve this issue, but would like
> first to discuss which approach to choose:
>
> 1. Simply ignore any HttpOnly attribute/flag on a Set-Cookie header
> value.
Following the first approach above, I propose to apply this patch:
From cf934b9c5d214e0853feef2d8ba42582eb5af5be Mon Sep 17 00:00:00 2001
From: Alain Schneble <a.s@realize.ch>
Date: Sat, 22 Oct 2016 15:43:11 +0200
Subject: [PATCH] Eliminate phantom HttpOnly cookie (Bug#24757)
* lisp/url/url-cookie.el (url-cookie-handle-set-cookie): Remove HttpOnly
attribute from the list of cookie name-value-pairs if it's present in a
Set-Cookie header value.
---
lisp/url/url-cookie.el | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/lisp/url/url-cookie.el b/lisp/url/url-cookie.el
index 6848230..e22bc40 100644
--- a/lisp/url/url-cookie.el
+++ b/lisp/url/url-cookie.el
@@ -245,6 +245,12 @@ url-cookie-handle-set-cookie
(let* ((args (url-parse-args str t))
(case-fold-search t)
(secure (and (assoc-string "secure" args t) t))
+ ;; HttpOnly attribute was introduced in RFC6265. Treat it as
+ ;; a cookie name if it appears on the left hand side of a
+ ;; cookie name-value-pair (i.e. HttpCookie=<value>). Only
+ ;; treat it as HttpOnly flag if it stands alone.
+ (httponly-attribute (assoc-string "httponly" args t))
+ (httponly (and httponly-attribute (not (cdr httponly-attribute))))
(domain (or (cdr-safe (assoc-string "domain" args t))
(url-host url-current-object)))
(current-url (url-view-url t))
@@ -257,7 +263,9 @@ url-cookie-handle-set-cookie
(rest nil))
(dolist (this args)
(or (member (downcase (car this)) '("secure" "domain" "expires" "path"))
- (setq rest (cons this rest))))
+ ;; Accounts for the special case where HttpOnly is used as cookie
name.
+ (and (equal (downcase (car this)) "httponly") httponly)
+ (setq rest (cons this rest))))
;; Sometimes we get dates that the timezone package cannot handle very
;; gracefully - take care of this here, instead of in url-cookie-expired-p
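Review bot: the new clause `(and (equal (downcase (car this)) "httponly") httponly)` keys on the name alone, so when a single Set-Cookie header carries both a bare HttpOnly flag and a `HttpOnly=<value>` pair, the flag makes `httponly` non-nil and both entries are dropped, contradicting the first hunk's comment that `HttpOnly=<value>` is to be kept as a cookie. Testing the pair itself, `(and (equal (downcase (car this)) "httponly") (null (cdr this)))`, drops exactly the bare attribute and makes the separate `httponly` binding unnecessary. Two smaller points: the comment line "name." as it appears here has lost its leading `+` and `;;`, so the hunk will not apply in this form; and "Accounts for" should be "Account for" to match the imperative style of the surrounding comments.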
--
2.9.1
Could you please consider committing it to the 25.1 branch?
Thanks,
Alain