From: Alain Schneble <a.s@realize.ch>
To: <24757@debbugs.gnu.org>
Subject: bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
Date: Sat, 22 Oct 2016 15:58:43 +0200 [thread overview]
Message-ID: <86y41g4h9o.fsf@realize.ch> (raw)
In-Reply-To: <8637jp64ow.fsf@realize.ch> (Alain Schneble's message of "Fri, 21 Oct 2016 18:35:11 +0200")
[-- Attachment #1: Type: text/plain, Size: 313 bytes --]
Alain Schneble <a.s@realize.ch> writes:
> I would be happy to arrange a patch to solve this issue, but would like
> first to discuss which approach to choose:
>
> 1. Simply ignore any HttpOnly attribute/flag on a Set-Cookie header
> value.
Following the first approach above, I propose to apply this patch:
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: Eliminate-phantom-HttpOnly-cookie-Bug-24757 --]
[-- Type: text/x-patch, Size: 1893 bytes --]
From cf934b9c5d214e0853feef2d8ba42582eb5af5be Mon Sep 17 00:00:00 2001
From: Alain Schneble <a.s@realize.ch>
Date: Sat, 22 Oct 2016 15:43:11 +0200
Subject: [PATCH] Eliminate phantom HttpOnly cookie (Bug#24757)
* lisp/url/url-cookie.el (url-cookie-handle-set-cookie): Remove HttpOnly
attribute from the list of cookie name-value-pairs if it's present in a
Set-Cookie header value.
---
lisp/url/url-cookie.el | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/lisp/url/url-cookie.el b/lisp/url/url-cookie.el
index 6848230..e22bc40 100644
--- a/lisp/url/url-cookie.el
+++ b/lisp/url/url-cookie.el
@@ -245,6 +245,12 @@ url-cookie-handle-set-cookie
(let* ((args (url-parse-args str t))
(case-fold-search t)
(secure (and (assoc-string "secure" args t) t))
+ ;; HttpOnly attribute was introduced in RFC6265. Treat it as
+ ;; a cookie name if it appears on the left hand side of a
+ ;; cookie name-value-pair (i.e. HttpCookie=<value>). Only
+ ;; treat it as HttpOnly flag if it stands alone.
+ (httponly-attribute (assoc-string "httponly" args t))
+ (httponly (and httponly-attribute (not (cdr httponly-attribute))))
(domain (or (cdr-safe (assoc-string "domain" args t))
(url-host url-current-object)))
(current-url (url-view-url t))
@@ -257,7 +263,9 @@ url-cookie-handle-set-cookie
(rest nil))
(dolist (this args)
(or (member (downcase (car this)) '("secure" "domain" "expires" "path"))
- (setq rest (cons this rest))))
+ ;; Accounts for the special case where HttpOnly is used as cookie name.
+ (and (equal (downcase (car this)) "httponly") httponly)
+ (setq rest (cons this rest))))
;; Sometimes we get dates that the timezone package cannot handle very
;; gracefully - take care of this here, instead of in url-cookie-expired-p
--
2.9.1
[-- Attachment #3: Type: text/plain, Size: 76 bytes --]
Could you please consider committing it to the 25.1 branch?
Thanks,
Alain
next prev parent reply other threads:[~2016-10-22 13:58 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-21 16:35 bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly Alain Schneble
2016-10-22 13:58 ` Alain Schneble [this message]
2017-12-06 11:46 ` Noam Postavsky
2017-12-06 22:47 ` Katsumi Yamaoka
2018-04-15 19:47 ` Lars Ingebrigtsen
2018-07-31 2:08 ` Noam Postavsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=86y41g4h9o.fsf@realize.ch \
--to=a.s@realize.ch \
--cc=24757@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).