From mboxrd@z Thu Jan 1 00:00:00 1970
From: Alain Schneble
Newsgroups: gmane.emacs.bugs
Subject: bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
Date: Sat, 22 Oct 2016 15:58:43 +0200
Message-ID: <86y41g4h9o.fsf@realize.ch>
References: <8637jp64ow.fsf@realize.ch>
In-Reply-To: <8637jp64ow.fsf@realize.ch> (Alain Schneble's message of "Fri, 21 Oct 2016 18:35:11 +0200")
To: <24757@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
X-GNU-PR-Message: followup 24757
X-GNU-PR-Package: emacs
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1.50 (windows-nt)
List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Xref: news.gmane.org
gmane.emacs.bugs:124825 Archived-At: --=-=-= Content-Type: text/plain Alain Schneble writes: > I would be happy to arrange a patch to solve this issue, but would like > first to discuss which approach to choose: > > 1. Simply ignore any HttpOnly attribute/flag on a Set-Cookie header > value. Following the first approach above, I propose to apply this patch: --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename="0001-Eliminate-phantom-HttpOnly-cookie-Bug-24757-2.patch" Content-Description: Eliminate-phantom-HttpOnly-cookie-Bug-24757 >From cf934b9c5d214e0853feef2d8ba42582eb5af5be Mon Sep 17 00:00:00 2001 From: Alain Schneble Date: Sat, 22 Oct 2016 15:43:11 +0200 Subject: [PATCH] Eliminate phantom HttpOnly cookie (Bug#24757) * lisp/url/url-cookie.el (url-cookie-handle-set-cookie): Remove HttpOnly attribute from the list of cookie name-value-pairs if it's present in a Set-Cookie header value. --- lisp/url/url-cookie.el | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/lisp/url/url-cookie.el b/lisp/url/url-cookie.el index 6848230..e22bc40 100644 --- a/lisp/url/url-cookie.el +++ b/lisp/url/url-cookie.el @@ -245,6 +245,12 @@ url-cookie-handle-set-cookie (let* ((args (url-parse-args str t)) (case-fold-search t) (secure (and (assoc-string "secure" args t) t)) + ;; HttpOnly attribute was introduced in RFC6265. Treat it as + ;; a cookie name if it appears on the left hand side of a + ;; cookie name-value-pair (i.e. HttpCookie=). Only + ;; treat it as HttpOnly flag if it stands alone. + (httponly-attribute (assoc-string "httponly" args t)) + (httponly (and httponly-attribute (not (cdr httponly-attribute)))) (domain (or (cdr-safe (assoc-string "domain" args t)) (url-host url-current-object))) (current-url (url-view-url t)) 
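Review bot: `(assoc-string "httponly" args t)` in the new `let*` bindings returns only the first entry whose name matches, so `httponly` reflects whichever of a named cookie (`HttpOnly=1`) or the bare flag (`HttpOnly`) comes first in the header; for a value such as `HttpOnly=1; Path=/; HttpOnly` the flag is nil and the bare entry is not filtered later, which leaves exactly the phantom cookie this patch is meant to eliminate. The decision should be taken per entry rather than from one lookup. The accompanying comment also names the wrong attribute: `(i.e. HttpCookie=)` should read `(e.g. HttpOnly=<value>)`, since HttpOnly is what the binding inspects. Note too the asymmetry with the existing `secure` binding, which sets the flag whether or not `secure` carries a value; if HttpOnly is deliberately handled more strictly, the comment should say so.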
@@ -257,7 +263,9 @@ url-cookie-handle-set-cookie (rest nil)) (dolist (this args) (or (member (downcase (car this)) '("secure" "domain" "expires" "path")) - (setq rest (cons this rest)))) + ;; Accounts for the special case where HttpOnly is used as cookie name. + (and (equal (downcase (car this)) "httponly") httponly) + (setq rest (cons this rest)))) ;; Sometimes we get dates that the timezone package cannot handle very ;; gracefully - take care of this here, instead of in url-cookie-expired-p -- 2.9.1 --=-=-= Content-Type: text/plain Could you please consider committing it to the 25.1 branch? Thanks, Alain --=-=-=--
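Review bot: the new clause in the `dolist` decides for every entry from the single let-bound `httponly` flag instead of from the entry itself, so all entries named httponly are dropped together or kept together. Testing the entry directly, e.g. `(and (equal (downcase (car this)) "httponly") (null (cdr this)))`, drops only a bare `HttpOnly`, keeps a cookie literally named HttpOnly, handles a header that carries both, and makes the `httponly-attribute` and `httponly` bindings added in the first hunk unnecessary, since nothing else in the patch reads them. The comment above the clause would also be clearer stated as intent ("drop a bare HttpOnly flag; a cookie actually named HttpOnly is kept") rather than "Accounts for the special case".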
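As an added example, not part of Alain's message or of url-cookie.el: a stand-alone Emacs Lisp parser that applies approach 1 from the quoted discussion (ignore the HttpOnly flag) per token, so a bare `HttpOnly` is dropped while a cookie literally named HttpOnly survives, including when both appear in one header. The `cookie-demo-` names are hypothetical; the code splits the header itself with `split-string` rather than calling `url-parse-args`, and it stops at the HttpOnly decision, leaving attributes such as Path and Expires in the alist for the caller to handle as url-cookie.el does.

```elisp
;; Added illustration for bug#24757; not code from url-cookie.el.
(require 'subr-x)   ; string-trim
(require 'ert)

(defun cookie-demo-split-pair (token)
  "Split TOKEN into (NAME . VALUE).
A bare token such as \"HttpOnly\" yields (\"HttpOnly\" . nil).
\"HttpOnly=\" yields (\"HttpOnly\" . \"\"): a cookie with an empty
value, not a flag, which is the distinction the patch above draws."
  (let ((eq-pos (string-match-p "=" token)))
    (if eq-pos
        (cons (string-trim (substring token 0 eq-pos))
              (string-trim (substring token (1+ eq-pos))))
      (cons (string-trim token) nil))))

(defun cookie-demo-parse-set-cookie (header)
  "Return the (NAME . VALUE) pairs of a Set-Cookie HEADER value,
minus any bare HttpOnly flag.  The decision is made per token, so a
header carrying both \"HttpOnly=1\" and a bare \"HttpOnly\" keeps only
the named cookie instead of producing a phantom one."
  (let ((result nil))
    (dolist (token (split-string header ";" t "[ \t]+") (nreverse result))
      (let ((pair (cookie-demo-split-pair token)))
        ;; Drop the entry only when its name is HttpOnly (any case) AND
        ;; no \"=\" followed it; everything else passes through unchanged.
        (unless (and (equal (downcase (car pair)) "httponly")
                     (null (cdr pair)))
          (push pair result))))))

;; Constructed sample headers covering the three cases.
(ert-deftest cookie-demo-httponly-handling ()
  ;; Ordinary flag: dropped.
  (should (equal (cookie-demo-parse-set-cookie "sid=abc; Path=/; HttpOnly")
                 '(("sid" . "abc") ("Path" . "/"))))
  ;; Cookie whose name is HttpOnly: kept, value intact.
  (should (equal (cookie-demo-parse-set-cookie "HttpOnly=1; Path=/")
                 '(("HttpOnly" . "1") ("Path" . "/"))))
  ;; Both in one header: the named cookie stays, the bare flag goes.
  (should (equal (cookie-demo-parse-set-cookie "HttpOnly=1; Path=/; httponly")
                 '(("HttpOnly" . "1") ("Path" . "/"))))
  ;; Empty value is still a value: treated as a cookie, not a flag.
  (should (equal (cookie-demo-parse-set-cookie "HttpOnly=; Path=/")
                 '(("HttpOnly" . "") ("Path" . "/")))))
```

Evaluate the buffer and run `M-x ert RET cookie-demo-httponly-handling RET` (or `emacs --batch -l file.el -f ert-run-tests-batch-and-exit`). Because the check is per token, there is no separate flag variable to get out of step with the entries, which is the simplification suggested in the review note on the second hunk.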