
bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly

From: Alain Schneble
Subject: bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
Date: Sat, 22 Oct 2016 15:58:43 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1.50 (windows-nt)

Alain Schneble <address@hidden> writes:

> I would be happy to arrange a patch to solve this issue, but would like
> first to discuss which approach to choose:
> 1. Simply ignore any HttpOnly attribute/flag on a Set-Cookie header
>    value.

Following the first approach above, I propose to apply this patch:

From cf934b9c5d214e0853feef2d8ba42582eb5af5be Mon Sep 17 00:00:00 2001
From: Alain Schneble <address@hidden>
Date: Sat, 22 Oct 2016 15:43:11 +0200
Subject: [PATCH] Eliminate phantom HttpOnly cookie (Bug#24757)

* lisp/url/url-cookie.el (url-cookie-handle-set-cookie): Remove HttpOnly
attribute from the list of cookie name-value-pairs if it's present in a
Set-Cookie header value.
 lisp/url/url-cookie.el | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lisp/url/url-cookie.el b/lisp/url/url-cookie.el
index 6848230..e22bc40 100644
--- a/lisp/url/url-cookie.el
+++ b/lisp/url/url-cookie.el
@@ -245,6 +245,12 @@ url-cookie-handle-set-cookie
   (let* ((args (url-parse-args str t))
         (case-fold-search t)
         (secure (and (assoc-string "secure" args t) t))
+         ;; HttpOnly attribute was introduced in RFC6265.  Treat it as
+         ;; a cookie name if it appears on the left hand side of a
+         ;; cookie name-value-pair (i.e. HttpCookie=<value>).  Only
+         ;; treat it as HttpOnly flag if it stands alone.
+         (httponly-attribute (assoc-string "httponly" args t))
+         (httponly (and httponly-attribute (not (cdr httponly-attribute))))
         (domain (or (cdr-safe (assoc-string "domain" args t))
                     (url-host url-current-object)))
         (current-url (url-view-url t))
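Review bot: the comment's example "HttpCookie=<value>" names the wrong attribute; it should read "HttpOnly=<value>" so the rule it states (treat it as a cookie name when it is the left-hand side of a name-value pair) matches the `assoc-string "httponly"` lookup below it. The `httponly` binding also depends on `url-parse-args` returning a nil cdr for an attribute written without `=`, which is what separates a bare flag from `HttpOnly=` with an empty value; that assumption deserves a word in the comment, since the whole phantom-cookie fix rests on it.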
@@ -257,7 +263,9 @@ url-cookie-handle-set-cookie
         (rest nil))
     (dolist (this args)
       (or (member (downcase (car this)) '("secure" "domain" "expires" "path"))
-         (setq rest (cons this rest))))
+          ;; Accounts for the special case where HttpOnly is used as cookie 
+          (and (equal (downcase (car this)) "httponly") httponly)
+          (setq rest (cons this rest))))
     ;; Sometimes we get dates that the timezone package cannot handle very
     ;; gracefully - take care of this here, instead of in url-cookie-expired-p
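Review bot: the comment on the first added line here is cut off mid-sentence ("... where HttpOnly is used as cookie ") and carries trailing whitespace; finish the sentence and strip the space. There is also a mismatch between the two hunks: `httponly` is computed from the first `assoc-string` match, but this loop drops every arg named httponly once that flag is set, so a header carrying both a bare `HttpOnly` and an `HttpOnly=<value>` pair would lose the named cookie as well. If that case matters, test the element itself instead of the precomputed flag, e.g. `(and (equal (downcase (car this)) "httponly") (not (cdr this)))`, which then also makes the `httponly` binding in the first hunk unnecessary.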

Could you please consider committing it to the 25.1 branch?

