Package: libapache2-request-perl
Version: 2.08-4
Severity: wishlist
As best I can tell libapreq2 has no direct way to add the
HttpOnly flag to the cookies it sets. Although browser support for this
feature is not universal, it is a useful measure to limit the impact of
cross-site scripting attacks in supported browsers.
http://msdn.microsoft.com/en-us/library/ms533046.aspx provides
some information on the attribute's syntax and on browser support.
Thanks,
Robert Stone
diff -Naur libapreq2-2.08.old/glue/perl/lib/Apache2/Cookie.pm libapreq2-2.08/glue/perl/lib/Apache2/Cookie.pm
--- libapreq2-2.08.old/glue/perl/lib/Apache2/Cookie.pm 2006-08-08 21:26:45.000000000 -0700
+++ libapreq2-2.08/glue/perl/lib/Apache2/Cookie.pm 2008-07-14 12:06:05.000000000 -0700
@@ -436,6 +436,20 @@
+=head2 httponly
+
+ $cookie->httponly()
+ $cookie->httponly($set)
+
+Get or set the HttpOnly flag for the cookie:
+
+ $cookie->httponly(1);
+ $is_HttpOnly = $cookie->httponly;
+ $cookie->httponly(0);
+
+
+
+
=head2 comment
$cookie->comment()
diff -Naur libapreq2-2.08.old/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.pod libapreq2-2.08/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.pod
--- libapreq2-2.08.old/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.pod 2006-08-08 21:26:45.000000000 -0700
+++ libapreq2-2.08/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.pod 2008-07-14 12:08:26.000000000 -0700
@@ -117,6 +117,8 @@
=item -secure
+=item -httponly
+
=item -version
=item -path
@@ -235,6 +237,28 @@
+=head2 httponly
+
+ $cookie->httponly()
+ $cookie->httponly($set)
+
+
+Get/set the cookie's HttpOnly flag.
+
+=for example begin
+
+ $cookie->httponly(1);
+ ok $cookie->httponly == 1;
+
+=for example end
+
+=for example_testing
+ $cookie->httponly(0);
+ is $cookie->httponly, 0, "HttpOnly";
+
+
+
+
=head2 version
$cookie->version()
diff -Naur libapreq2-2.08.old/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.xs libapreq2-2.08/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.xs
--- libapreq2-2.08.old/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.xs 2006-08-08 21:26:45.000000000 -0700
+++ libapreq2-2.08/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.xs 2008-07-14 12:09:34.000000000 -0700
@@ -74,6 +74,23 @@
RETVAL
UV
+httponly(obj, val=NULL)
+ APR::Request::Cookie obj
+ SV *val
+
+ CODE:
+ RETVAL = apreq_cookie_is_httponly(obj);
+ if (items == 2) {
+ if (SvTRUE(val))
+ apreq_cookie_httponly_on(obj);
+ else
+ apreq_cookie_httponly_off(obj);
+ }
+
+ OUTPUT:
+ RETVAL
+
+UV
version(obj, val=0)
APR::Request::Cookie obj
UV val
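Review bot: `RETVAL` is taken from `apreq_cookie_is_httponly(obj)` before the `items == 2` branch writes the flag, so `$cookie->httponly(1)` returns the previous state rather than the value just set. The POD added to Cookie.pm in this same patch does not mention that; I would add to its description `The setter form returns the flag's value before the change was applied.` If the neighbouring `secure` XSUB (outside the hunk) reads before writing in the same way this is consistent and only the documentation needs the sentence; otherwise move the read after the `if` block.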
diff -Naur libapreq2-2.08.old/include/apreq_cookie.h libapreq2-2.08/include/apreq_cookie.h
--- libapreq2-2.08.old/include/apreq_cookie.h 2006-08-08 21:26:44.000000000 -0700
+++ libapreq2-2.08/include/apreq_cookie.h 2008-07-14 11:44:17.000000000 -0700
@@ -106,6 +106,27 @@
APREQ_FLAGS_OFF(c->flags, APREQ_COOKIE_SECURE);
}
+/** @return 1 if the HttpOnly flag is set, 0 otherwise. */
+static APR_INLINE
+unsigned apreq_cookie_is_httponly(const apreq_cookie_t *c) {
+ return APREQ_FLAGS_GET(c->flags, APREQ_COOKIE_HTTPONLY);
+}
+
+/** Sets the cookie's HttpOnly flag, meaning it is not
+ * accessible through client-side script in supported
+ * browsers.
+ */
+static APR_INLINE
+void apreq_cookie_httponly_on(apreq_cookie_t *c) {
+ APREQ_FLAGS_ON(c->flags, APREQ_COOKIE_HTTPONLY);
+}
+
+/** Turns off the cookie's HttpOnly flag. */
+static APR_INLINE
+void apreq_cookie_httponly_off(apreq_cookie_t *c) {
+ APREQ_FLAGS_OFF(c->flags, APREQ_COOKIE_HTTPONLY);
+}
+
/** @return 1 if the taint flag is set, 0 otherwise. */
static APR_INLINE
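Review bot: The doc comment on `apreq_cookie_httponly_on` states the effect but not its limits, which matters for callers deciding what the flag buys them. I would extend it to: `Mitigates theft of the cookie value by client-side script (e.g. via cross-site scripting) in browsers that honour the flag; the cookie is still sent on every matching request, so it neither prevents request forgery nor replaces output encoding.` The comment on `apreq_cookie_is_httponly` could also point at `APREQ_COOKIE_HTTPONLY_BIT` in apreq.h, where the bit is allocated, so the two definitions stay visibly paired.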
diff -Naur libapreq2-2.08.old/include/apreq.h libapreq2-2.08/include/apreq.h
--- libapreq2-2.08.old/include/apreq.h 2006-08-08 21:26:44.000000000 -0700
+++ libapreq2-2.08/include/apreq.h 2008-07-14 11:35:52.000000000 -0700
@@ -179,6 +179,19 @@
*/
#define APREQ_COOKIE_SECURE_MASK 1
+/**
+ * Cookie's HttpOnly Bit
+ * @see APREQ_FLAGS_OFF @see APREQ_FLAGS_ON
+ * @see APREQ_FLAGS_GET @see APREQ_FLAGS_SET
+ */
+#define APREQ_COOKIE_HTTPONLY_BIT 14
+/**
+ * Cookie's HttpOnly Mask
+ * @see APREQ_FLAGS_OFF @see APREQ_FLAGS_ON
+ * @see APREQ_FLAGS_GET @see APREQ_FLAGS_SET
+ */
+#define APREQ_COOKIE_HTTPONLY_MASK 1
+
/** Character encodings. */
typedef enum {
APREQ_CHARSET_ASCII =0,
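Review bot: `APREQ_COOKIE_HTTPONLY_BIT 14` has to be a bit that no other `*_BIT` macro in this header already claims, and the sibling `APREQ_COOKIE_SECURE_BIT` (only its mask is visible as the context line above) lies outside the hunk, so a reader cannot verify the allocation here. A comment naming the neighbour keeps it auditable, e.g. `/* next free bit after APREQ_COOKIE_SECURE_BIT; must stay unique within apreq_cookie_t.flags */`. `APREQ_FLAGS_GET(c->flags, APREQ_COOKIE_HTTPONLY)` in apreq_cookie.h appears to paste `_BIT`/`_MASK` onto the name, so both macros must be kept defined together and the bit must fit the width of `flags` — confirm against the other flag definitions in this header.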
diff -Naur libapreq2-2.08.old/library/cookie.c libapreq2-2.08/library/cookie.c
--- libapreq2-2.08.old/library/cookie.c 2006-08-08 21:26:44.000000000 -0700
+++ libapreq2-2.08/library/cookie.c 2008-07-14 12:36:45.000000000 -0700
@@ -118,6 +118,13 @@
apreq_cookie_secure_off(c);
return APR_SUCCESS;
+ case 'h': /* httponly */
+ if (vlen > 0 && *val != '0' && strncasecmp("off",val,vlen))
+ apreq_cookie_httponly_on(c);
+ else
+ apreq_cookie_httponly_off(c);
+ return APR_SUCCESS;
+
};
return APR_ENOTIMPL;
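Review bot: The truth test `vlen > 0 && *val != '0' && strncasecmp("off",val,vlen)` compares only `vlen` characters, so a one- or two-character value such as `o` or `of` matches the prefix of `off` and clears the flag, while `offset` sets it; the expression is also a copy of the `secure` branch directly above. A small static helper shared by both cases, e.g. `static int attr_value_is_on(const char *val, apr_size_t vlen) { return vlen > 0 && *val != '0' && !(vlen == 3 && strncasecmp("off", val, 3) == 0); }`, would fix the prefix quirk in one place. The enclosing switch and function start outside the hunk; `case 'h'` keys on the first character only, matching the existing dispatch style, so any attribute name beginning with `h` reaches this branch.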
@@ -414,6 +421,11 @@
if (apreq_cookie_is_secure(c))
strcpy(f, "; secure");
+ f += strlen(f);
+
+ if (apreq_cookie_is_httponly(c))
+ strcpy(f, "; HttpOnly");
+
return apr_snprintf(buf, len, format, c->v.name, c->v.data,
NULL2EMPTY(c->path), NULL2EMPTY(c->domain), expires);
}
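Review bot: `strcpy(f, "; HttpOnly")` appends unbounded into the `format` buffer whose declaration and size are above the hunk, so the remaining capacity after the new `f += strlen(f)` cannot be checked from here; the same applies to the second serializer hunk below (the versioned format). Every appended piece is a literal, so the maximum length is a compile-time constant and a comment on the buffer declaration, e.g. `/* format must hold "%s=%s" plus every optional attribute including "; secure; HttpOnly" */`, or a static size assertion next to it, would record the invariant the new append relies on. The unconditional `f += strlen(f)` also assumes `*f` is a NUL byte when the cookie is not secure, which presumably holds from the buffer's initialiser — confirm. The enclosing function starts outside the hunk.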
@@ -448,6 +460,11 @@
if (apreq_cookie_is_secure(c))
strcpy(f, "; secure");
+ f += strlen(f);
+
+ if (apreq_cookie_is_httponly(c))
+ strcpy(f, "; HttpOnly");
+
return apr_snprintf(buf, len, format, c->v.name, c->v.data, version,
NULL2EMPTY(c->path), NULL2EMPTY(c->domain),
NULL2EMPTY(c->port), NULL2EMPTY(c->comment),
- To: 490862-done@bugs.debian.org
- Subject: Re: HttpOnly support for APR::Request::Cookie
- From: Sebastiaan Couwenberg <sebastic@xs4all.nl>
- Date: Tue, 13 Jun 2023 07:41:53 +0200
- Message-id: <49c6d6dc-38e7-3eeb-3027-a3ec8dfdad61@xs4all.nl>
- In-reply-to: <20080714201144.GA6337@trap.mtview.ca.us>
- References: <20080714201144.GA6337@trap.mtview.ca.us> <20080714201144.GA6337@trap.mtview.ca.us>
Version: 2.13-1
The httponly option is now available:
METHODS
APR::Request::Cookie
new
APR::Request::Cookie->new($pool,
name => $name,
value => $value,
%args)
Creates a new cookie. Here $pool is an APR::Pool object, and $name is
the cookie's name. The $value is transformed into the cookie's raw
value
through the class' "freeze()" method. The remaining arguments are
optional:
-secure
-httponly
-version
-path
-domain
-port
-expires
-comment
-commentURL
For details on these arguments, please consult the corresponding
method's documentation.
Kind Regards,
Bas
--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1