
Bug#490862: marked as done (HttpOnly support for APR::Request::Cookie)



Your message dated Tue, 13 Jun 2023 07:41:53 +0200
with message-id <49c6d6dc-38e7-3eeb-3027-a3ec8dfdad61@xs4all.nl>
and subject line Re: HttpOnly support for APR::Request::Cookie
has caused the Debian Bug report #490862,
regarding HttpOnly support for APR::Request::Cookie
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
490862: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490862
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libapache2-request-perl
Version: 2.08-4
Severity: wishlist

	As best I can tell libapreq2 has no direct way to add the
HttpOnly flag to the cookies it sets.  Although browser support for this
feature is not universal, it is a useful measure to limit the impact of
cross-site scripting attacks in supported browsers.
	http://msdn.microsoft.com/en-us/library/ms533046.aspx provides
some info on the syntax and support.

						Thanks,
						Robert Stone
diff -Naur libapreq2-2.08.old/glue/perl/lib/Apache2/Cookie.pm libapreq2-2.08/glue/perl/lib/Apache2/Cookie.pm
--- libapreq2-2.08.old/glue/perl/lib/Apache2/Cookie.pm	2006-08-08 21:26:45.000000000 -0700
+++ libapreq2-2.08/glue/perl/lib/Apache2/Cookie.pm	2008-07-14 12:06:05.000000000 -0700
@@ -436,6 +436,20 @@
 
 
 
+=head2 httponly
+
+    $cookie->httponly()
+    $cookie->httponly($set)
+
+Get or set the HttpOnly flag for the cookie:
+
+    $cookie->httponly(1);
+    $is_HttpOnly = $cookie->httponly;
+    $cookie->httponly(0);
+
+
+
+
 =head2 comment
 
     $cookie->comment()
diff -Naur libapreq2-2.08.old/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.pod libapreq2-2.08/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.pod
--- libapreq2-2.08.old/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.pod	2006-08-08 21:26:45.000000000 -0700
+++ libapreq2-2.08/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.pod	2008-07-14 12:08:26.000000000 -0700
@@ -117,6 +117,8 @@
 
 =item -secure
 
+=item -httponly
+
 =item -version
 
 =item -path
@@ -235,6 +237,28 @@
 
 
 
+=head2 httponly
+
+    $cookie->httponly()
+    $cookie->httponly($set)
+
+
+Get/set the cookie's HttpOnly flag.
+
+=for example begin
+
+    $cookie->httponly(1);
+    ok $cookie->httponly == 1;
+
+=for example end
+
+=for example_testing
+    $cookie->httponly(0);
+    is $cookie->httponly, 0, "HttpOnly";
+
+
+
+
 =head2 version
 
     $cookie->version()
diff -Naur libapreq2-2.08.old/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.xs libapreq2-2.08/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.xs
--- libapreq2-2.08.old/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.xs	2006-08-08 21:26:45.000000000 -0700
+++ libapreq2-2.08/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.xs	2008-07-14 12:09:34.000000000 -0700
@@ -74,6 +74,23 @@
     RETVAL
 
 UV
+httponly(obj, val=NULL)
+    APR::Request::Cookie obj
+    SV *val
+
+  CODE:
+    RETVAL = apreq_cookie_is_httponly(obj);
+    if (items == 2) {
+        if (SvTRUE(val))
+            apreq_cookie_httponly_on(obj);
+        else
+            apreq_cookie_httponly_off(obj);
+    }
+
+  OUTPUT:
+    RETVAL
+
+UV
 version(obj, val=0)
     APR::Request::Cookie obj
     UV val
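Review bot: When called with an argument, httponly() returns the flag's state from before the update, because RETVAL is assigned from apreq_cookie_is_httponly(obj) on the first CODE line and the on/off call is only made afterwards inside the `items == 2` branch; neither this hunk nor the POD added in Cookie.pm and Cookie.pod says so. A one-line comment above the assignment would make the intent explicit, e.g. `/* RETVAL is the previous state; a new value (if any) is applied below */`. The accessor whose RETVAL ends just above the hunk appears to follow the same pattern, so this is presumably deliberate and only the documentation is missing.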
diff -Naur libapreq2-2.08.old/include/apreq_cookie.h libapreq2-2.08/include/apreq_cookie.h
--- libapreq2-2.08.old/include/apreq_cookie.h	2006-08-08 21:26:44.000000000 -0700
+++ libapreq2-2.08/include/apreq_cookie.h	2008-07-14 11:44:17.000000000 -0700
@@ -106,6 +106,27 @@
     APREQ_FLAGS_OFF(c->flags, APREQ_COOKIE_SECURE);
 }
 
+/** @return 1 if the HttpOnly flag is set, 0 otherwise. */
+static APR_INLINE
+unsigned apreq_cookie_is_httponly(const apreq_cookie_t *c) {
+    return APREQ_FLAGS_GET(c->flags, APREQ_COOKIE_HTTPONLY);
+}
+
+/** Sets the cookie's HttpOnly flag, meaning it is not
+ *  accessible through client-side script in supported
+ *  browsers.
+ */
+static APR_INLINE
+void apreq_cookie_httponly_on(apreq_cookie_t *c) {
+    APREQ_FLAGS_ON(c->flags, APREQ_COOKIE_HTTPONLY);
+}
+
+/** Turns off the cookie's HttpOnly flag. */
+static APR_INLINE
+void apreq_cookie_httponly_off(apreq_cookie_t *c) {
+    APREQ_FLAGS_OFF(c->flags, APREQ_COOKIE_HTTPONLY);
+}
+
 
 /** @return 1 if the taint flag is set, 0 otherwise. */
 static APR_INLINE
diff -Naur libapreq2-2.08.old/include/apreq.h libapreq2-2.08/include/apreq.h
--- libapreq2-2.08.old/include/apreq.h	2006-08-08 21:26:44.000000000 -0700
+++ libapreq2-2.08/include/apreq.h	2008-07-14 11:35:52.000000000 -0700
@@ -179,6 +179,19 @@
  */
 #define APREQ_COOKIE_SECURE_MASK    1
 
+/**
+ * Cookie's HttpOnly Bit 
+ * @see APREQ_FLAGS_OFF @see APREQ_FLAGS_ON
+ * @see APREQ_FLAGS_GET @see APREQ_FLAGS_SET
+ */
+#define APREQ_COOKIE_HTTPONLY_BIT    14
+/**
+ * Cookie's HttpOnly Mask
+ * @see APREQ_FLAGS_OFF @see APREQ_FLAGS_ON
+ * @see APREQ_FLAGS_GET @see APREQ_FLAGS_SET
+ */
+#define APREQ_COOKIE_HTTPONLY_MASK    1
+
 /** Character encodings. */
 typedef enum {
     APREQ_CHARSET_ASCII  =0,
diff -Naur libapreq2-2.08.old/library/cookie.c libapreq2-2.08/library/cookie.c
--- libapreq2-2.08.old/library/cookie.c	2006-08-08 21:26:44.000000000 -0700
+++ libapreq2-2.08/library/cookie.c	2008-07-14 12:36:45.000000000 -0700
@@ -118,6 +118,13 @@
             apreq_cookie_secure_off(c);
         return APR_SUCCESS;
 
+    case 'h': /* httponly */
+        if (vlen > 0 && *val != '0' && strncasecmp("off",val,vlen))
+            apreq_cookie_httponly_on(c);
+        else
+            apreq_cookie_httponly_off(c);
+        return APR_SUCCESS;
+
     };
 
     return APR_ENOTIMPL;
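Review bot: The value test `strncasecmp("off",val,vlen)` compares only vlen bytes, so a value that is a proper prefix of "off" (`o`, `of`) also clears the flag, while any other non-empty value not beginning with `0` sets it; `httponly=o` therefore means off, which is unlikely to be intended. The same idiom appears to be inherited from the secure case whose else-branch is visible just above the hunk, so tightening only this branch (e.g. `vlen == 3 && strncasecmp("off", val, 3) == 0`) would make the two attributes disagree; if the lenient matching is kept, a comment such as `/* flag value: empty, "0" or a prefix of "off" clears it, anything else sets it */` would record the accepted forms. The enclosing switch and function begin before the hunk.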
@@ -414,6 +421,11 @@
         if (apreq_cookie_is_secure(c))
             strcpy(f, "; secure");
 
+        f += strlen(f);
+
+        if (apreq_cookie_is_httponly(c))
+            strcpy(f, "; HttpOnly");
+
         return apr_snprintf(buf, len, format, c->v.name, c->v.data,
            NULL2EMPTY(c->path), NULL2EMPTY(c->domain), expires);
     }
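Review bot: The added `strcpy(f, "; HttpOnly")` appends ten more bytes to the buffer that `f` walks through, with no bound check, and that buffer's declaration and size are outside this hunk; the same addition is made in the hunk at `@@ -448,6 +460,11 @@`, where the version-1 format already carries more attributes. Please confirm the declared size still covers the longest possible format with both `; secure` and `; HttpOnly` present, and update any sizing comment at the declaration to include the new attribute. The string built here is later passed to apr_snprintf as the format, so if it is a fixed-size local as it appears to be, an overrun would be a write past that local rather than past the caller's `buf`. The enclosing serialize function begins before the hunk.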
@@ -448,6 +460,11 @@
     if (apreq_cookie_is_secure(c))
         strcpy(f, "; secure");
 
+    f += strlen(f);
+
+    if (apreq_cookie_is_httponly(c))
+        strcpy(f, "; HttpOnly");
+
     return apr_snprintf(buf, len, format, c->v.name, c->v.data, version,
                         NULL2EMPTY(c->path), NULL2EMPTY(c->domain),
                         NULL2EMPTY(c->port), NULL2EMPTY(c->comment),

--- End Message ---
--- Begin Message ---
Version: 2.13-1

The httponly option is now available:

METHODS
    APR::Request::Cookie

  new
        APR::Request::Cookie->new($pool,
                                   name => $name,
                                  value => $value,
                                  %args)

    Creates a new cookie. Here $pool is an APR::Pool object, and $name is
    the cookie's name. The $value is transformed into the cookie's raw value
    through the class' "freeze()" method. The remaining arguments are
    optional:

    -secure
    -httponly
    -version
    -path
    -domain
    -port
    -expires
    -comment
    -commentURL

    For details on these arguments, please consult the corresponding
    method's documentation.

Kind Regards,

Bas

--
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1

--- End Message ---
