GNU bug report logs -
#24757
25.1.50; url-cookie.el creates phantom cookie for HttpOnly
Reported by: Alain Schneble <a.s <at> realize.ch>
Date: Fri, 21 Oct 2016 16:37:02 UTC
Severity: normal
Tags: patch
Merged with 29282
Found in versions 25.1.50, 26.0.90
Fixed in version 26.1
Done: Katsumi Yamaoka <yamaoka <at> jpl.org>
Bug is archived. No further changes may be made.
Message #8 received at 24757 <at> debbugs.gnu.org (full text, mbox):
Alain Schneble <a.s <at> realize.ch> writes:
> I would be happy to arrange a patch to solve this issue, but would like
> first to discuss which approach to choose:
>
> 1. Simply ignore any HttpOnly attribute/flag on a Set-Cookie header
> value.
Following the first approach above, I propose to apply this patch:
[0001-Eliminate-phantom-HttpOnly-cookie-Bug-24757-2.patch (text/x-patch, inline)]
From cf934b9c5d214e0853feef2d8ba42582eb5af5be Mon Sep 17 00:00:00 2001
From: Alain Schneble <a.s <at> realize.ch>
Date: Sat, 22 Oct 2016 15:43:11 +0200
Subject: [PATCH] Eliminate phantom HttpOnly cookie (Bug#24757)
* lisp/url/url-cookie.el (url-cookie-handle-set-cookie): Remove HttpOnly
attribute from the list of cookie name-value-pairs if it's present in a
Set-Cookie header value.
---
lisp/url/url-cookie.el | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/lisp/url/url-cookie.el b/lisp/url/url-cookie.el
index 6848230..e22bc40 100644
--- a/lisp/url/url-cookie.el
+++ b/lisp/url/url-cookie.el
@@ -245,6 +245,12 @@ url-cookie-handle-set-cookie
(let* ((args (url-parse-args str t))
(case-fold-search t)
(secure (and (assoc-string "secure" args t) t))
+ ;; HttpOnly attribute was introduced in RFC6265. Treat it as
+ ;; a cookie name if it appears on the left hand side of a
+ ;; cookie name-value-pair (i.e. HttpCookie=<value>). Only
+ ;; treat it as HttpOnly flag if it stands alone.
+ (httponly-attribute (assoc-string "httponly" args t))
+ (httponly (and httponly-attribute (not (cdr httponly-attribute))))
(domain (or (cdr-safe (assoc-string "domain" args t))
(url-host url-current-object)))
(current-url (url-view-url t))
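Review bot: the example in the new comment, `HttpCookie=<value>`, names the wrong attribute; the case being described is a cookie literally named HttpOnly, so it should read `(i.e. HttpOnly=<value>)`. It would also help to say in that comment that `assoc-string` returns only the first matching pair, so the `httponly` flag is decided by the first `httponly` entry in `args`.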
@@ -257,7 +263,9 @@ url-cookie-handle-set-cookie
(rest nil))
(dolist (this args)
(or (member (downcase (car this)) '("secure" "domain" "expires" "path"))
- (setq rest (cons this rest))))
+ ;; Accounts for the special case where HttpOnly is used as cookie name.
+ (and (equal (downcase (car this)) "httponly") httponly)
+ (setq rest (cons this rest))))
;; Sometimes we get dates that the timezone package cannot handle very
;; gracefully - take care of this here, instead of in url-cookie-expired-p
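Review bot: the comment above the new `and` clause describes the opposite of what the clause does: the entry is dropped when `httponly` is non-nil, i.e. when HttpOnly stood alone as a flag, and is kept only when HttpOnly is used as a cookie name. Suggest rewording it to something like `;; Drop the bare HttpOnly flag; keep it if it is a cookie name (HttpOnly=<value>).` The `(downcase (car this))` call is also now evaluated twice per element; binding it once with `let` would read more cleanly.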
--
2.9.1
Could you please consider committing it to the 25.1 branch?
Thanks,
Alain
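The phantom-cookie defect discussed in this report, modelled in Python as an added example (not Emacs code and not the patch above): a parser that decides "cookie or attribute" by a fixed list of known attribute names turns a bare `HttpOnly` flag into a second cookie, while the RFC 6265 rule that only the first `name=value` pair is the cookie gets it right. The `Cookie` class, the attribute list and the sample headers are constructed for the example.

```python
"""Set-Cookie parsing: how a bare HttpOnly flag becomes a phantom cookie."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The pre-patch url-cookie.el only knew these attribute names; anything
# else in the header was treated as a cookie name-value pair.
KNOWN_ATTRS = {"secure", "domain", "expires", "path"}


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


def split_args(header: str) -> List[Tuple[str, Optional[str]]]:
    """Split 'a=1; Path=/; HttpOnly' into (name, value-or-None) pairs."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        pairs.append((name.strip(), value.strip() if sep else None))
    return pairs


def parse_buggy(header: str) -> List[Cookie]:
    """Name-list approach: every pair not in KNOWN_ATTRS becomes a cookie,
    so a bare HttpOnly flag yields a phantom cookie named 'HttpOnly'."""
    return [Cookie(n, v or "") for n, v in split_args(header)
            if n.lower() not in KNOWN_ATTRS]


def parse_rfc6265(header: str) -> Optional[Cookie]:
    """Position-based approach: the first pair is the cookie-pair, everything
    after the first ';' is an attribute (case-insensitive, value optional)."""
    pairs = split_args(header)
    if not pairs or pairs[0][1] is None:
        return None  # no cookie-pair at all: ignore the header
    name, value = pairs[0]
    attrs = {n.lower(): v for n, v in pairs[1:]}
    return Cookie(name, value, attrs)
```

The second sample header in the test, `HttpOnly=abc; Path=/`, is the edge case the patch preserves: a cookie that is genuinely named HttpOnly is still a cookie.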