httpd-apreq-cvs mailing list archives

From is...@apache.org
Subject svn commit: r1035390 - in /httpd/apreq/trunk: ./ glue/perl/lib/Apache2/ glue/perl/xsbuilder/APR/Request/Cookie/ include/ library/ module/t/ module/t/c-modules/apreq_cookie_test/
Date Mon, 15 Nov 2010 18:34:20 GMT
Author: issac
Date: Mon Nov 15 18:34:20 2010
New Revision: 1035390

URL: http://svn.apache.org/viewvc?rev=1035390&view=rev
Log:
HttpOnly cookie support

Modified:
    httpd/apreq/trunk/CHANGES
    httpd/apreq/trunk/glue/perl/lib/Apache2/Cookie.pm
    httpd/apreq/trunk/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.pod
    httpd/apreq/trunk/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.xs
    httpd/apreq/trunk/include/apreq.h
    httpd/apreq/trunk/include/apreq_cookie.h
    httpd/apreq/trunk/library/cookie.c
    httpd/apreq/trunk/module/t/c-modules/apreq_cookie_test/mod_apreq_cookie_test.c
    httpd/apreq/trunk/module/t/cookie.t

Modified: httpd/apreq/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/apreq/trunk/CHANGES?rev=1035390&r1=1035389&r2=1035390&view=diff
==============================================================================
--- httpd/apreq/trunk/CHANGES (original)
+++ httpd/apreq/trunk/CHANGES Mon Nov 15 18:34:20 2010
@@ -3,6 +3,10 @@
 
 @section v2_13 Changes with libapreq2-2.13 (in development)
 
+- HTTP Only Cookie [Robert Stone & Adam Prime]
+  The C and Perl Cookie APIs now support an HttpOnly flag to tell 
+  user agents to deny client-side script access to the cookie
+
 @section v2_12 Changes with libapreq2-2.12 (released March 13, 2009)
 
 - C API [joes]

Modified: httpd/apreq/trunk/glue/perl/lib/Apache2/Cookie.pm
URL: http://svn.apache.org/viewvc/httpd/apreq/trunk/glue/perl/lib/Apache2/Cookie.pm?rev=1035390&r1=1035389&r2=1035390&view=diff
==============================================================================
--- httpd/apreq/trunk/glue/perl/lib/Apache2/Cookie.pm (original)
+++ httpd/apreq/trunk/glue/perl/lib/Apache2/Cookie.pm Mon Nov 15 18:34:20 2010
@@ -436,6 +436,20 @@ Get or set the secure flag for the cooki
 
 
 
+=head2 httponly
+
+    $cookie->httponly()
+    $cookie->httponly($set)
+
+Get or set the HttpOnly flag for the cookie:
+
+    $cookie->httponly(1);
+    $is_HttpOnly = $cookie->httponly;
+    $cookie->httponly(0);
+
+
+
+
 =head2 comment
 
     $cookie->comment()

Modified: httpd/apreq/trunk/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.pod
URL: http://svn.apache.org/viewvc/httpd/apreq/trunk/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.pod?rev=1035390&r1=1035389&r2=1035390&view=diff
==============================================================================
--- httpd/apreq/trunk/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.pod (original)
+++ httpd/apreq/trunk/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.pod Mon Nov 15 18:34:20
2010
@@ -117,6 +117,8 @@ The remaining arguments are optional:
 
 =item -secure
 
+=item -httponly
+
 =item -version
 
 =item -path
@@ -235,6 +237,28 @@ Get/set the cookie's secure flag.
 
 
 
+=head2 httponly
+
+    $cookie->httponly()
+    $cookie->httponly($set)
+
+
+Get/set the cookie's HttpOnly flag.
+
+=for example begin
+
+    $cookie->httponly(1);
+    ok $cookie->httponly == 1;
+
+=for example end
+
+=for example_testing
+    $cookie->httponly(0);
+    is $cookie->httponly, 0, "HttpOnly";
+
+
+
+
 =head2 version
 
     $cookie->version()

Modified: httpd/apreq/trunk/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.xs
URL: http://svn.apache.org/viewvc/httpd/apreq/trunk/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.xs?rev=1035390&r1=1035389&r2=1035390&view=diff
==============================================================================
--- httpd/apreq/trunk/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.xs (original)
+++ httpd/apreq/trunk/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.xs Mon Nov 15 18:34:20
2010
@@ -74,6 +74,23 @@ secure(obj, val=NULL)
     RETVAL
 
 UV
+httponly(obj, val=NULL)
+    APR::Request::Cookie obj
+    SV *val
+
+  CODE:
+    RETVAL = apreq_cookie_is_httponly(obj);
+    if (items == 2) {
+        if (SvTRUE(val))
+            apreq_cookie_httponly_on(obj);
+        else
+            apreq_cookie_httponly_off(obj);
+    }
+
+  OUTPUT:
+    RETVAL
+
+UV
 version(obj, val=0)
     APR::Request::Cookie obj
     UV val
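Review bot: `RETVAL` is read before the `items == 2` branch runs, so `$cookie->httponly(1)` returns the flag's previous value rather than the one just set, and neither POD section added in this commit says so. A caller that writes `if ($cookie->httponly(1))` to confirm the flag would see 0 on a fresh cookie and could wrongly conclude the cookie is still script-readable. I would add a sentence to the POD such as `Returns the flag's value from before the call.` The hunk header shows `secure(obj, val=NULL)` with the same signature, so this presumably mirrors that accessor.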

Modified: httpd/apreq/trunk/include/apreq.h
URL: http://svn.apache.org/viewvc/httpd/apreq/trunk/include/apreq.h?rev=1035390&r1=1035389&r2=1035390&view=diff
==============================================================================
--- httpd/apreq/trunk/include/apreq.h (original)
+++ httpd/apreq/trunk/include/apreq.h Mon Nov 15 18:34:20 2010
@@ -188,6 +188,19 @@
  */
 #define APREQ_COOKIE_SECURE_MASK    1
 
+/**
+ * Cookie's HttpOnly Bit 
+ * @see APREQ_FLAGS_OFF @see APREQ_FLAGS_ON
+ * @see APREQ_FLAGS_GET @see APREQ_FLAGS_SET
+ */
+#define APREQ_COOKIE_HTTPONLY_BIT    14
+/**
+ * Cookie's HttpOnly Mask
+ * @see APREQ_FLAGS_OFF @see APREQ_FLAGS_ON
+ * @see APREQ_FLAGS_GET @see APREQ_FLAGS_SET
+ */
+#define APREQ_COOKIE_HTTPONLY_MASK    1
+
 /** Character encodings. */
 typedef enum {
     APREQ_CHARSET_ASCII  =0,
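Review bot: The doc comment on `APREQ_COOKIE_HTTPONLY_BIT` does not say how position 14 relates to the other fields packed into the flags word, and those definitions are outside the hunk. An overlap with a neighbouring bit/mask pair would make toggling HttpOnly silently change another cookie property. It is worth recording the constraint where the value is chosen, e.g. `/* bit 14, one-bit field; must not overlap any other *_BIT/*_MASK range in this header */`.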

Modified: httpd/apreq/trunk/include/apreq_cookie.h
URL: http://svn.apache.org/viewvc/httpd/apreq/trunk/include/apreq_cookie.h?rev=1035390&r1=1035389&r2=1035390&view=diff
==============================================================================
--- httpd/apreq/trunk/include/apreq_cookie.h (original)
+++ httpd/apreq/trunk/include/apreq_cookie.h Mon Nov 15 18:34:20 2010
@@ -107,6 +107,27 @@ void apreq_cookie_secure_off(apreq_cooki
     APREQ_FLAGS_OFF(c->flags, APREQ_COOKIE_SECURE);
 }
 
+/** @return 1 if the HttpOnly flag is set, 0 otherwise. */
+static APR_INLINE
+unsigned apreq_cookie_is_httponly(const apreq_cookie_t *c) {
+    return APREQ_FLAGS_GET(c->flags, APREQ_COOKIE_HTTPONLY);
+}
+
+/** Sets the cookie's HttpOnly flag, meaning it is not
+ *  accessible through client-side script in supported
+ *  browsers.
+ */
+static APR_INLINE
+void apreq_cookie_httponly_on(apreq_cookie_t *c) {
+    APREQ_FLAGS_ON(c->flags, APREQ_COOKIE_HTTPONLY);
+}
+
+/** Turns off the cookie's HttpOnly flag. */
+static APR_INLINE
+void apreq_cookie_httponly_off(apreq_cookie_t *c) {
+    APREQ_FLAGS_OFF(c->flags, APREQ_COOKIE_HTTPONLY);
+}
+
 
 /** @return 1 if the taint flag is set, 0 otherwise. */
 static APR_INLINE

Modified: httpd/apreq/trunk/library/cookie.c
URL: http://svn.apache.org/viewvc/httpd/apreq/trunk/library/cookie.c?rev=1035390&r1=1035389&r2=1035390&view=diff
==============================================================================
--- httpd/apreq/trunk/library/cookie.c (original)
+++ httpd/apreq/trunk/library/cookie.c Mon Nov 15 18:34:20 2010
@@ -119,6 +119,13 @@ static apr_status_t apreq_cookie_attr(ap
             apreq_cookie_secure_off(c);
         return APR_SUCCESS;
 
+    case 'h': /* httponly */
+        if (vlen > 0 && *val != '0' && strncasecmp("off",val,vlen))
+            apreq_cookie_httponly_on(c);
+        else
+            apreq_cookie_httponly_off(c);
+        return APR_SUCCESS;
+
     };
 
     return APR_ENOTIMPL;
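Review bot: In `case 'h'`, `strncasecmp("off",val,vlen)` compares only `vlen` characters, so the values `o` and `of` are also read as "off", and an attribute with no value (`vlen == 0`) clears the flag too. For a protective flag this fails open: if this path is ever given a bare `HttpOnly` token, the cookie ends up without the flag. I would match the whole token, `if (vlen > 0 && *val != '0' && !(vlen == 3 && !strncasecmp("off", val, 3)))`, and add a comment stating what an empty value is meant to do. The switch expression and any check of the full attribute name are outside the hunk, so these lines do not show whether other names beginning with `h` also reach this case.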
@@ -468,6 +475,11 @@ APREQ_DECLARE(int) apreq_cookie_serializ
         if (apreq_cookie_is_secure(c))
             strcpy(f, "; secure");
 
+        f += strlen(f);
+
+        if (apreq_cookie_is_httponly(c))
+            strcpy(f, "; HttpOnly");
+
         return apr_snprintf(buf, len, format, c->v.name, c->v.data,
            NULL2EMPTY(c->path), NULL2EMPTY(c->domain), expires);
     }
@@ -502,6 +514,11 @@ APREQ_DECLARE(int) apreq_cookie_serializ
     if (apreq_cookie_is_secure(c))
         strcpy(f, "; secure");
 
+    f += strlen(f);
+
+    if (apreq_cookie_is_httponly(c))
+        strcpy(f, "; HttpOnly");
+
     return apr_snprintf(buf, len, format, c->v.name, c->v.data, version,
                         NULL2EMPTY(c->path), NULL2EMPTY(c->domain),
                         NULL2EMPTY(c->port), NULL2EMPTY(c->comment),

Modified: httpd/apreq/trunk/module/t/c-modules/apreq_cookie_test/mod_apreq_cookie_test.c
URL: http://svn.apache.org/viewvc/httpd/apreq/trunk/module/t/c-modules/apreq_cookie_test/mod_apreq_cookie_test.c?rev=1035390&r1=1035389&r2=1035390&view=diff
==============================================================================
--- httpd/apreq/trunk/module/t/c-modules/apreq_cookie_test/mod_apreq_cookie_test.c (original)
+++ httpd/apreq/trunk/module/t/c-modules/apreq_cookie_test/mod_apreq_cookie_test.c Mon Nov
15 18:34:20 2010
@@ -80,6 +80,11 @@ static int apreq_cookie_test_handler(req
         apr_table_add(r->headers_out, "Set-Cookie2",
                       apreq_cookie_as_string(cookie, r->pool));
     }
+    else if (strcmp(test, "httponly") == 0) {
+        apreq_cookie_httponly_on(cookie);
+        apr_table_add(r->headers_out, "Set-Cookie",
+                      apreq_cookie_as_string(cookie, r->pool));
+    }
     else {
         size = strlen(cookie->v.data);
         dest = apr_palloc(r->pool, size + 1);

Modified: httpd/apreq/trunk/module/t/cookie.t
URL: http://svn.apache.org/viewvc/httpd/apreq/trunk/module/t/cookie.t?rev=1035390&r1=1035389&r2=1035390&view=diff
==============================================================================
--- httpd/apreq/trunk/module/t/cookie.t (original)
+++ httpd/apreq/trunk/module/t/cookie.t Mon Nov 15 18:34:20 2010
@@ -6,7 +6,7 @@ use Apache::Test;
 use Apache::TestUtil;
 use Apache::TestRequest qw(GET_BODY GET_HEAD);
 
-plan tests => 5, need_lwp;
+plan tests => 6, need_lwp;
 
 require HTTP::Cookies;
 
@@ -47,7 +47,6 @@ my $location = "/apreq_cookie_test";
     my $cookie = "$key=$value";
     my ($header) = GET_HEAD("$location?test=$test&key=$key",
                             Cookie => $cookie) =~ /^#Set-Cookie:\s+(.+)/m;
-
     ok t_cmp($header, $cookie, $test);
 }
 {
@@ -59,3 +58,12 @@ my $location = "/apreq_cookie_test";
                             Cookie => $cookie) =~ /^#Set-Cookie2:\s+(.+)/m;
     ok t_cmp($header, qq{$key="$value"; Version=1; path="$location"}, $test);
 }
+{
+    my $test  = 'httponly';
+    my $key   = 'apache';
+    my $value = 'ok';
+    my $cookie = "$key=$value; HttpOnly";
+    my ($header) = GET_HEAD("$location?test=$test&key=$key",
+                            Cookie => $cookie) =~ /^#Set-Cookie:\s+(.+)/m;
+    ok t_cmp($header, $cookie, $test);
+}
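Review bot: The new `httponly` block does not depend on the `; HttpOnly` in the `Cookie` request header, because the test handler added in this commit calls `apreq_cookie_httponly_on(cookie)` itself before serializing. As far as these lines show, the suite therefore covers serialization of the flag only, not the `httponly` attribute parsing added in cookie.c, and it has no negative case. I would add a comment here, `# flag is set by the handler; this checks serialization only`, and a companion assertion that the `Set-Cookie` header of the default test does not contain `HttpOnly`.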


