Revert "Treat cookies from HTTP and HTTPS as identical."

Sadly, this breaks path cookies on HTTPS sites. The correct
fix is to implement RFC6265 in full (probably replacing
urldb with something less complex, too).

This reverts commit 924f8844d4.
John-Mark Bell 2013-01-04 22:01:15 +00:00
parent 07024b05c4
commit d0d3d31e97
3 changed files with 20 additions and 31 deletions


@ -2410,9 +2410,9 @@ char *urldb_get_cookie(nsurl *url, bool include_http_only)
const char *path;
char *ret;
lwc_string *scheme;
bool target_is_secure;
time_t now;
int i;
bool match;
assert(url != NULL);
@ -2425,15 +2425,7 @@ char *urldb_get_cookie(nsurl *url, bool include_http_only)
if (!p)
return NULL;
scheme = nsurl_get_component(url, NSURL_SCHEME);
if (scheme == NULL)
scheme = lwc_string_ref(corestring_lwc_http);
if (lwc_string_caseless_isequal(scheme, corestring_lwc_https,
&target_is_secure) != lwc_error_ok)
return NULL;
lwc_string_unref(scheme);
scheme = p->scheme;
matched_cookies = malloc(matched_cookies_size *
sizeof(struct cookie_internal_data *));
@ -2492,7 +2484,11 @@ char *urldb_get_cookie(nsurl *url, bool include_http_only)
/* cookie has expired => ignore */
continue;
if (c->secure && target_is_secure == false)
if (c->secure && lwc_string_isequal(
q->scheme,
corestring_lwc_https,
&match) &&
match == false)
/* secure cookie for insecure host.
* ignore */
continue;
@ -2527,7 +2523,11 @@ char *urldb_get_cookie(nsurl *url, bool include_http_only)
/* cookie has expired => ignore */
continue;
if (c->secure && target_is_secure == false)
if (c->secure && lwc_string_isequal(
q->scheme,
corestring_lwc_https,
&match) &&
match == false)
/* Secure cookie for insecure server
* => ignore */
continue;
@ -2567,7 +2567,10 @@ char *urldb_get_cookie(nsurl *url, bool include_http_only)
/* paths don't match => ignore */
continue;
if (c->secure && target_is_secure == false)
if (c->secure && lwc_string_isequal(p->scheme,
corestring_lwc_https,
&match) &&
match == false)
/* Secure cookie for insecure server
* => ignore */
continue;
@ -2598,7 +2601,10 @@ char *urldb_get_cookie(nsurl *url, bool include_http_only)
/* paths don't match => ignore */
continue;
if (c->secure && target_is_secure == false)
if (c->secure && lwc_string_isequal(scheme,
corestring_lwc_https,
&match) &&
match == false)
/* secure cookie for insecure host. ignore */
continue;
@ -2692,19 +2698,6 @@ bool urldb_set_cookie(const char *header, nsurl *url, nsurl *referer)
return false;
}
/* If HTTPS, store cookie using HTTP */
if (lwc_string_caseless_isequal(scheme, corestring_lwc_https,
&match) != lwc_error_ok) {
lwc_string_unref(scheme);
nsurl_unref(urlt);
return false;
}
if (match) {
lwc_string_unref(scheme);
scheme = lwc_string_ref(corestring_lwc_http);
}
path = nsurl_get_component(url, NSURL_PATH);
if (path == NULL) {
lwc_string_unref(scheme);
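Review bot: The Secure check this revert restores in urldb_get_cookie, `if (c->secure && lwc_string_isequal(q->scheme, corestring_lwc_https, &match) && match == false)`, appears unable to ever skip a cookie, and the same form is used at all four sites (the hunks at 2492, 2527, 2567 and 2598). lwc_string_isequal yields an lwc_error, and the removed code on this page tests the caseless variant with `!= lwc_error_ok`; if lwc_error_ok is zero, as it is in libwapcaplet, a successful comparison makes the `&&` chain false before `match` is read, so Secure cookies would be returned for plain-HTTP requests. I would test the result explicitly and fail closed, e.g. `if (c->secure && (lwc_string_isequal(q->scheme, corestring_lwc_https, &match) != lwc_error_ok || match == false))`, using `p->scheme` or `scheme` at the sites that compare those. Most of urldb_get_cookie lies outside these hunks, so how `match` and the stored scheme are used elsewhere should be confirmed against the full function.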


@ -58,7 +58,6 @@ lwc_string *corestring_lwc_head;
lwc_string *corestring_lwc_hidden;
lwc_string *corestring_lwc_hr;
lwc_string *corestring_lwc_html;
lwc_string *corestring_lwc_http;
lwc_string *corestring_lwc_https;
lwc_string *corestring_lwc_iframe;
lwc_string *corestring_lwc_image;
@ -273,7 +272,6 @@ void corestrings_fini(void)
CSS_LWC_STRING_UNREF(hidden);
CSS_LWC_STRING_UNREF(hr);
CSS_LWC_STRING_UNREF(html);
CSS_LWC_STRING_UNREF(http);
CSS_LWC_STRING_UNREF(https);
CSS_LWC_STRING_UNREF(iframe);
CSS_LWC_STRING_UNREF(image);
@ -508,7 +506,6 @@ nserror corestrings_init(void)
CSS_LWC_STRING_INTERN(hidden);
CSS_LWC_STRING_INTERN(hr);
CSS_LWC_STRING_INTERN(html);
CSS_LWC_STRING_INTERN(http);
CSS_LWC_STRING_INTERN(https);
CSS_LWC_STRING_INTERN(iframe);
CSS_LWC_STRING_INTERN(image);


@ -62,7 +62,6 @@ extern lwc_string *corestring_lwc_head;
extern lwc_string *corestring_lwc_hidden;
extern lwc_string *corestring_lwc_hr;
extern lwc_string *corestring_lwc_html;
extern lwc_string *corestring_lwc_http;
extern lwc_string *corestring_lwc_https;
extern lwc_string *corestring_lwc_iframe;
extern lwc_string *corestring_lwc_image;