0001-misc-add-httponly-secure-flags-on-session-cookie-112.patch

Frédéric Péters, 11 juin 2016 13:31

Subject: [PATCH] misc: add httponly/secure flags on session cookie (#11275)

 tests/test_form_pages.py | 16 ++++++++++++++++
 tests/utilities.py       |  8 +++++---
 wcs/qommon/publisher.py  |  3 +++
 3 files changed, 24 insertions(+), 3 deletions(-)
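--- a/tests/test_form_pages.py
+++ b/tests/test_form_pages.py
@@ -2755,3 +2755,19 @@
     assert 'message-to-submitter' in page.body
     assert 'message-to-nobody' not in page.body
     assert 'message-to-xxx-and-submitter' in page.body
+
+def test_session_cookie_flags(pub):
+    formdef = create_formdef()
+    app = get_app(pub)
+    resp = app.get('/test/', status=200)
+    resp = resp.form.submit('submit')
+    assert resp.headers['Set-Cookie'].startswith('wcs-')
+    assert 'httponly' in resp.headers['Set-Cookie']
+    assert not 'secure' in resp.headers['Set-Cookie']
+
+    app = get_app(pub, https=True)
+    resp = app.get('/test/', status=200)
+    resp = resp.form.submit('submit')
+    assert resp.headers['Set-Cookie'].startswith('wcs-')
+    assert 'httponly' in resp.headers['Set-Cookie']
+    assert 'secure' in resp.headers['Set-Cookie']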
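Review bot: The negative check at new line 2766 reads better with the negated membership operator, `assert 'secure' not in resp.headers['Set-Cookie']`, matching the `not in` form already used a few lines above. The `httponly`/`secure` checks are case-sensitive substring matches on the raw header; cookie attribute names are case-insensitive, so asserting against `resp.headers['Set-Cookie'].lower()` keeps the test valid if the framework ever emits `HttpOnly`/`Secure`. The `formdef` binding is never read afterwards; calling `create_formdef()` without assigning the result makes it clear it is kept only for its side effect.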
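--- a/tests/utilities.py
+++ b/tests/utilities.py
@@ -148,9 +148,11 @@
             pass
         known_elements.sql_db_name = None
 
-def get_app(pub):
-    return TestApp(QWIP(pub), extra_environ={
-        'HTTP_HOST': 'example.net', 'REMOTE_ADDR': '127.0.0.1'})
+def get_app(pub, https=False):
+    extra_environ = {'HTTP_HOST': 'example.net', 'REMOTE_ADDR': '127.0.0.1'}
+    if https:
+        extra_environ['HTTPS'] = 'on'
+    return TestApp(QWIP(pub), extra_environ=extra_environ)
 
 def login(app, username='admin', password='admin'):
     login_page = app.get('/login/')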
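Review bot: `get_app` gains a behaviour-switching `https` parameter with no documentation of what it does to the test environment. A docstring such as `"""Return a TestApp for *pub*; with https=True the WSGI environ carries HTTPS=on so the publisher sees an https request."""` would say why the environ key is set, since the `'HTTPS'` key is presumably what the publisher's scheme detection consults — worth confirming against the server code. The default `https=False` keeps the existing positional callers (`get_app(pub)`) working unchanged.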
wcs/qommon/publisher.py
436 436
        self.logger.error_email = debug_cfg.get('error_email')
437 437
        self.config.display_exceptions = debug_cfg.get('display_exceptions')
438 438
        self.config.form_tokens = True
439
        self.config.session_cookie_httponly = True
439 440

  
440 441
        if request:
442
            if request.get_scheme() == 'https':
443
                self.config.session_cookie_secure = True
441 444
            canonical_hostname = request.get_server(clean = False).lower().split(':')[0].rstrip('.')
442 445
            if canonical_hostname.count('.') >= 2 and self.etld:
443 446
                try:
444
-