Author: issac
Date: Mon Nov 15 18:34:20 2010
New Revision: 1035390
URL: http://svn.apache.org/viewvc?rev=1035390&view=rev
Log:
HttpOnly cookie support
Modified:
httpd/apreq/trunk/CHANGES
httpd/apreq/trunk/glue/perl/lib/Apache2/Cookie.pm
httpd/apreq/trunk/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.pod
httpd/apreq/trunk/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.xs
httpd/apreq/trunk/include/apreq.h
httpd/apreq/trunk/include/apreq_cookie.h
httpd/apreq/trunk/library/cookie.c
httpd/apreq/trunk/module/t/c-modules/apreq_cookie_test/mod_apreq_cookie_test.c
httpd/apreq/trunk/module/t/cookie.t
Modified: httpd/apreq/trunk/CHANGES
URL:
http://svn.apache.org/viewvc/httpd/apreq/trunk/CHANGES?rev=1035390&r1=1035389&r2=1035390&view=diff
==============================================================================
--- httpd/apreq/trunk/CHANGES (original)
+++ httpd/apreq/trunk/CHANGES Mon Nov 15 18:34:20 2010
@@ -3,6 +3,10 @@
@section v2_13 Changes with libapreq2-2.13 (in development)
+- HTTP Only Cookie [Robert Stone & Adam Prime]
+ The C and Perl Cookie APIs now support an HttpOnly flag to tell
+ user agents to deny client-side script access to the cookie
+
@section v2_12 Changes with libapreq2-2.12 (released March 13, 2009)
- C API [joes]
Modified: httpd/apreq/trunk/glue/perl/lib/Apache2/Cookie.pm
URL:
http://svn.apache.org/viewvc/httpd/apreq/trunk/glue/perl/lib/Apache2/Cookie.pm?rev=1035390&r1=1035389&r2=1035390&view=diff
==============================================================================
--- httpd/apreq/trunk/glue/perl/lib/Apache2/Cookie.pm (original)
+++ httpd/apreq/trunk/glue/perl/lib/Apache2/Cookie.pm Mon Nov 15 18:34:20 2010
@@ -436,6 +436,20 @@ Get or set the secure flag for the cooki
+=head2 httponly
+
+ $cookie->httponly()
+ $cookie->httponly($set)
+
+Get or set the HttpOnly flag for the cookie:
+
+ $cookie->httponly(1);
+ $is_HttpOnly = $cookie->httponly;
+ $cookie->httponly(0);
+
+
+
+
=head2 comment
$cookie->comment()
Modified: httpd/apreq/trunk/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.pod
URL:
http://svn.apache.org/viewvc/httpd/apreq/trunk/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.pod?rev=1035390&r1=1035389&r2=1035390&view=diff
==============================================================================
--- httpd/apreq/trunk/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.pod
(original)
+++ httpd/apreq/trunk/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.pod Mon Nov
15 18:34:20 2010
@@ -117,6 +117,8 @@ The remaining arguments are optional:
=item -secure
+=item -httponly
+
=item -version
=item -path
@@ -235,6 +237,28 @@ Get/set the cookie's secure flag.
+=head2 httponly
+
+ $cookie->httponly()
+ $cookie->httponly($set)
+
+
+Get/set the cookie's HttpOnly flag.
+
+=for example begin
+
+ $cookie->httponly(1);
+ ok $cookie->httponly == 1;
+
+=for example end
+
+=for example_testing
+ $cookie->httponly(0);
+ is $cookie->httponly, 0, "HttpOnly";
+
+
+
+
=head2 version
$cookie->version()
Modified: httpd/apreq/trunk/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.xs
URL:
http://svn.apache.org/viewvc/httpd/apreq/trunk/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.xs?rev=1035390&r1=1035389&r2=1035390&view=diff
==============================================================================
--- httpd/apreq/trunk/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.xs
(original)
+++ httpd/apreq/trunk/glue/perl/xsbuilder/APR/Request/Cookie/Cookie.xs Mon Nov
15 18:34:20 2010
@@ -74,6 +74,23 @@ secure(obj, val=NULL)
RETVAL
UV
+httponly(obj, val=NULL)
+ APR::Request::Cookie obj
+ SV *val
+
+ CODE:
+ RETVAL = apreq_cookie_is_httponly(obj);
+ if (items == 2) {
+ if (SvTRUE(val))
+ apreq_cookie_httponly_on(obj);
+ else
+ apreq_cookie_httponly_off(obj);
+ }
+
+ OUTPUT:
+ RETVAL
+
+UV
version(obj, val=0)
APR::Request::Cookie obj
UV val
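Review bot: The setter path returns the flag's value from before the assignment, because `RETVAL` is computed on the line ahead of the `items == 2` block, and neither this hunk nor the accompanying POD entries say so; a comment such as `/* RETVAL is the previous value; the new value is applied only when called with an argument */` above the CODE section, plus a matching sentence in the httponly POD entry, would stop callers assuming `$cookie->httponly(1)` returns 1. The layout appears to mirror secure() just above, whose body is outside the hunk, so if that accessor is documented the same way the two descriptions should agree.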
Modified: httpd/apreq/trunk/include/apreq.h
URL:
http://svn.apache.org/viewvc/httpd/apreq/trunk/include/apreq.h?rev=1035390&r1=1035389&r2=1035390&view=diff
==============================================================================
--- httpd/apreq/trunk/include/apreq.h (original)
+++ httpd/apreq/trunk/include/apreq.h Mon Nov 15 18:34:20 2010
@@ -188,6 +188,19 @@
*/
#define APREQ_COOKIE_SECURE_MASK 1
+/**
+ * Cookie's HttpOnly Bit
+ * @see APREQ_FLAGS_OFF @see APREQ_FLAGS_ON
+ * @see APREQ_FLAGS_GET @see APREQ_FLAGS_SET
+ */
+#define APREQ_COOKIE_HTTPONLY_BIT 14
+/**
+ * Cookie's HttpOnly Mask
+ * @see APREQ_FLAGS_OFF @see APREQ_FLAGS_ON
+ * @see APREQ_FLAGS_GET @see APREQ_FLAGS_SET
+ */
+#define APREQ_COOKIE_HTTPONLY_MASK 1
+
/** Character encodings. */
typedef enum {
APREQ_CHARSET_ASCII =0,
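Review bot: `APREQ_COOKIE_HTTPONLY_BIT 14` claims a new position in the shared flags word, and nothing in the hunk shows that 14 is free of the other `APREQ_*_BIT` definitions or that it fits the width the `APREQ_FLAGS_*` macros assume; those definitions sit outside the hunk. A comment on the define listing the neighbouring cookie flag bit allocations, or a build-time check that the masked bit ranges do not overlap, would let a reader verify the choice without reopening the header.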
Modified: httpd/apreq/trunk/include/apreq_cookie.h
URL:
http://svn.apache.org/viewvc/httpd/apreq/trunk/include/apreq_cookie.h?rev=1035390&r1=1035389&r2=1035390&view=diff
==============================================================================
--- httpd/apreq/trunk/include/apreq_cookie.h (original)
+++ httpd/apreq/trunk/include/apreq_cookie.h Mon Nov 15 18:34:20 2010
@@ -107,6 +107,27 @@ void apreq_cookie_secure_off(apreq_cooki
APREQ_FLAGS_OFF(c->flags, APREQ_COOKIE_SECURE);
}
+/** @return 1 if the HttpOnly flag is set, 0 otherwise. */
+static APR_INLINE
+unsigned apreq_cookie_is_httponly(const apreq_cookie_t *c) {
+ return APREQ_FLAGS_GET(c->flags, APREQ_COOKIE_HTTPONLY);
+}
+
+/** Sets the cookie's HttpOnly flag, meaning it is not
+ * accessible through client-side script in supported
+ * browsers.
+ */
+static APR_INLINE
+void apreq_cookie_httponly_on(apreq_cookie_t *c) {
+ APREQ_FLAGS_ON(c->flags, APREQ_COOKIE_HTTPONLY);
+}
+
+/** Turns off the cookie's HttpOnly flag. */
+static APR_INLINE
+void apreq_cookie_httponly_off(apreq_cookie_t *c) {
+ APREQ_FLAGS_OFF(c->flags, APREQ_COOKIE_HTTPONLY);
+}
+
/** @return 1 if the taint flag is set, 0 otherwise. */
static APR_INLINE
Modified: httpd/apreq/trunk/library/cookie.c
URL:
http://svn.apache.org/viewvc/httpd/apreq/trunk/library/cookie.c?rev=1035390&r1=1035389&r2=1035390&view=diff
==============================================================================
--- httpd/apreq/trunk/library/cookie.c (original)
+++ httpd/apreq/trunk/library/cookie.c Mon Nov 15 18:34:20 2010
@@ -119,6 +119,13 @@ static apr_status_t apreq_cookie_attr(ap
apreq_cookie_secure_off(c);
return APR_SUCCESS;
+ case 'h': /* httponly */
+ if (vlen > 0 && *val != '0' && strncasecmp("off",val,vlen))
+ apreq_cookie_httponly_on(c);
+ else
+ apreq_cookie_httponly_off(c);
+ return APR_SUCCESS;
+
};
return APR_ENOTIMPL;
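Review bot: The new `case 'h'` clears the flag when `vlen == 0`, so a value-less `HttpOnly` token, which is how the attribute appears in a Set-Cookie header, would be read as off if the caller ever reaches this function with an empty value; whether that happens depends on the tokenizer upstream of apreq_cookie_attr, whose body starts outside the hunk. The condition mirrors the `secure` case directly above it, so if value-less flags are meant to be accepted both cases should change together, e.g. `if (vlen == 0 || (*val != '0' && strncasecmp("off", val, vlen)))`. Note also that `strncasecmp("off", val, vlen)` compares only `vlen` bytes, so a one-character value `o` is treated as `off`, and `case 'h'` dispatches on the first letter alone; I cannot see from this hunk whether the sibling cases check `alen` or the full attribute name, so a comment such as `/* any attribute beginning with 'h' */` or an explicit name check would make the intent clear.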
@@ -468,6 +475,11 @@ APREQ_DECLARE(int) apreq_cookie_serializ
if (apreq_cookie_is_secure(c))
strcpy(f, "; secure");
+ f += strlen(f);
+
+ if (apreq_cookie_is_httponly(c))
+ strcpy(f, "; HttpOnly");
+
return apr_snprintf(buf, len, format, c->v.name, c->v.data,
NULL2EMPTY(c->path), NULL2EMPTY(c->domain), expires);
}
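Review bot: The extra `strcpy(f, "; HttpOnly")` appends ten more bytes to the format string being built through `f` with no bounds check, and the buffer `f` points into is declared outside the hunk; its size needs to be confirmed to have that much headroom with every other attribute present, since the same unchecked append now exists in both serializers (this hunk and the Version=1 hunk below it). A static size assertion, or a comment next to the format buffer's declaration recording the new worst-case length, would make this auditable. The `f += strlen(f)` inserted before the new test is correct whether or not secure was appended, because `f` already sits on the terminator in the not-secure case.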
@@ -502,6 +514,11 @@ APREQ_DECLARE(int) apreq_cookie_serializ
if (apreq_cookie_is_secure(c))
strcpy(f, "; secure");
+ f += strlen(f);
+
+ if (apreq_cookie_is_httponly(c))
+ strcpy(f, "; HttpOnly");
+
return apr_snprintf(buf, len, format, c->v.name, c->v.data, version,
NULL2EMPTY(c->path), NULL2EMPTY(c->domain),
NULL2EMPTY(c->port), NULL2EMPTY(c->comment),
Modified:
httpd/apreq/trunk/module/t/c-modules/apreq_cookie_test/mod_apreq_cookie_test.c
URL:
http://svn.apache.org/viewvc/httpd/apreq/trunk/module/t/c-modules/apreq_cookie_test/mod_apreq_cookie_test.c?rev=1035390&r1=1035389&r2=1035390&view=diff
==============================================================================
---
httpd/apreq/trunk/module/t/c-modules/apreq_cookie_test/mod_apreq_cookie_test.c
(original)
+++
httpd/apreq/trunk/module/t/c-modules/apreq_cookie_test/mod_apreq_cookie_test.c
Mon Nov 15 18:34:20 2010
@@ -80,6 +80,11 @@ static int apreq_cookie_test_handler(req
apr_table_add(r->headers_out, "Set-Cookie2",
apreq_cookie_as_string(cookie, r->pool));
}
+ else if (strcmp(test, "httponly") == 0) {
+ apreq_cookie_httponly_on(cookie);
+ apr_table_add(r->headers_out, "Set-Cookie",
+ apreq_cookie_as_string(cookie, r->pool));
+ }
else {
size = strlen(cookie->v.data);
dest = apr_palloc(r->pool, size + 1);
Modified: httpd/apreq/trunk/module/t/cookie.t
URL:
http://svn.apache.org/viewvc/httpd/apreq/trunk/module/t/cookie.t?rev=1035390&r1=1035389&r2=1035390&view=diff
==============================================================================
--- httpd/apreq/trunk/module/t/cookie.t (original)
+++ httpd/apreq/trunk/module/t/cookie.t Mon Nov 15 18:34:20 2010
@@ -6,7 +6,7 @@ use Apache::Test;
use Apache::TestUtil;
use Apache::TestRequest qw(GET_BODY GET_HEAD);
-plan tests => 5, need_lwp;
+plan tests => 6, need_lwp;
require HTTP::Cookies;
@@ -47,7 +47,6 @@ my $location = "/apreq_cookie_test";
my $cookie = "$key=$value";
my ($header) = GET_HEAD("$location?test=$test&key=$key",
Cookie => $cookie) =~ /^#Set-Cookie:\s+(.+)/m;
-
ok t_cmp($header, $cookie, $test);
}
{
@@ -59,3 +58,12 @@ my $location = "/apreq_cookie_test";
Cookie => $cookie) =~ /^#Set-Cookie2:\s+(.+)/m;
ok t_cmp($header, qq{$key="$value"; Version=1; path="$location"}, $test);
}
+{
+ my $test = 'httponly';
+ my $key = 'apache';
+ my $value = 'ok';
+ my $cookie = "$key=$value; HttpOnly";
+ my ($header) = GET_HEAD("$location?test=$test&key=$key",
+ Cookie => $cookie) =~ /^#Set-Cookie:\s+(.+)/m;
+ ok t_cmp($header, $cookie, $test);
+}
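Review bot: The new case sends `HttpOnly` in the request `Cookie` header, but the handler for `test=httponly` in mod_apreq_cookie_test.c (same commit) calls apreq_cookie_httponly_on unconditionally before serializing, so the assertion only proves that the flag is rendered as `; HttpOnly`, not that `-httponly` or the new `case 'h'` attribute parser sets it. A companion test that omits the flag from the request and checks it is still emitted, or one that goes through the Perl API's `-httponly` argument, would cover the parse side; a comment such as `# exercises serialization only; the handler forces the flag on` would at least record the scope. A user agent never sends HttpOnly in a Cookie header, so matching the request string against the response is a convenience rather than a protocol check.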