Your message dated Sat, 16 Jun 2007 07:20:00 +0930
with message-id <[EMAIL PROTECTED]>
and subject line apache has been removed from unstable
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libapache-request-perl
Version: 1.33-1
Severity: wishlist

        As best I can tell Apache::Cookie has no direct way to add the
HttpOnly flag to the cookies it sets.  Although browser support for this
feature is still spotty, it is a useful measure to limit the impact of
cross-site scripting attacks in supported browsers.
        http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
provides some info on the intended syntax and support.

                                                Thanks,
                                                Robert Stone
diff -Naur libapache-request-perl-1.33.old/c/apache_cookie.c 
libapache-request-perl-1.33/c/apache_cookie.c
--- libapache-request-perl-1.33.old/c/apache_cookie.c   2004-11-26 
15:02:03.000000000 -0800
+++ libapache-request-perl-1.33/c/apache_cookie.c       2007-02-21 
15:42:01.924134177 -0800
@@ -59,6 +59,14 @@
        }
        retval = c->secure ? "on" : "";
        break;
+    case 'h':
+       if(val) {
+           c->httponly =
+               !strcaseEQ(val, "off") &&
+               !strcaseEQ(val, "0");
+       }
+       retval = c->httponly ? "on" : "";
+       break;
     default:
        ap_log_rerror(APC_ERROR,
                      "[libapreq] unknown cookie pair: `%s' => `%s'", key, val);
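
Review bot: In the new case 'h' branch, the test !strcaseEQ(val, "off") && !strcaseEQ(val, "0") turns the flag on for every other string, including the empty string, "no" and "false". Failing toward on is the safe direction for HttpOnly, but it should be deliberate: add a comment saying so, or accept an explicit set of true values and log anything else the way the default: branch does. The branch is also selected by the single character 'h', so a comparison against the full attribute name before assigning c->httponly would make the match explicit.
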
@@ -78,6 +86,7 @@
     c->r = r;
     c->values = ap_make_array(r->pool, 1, sizeof(char *));
     c->secure = 0;
+    c->httponly = 0;
     c->name = c->expires = NULL;
 
     c->domain = NULL;
@@ -201,6 +210,9 @@
     if (c->secure) {
        cookie_push_arr(values, "secure");
     }
+    if(c->httponly) {
+       cookie_push_arr(values, "HttpOnly");
+    }
 
     cookie = ap_pstrcat(p, escape_url(p, c->name), "=", NULL);
     for (i=0; i<c->values->nelts; i++) {
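
Review bot: Style point on the added if(c->httponly) { line: the context line directly above it is written if (c->secure) { with a space after the keyword, so the new block should match (the same applies to if(val) in the first hunk of this file). The attribute itself is pushed as a bare HttpOnly token next to secure, which is the valueless form browsers expect.
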
diff -Naur libapache-request-perl-1.33.old/c/apache_cookie.h 
libapache-request-perl-1.33/c/apache_cookie.h
--- libapache-request-perl-1.33.old/c/apache_cookie.h   2004-11-26 
15:02:03.000000000 -0800
+++ libapache-request-perl-1.33/c/apache_cookie.h       2007-02-21 
15:45:47.076077858 -0800
@@ -29,6 +29,7 @@
     char *expires;
     char *path;
     int secure;
+    int httponly;
 } ApacheCookie;
 
 #ifdef  __cplusplus
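
Review bot: Adding int httponly; to ApacheCookie changes the size of a struct declared in a header that carries a __cplusplus guard, which suggests it is meant for outside callers. Placing the member last keeps the offsets of the existing fields, but any code built against the old header that allocates or copies an ApacheCookie by sizeof will be out of step with the new library. Call the change out in the changelog and rebuild dependents together with the library.
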
diff -Naur libapache-request-perl-1.33.old/Cookie/Cookie.pm 
libapache-request-perl-1.33/Cookie/Cookie.pm
--- libapache-request-perl-1.33.old/Cookie/Cookie.pm    2004-11-26 
15:02:04.000000000 -0800
+++ libapache-request-perl-1.33/Cookie/Cookie.pm        2007-02-21 
17:27:45.176540603 -0800
@@ -146,6 +146,13 @@
  my $secure = $cookie->secure;
  $cookie->secure(1);
 
+=head2 httponly
+
+Get or set the HttpOnly flag for the cookie:
+
+ my $HttpOnly = $cookie->httponly;
+ $cookie->httponly(1);
+
 =back
 
 =head1 CAVEATS
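
Review bot: The new entry is a =head2 placed immediately before =back, so it sits inside an =over list; if the neighbouring accessors are =item entries, this one should be an =item as well so the rendered page stays consistent. The text should also say what the flag does and what the getter returns (the C side returns "on" or an empty string), and $HttpOnly would read better as $httponly to match my $secure in the context above.
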
diff -Naur libapache-request-perl-1.33.old/Cookie/Cookie.xs 
libapache-request-perl-1.33/Cookie/Cookie.xs
--- libapache-request-perl-1.33.old/Cookie/Cookie.xs    2004-12-06 
06:49:46.000000000 -0800
+++ libapache-request-perl-1.33/Cookie/Cookie.xs        2007-02-21 
17:28:25.687726275 -0800
@@ -130,6 +130,9 @@
 #define ApacheCookie_secure(c, val) \
 ApacheCookie_attr(c, "secure", val)
 
+#define ApacheCookie_httponly(c, val) \
+ApacheCookie_attr(c, "httponly", val)
+
 MODULE = Apache::Cookie    PACKAGE = Apache::Cookie   PREFIX = ApacheCookie_
 
 PROTOTYPES: DISABLE 
@@ -297,6 +300,11 @@
     Apache::Cookie c
     char *val
 
+char *
+ApacheCookie_httponly(c, val=NULL)
+    Apache::Cookie c
+    char *val
+
 void
 ApacheCookie_bake(c)
     Apache::Cookie c
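
Review bot: The new ApacheCookie_httponly accessor arrives without a test; none of the five files this patch touches is a test file. Add one case that sets httponly and checks that the baked cookie string contains HttpOnly, and one that checks the attribute is absent by default, so the c->httponly = 0 initialisation and the cookie_push_arr call are both exercised.
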
diff -Naur libapache-request-perl-1.33.old/libapreq.pod 
libapache-request-perl-1.33/libapreq.pod
--- libapache-request-perl-1.33.old/libapreq.pod        2004-11-26 
15:02:04.000000000 -0800
+++ libapache-request-perl-1.33/libapreq.pod    2007-02-21 17:26:16.902210826 
-0800
@@ -243,6 +243,12 @@
 of I<On> or I<Off>.  
 The default is I<Off>.
 
+=item -httponly
+
+Sets the I<HttpOnly> field to true or false using a given string value
+of I<On> or I<Off>.  
+The default is I<Off>.
+
 =back
 
 Example:
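
Review bot: The -httponly description says the value is a string of On or Off, but the Cookie.pm example in this same patch calls httponly(1), and the C code also accepts "0" and treats any other string as on. List the accepted values here, and add one sentence on what HttpOnly is for (supporting browsers withhold the cookie from client-side script), since the current text only names the field.
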

--- End Message ---
--- Begin Message ---
Hi,

The apache package has now been removed from unstable, so this
package is obsolete.  If you still have this problem with the
libapache2-request-perl package, please file a report (or reopen
and reassign this one) against it.

Cheers,
Ron


--- End Message ---
