This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git


The following commit(s) were added to refs/heads/master by this push:
     new 07d0f23  [#8362] Add secure attr to several cookies
07d0f23 is described below

commit 07d0f23cb0216f5edeaa188fe02120fe193170ab
Author: Kenton Taylor <ktay...@slashdotmedia.com>
AuthorDate: Fri May 29 14:54:13 2020 +0000

    [#8362] Add secure attr to several cookies
---
 Allura/allura/lib/custom_middleware.py         |  3 ++-
 Allura/allura/lib/decorators.py                |  2 +-
 Allura/allura/lib/plugin.py                    |  3 ++-
 Allura/allura/public/nf/js/allura-base.js      |  3 ++-
 Allura/allura/public/nf/js/maximize-content.js |  2 +-
 Allura/allura/public/nf/js/memorable.js        |  2 +-
 Allura/allura/tests/test_plugin.py             | 15 +++++++++++----
 7 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/Allura/allura/lib/custom_middleware.py 
b/Allura/allura/lib/custom_middleware.py
index 1b21f92..649b978 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -214,9 +214,10 @@ class CSRFMiddleware(object):
 
         def session_start_response(status, headers, exc_info=None):
             if dict(headers).get('Content-Type', '').startswith('text/html'):
+                use_secure = 'secure; ' if environ['beaker.session'].secure 
else ''
                 headers.append(
                     (str('Set-cookie'),
-                     str('%s=%s; Path=/' % (self._cookie_name, cookie))))
+                     str('%s=%s; %sPath=/' % (self._cookie_name, cookie, 
use_secure))))
             return start_response(status, headers, exc_info)
 
         return self._app(environ, session_start_response)
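Review bot: The CSRF token cookie assembled on the `headers.append` line still carries no `SameSite` attribute, which is the attribute most directly relevant to a CSRF cookie and costs nothing to add beside the new `use_secure` prefix: `str('%s=%s; %sSameSite=Lax; Path=/' % (self._cookie_name, cookie, use_secure))`. `HttpOnly` is presumably omitted on purpose because client-side code submits the token, so I am not suggesting it. Note that `environ['beaker.session']` is now a hard requirement of this middleware: a deployment that stacks it before the session middleware gets a KeyError on every HTML response rather than a cookie without the flag, which deserves a one-line comment such as `# requires SessionMiddleware to run before us`. The enclosing `__call__` starts outside the hunk.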
diff --git a/Allura/allura/lib/decorators.py b/Allura/allura/lib/decorators.py
index a4b9bd2..7eaeb22 100644
--- a/Allura/allura/lib/decorators.py
+++ b/Allura/allura/lib/decorators.py
@@ -219,7 +219,7 @@ def memorable_forget():
         :param raised: any error (redirect or exception) raised by the 
controller action
         """
         if _ok_to_forget(response, controller_result, raised):
-            response.set_cookie('memorable_forget', request.path)
+            response.set_cookie('memorable_forget', request.path, 
secure=request.environ['beaker.session'].secure)
 
     @decorator
     def _inner(func, *args, **kwargs):
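Review bot: The `set_cookie` call gains `secure=` but nothing records why `httponly` is not set next to it, and the next person hardening cookies will likely add it and break the client side: memorable.js clears `memorable_forget` with `$.removeCookie`, so the cookie has to remain script-accessible. A comment above the call, `# not httponly: memorable.js clears this cookie client-side`, prevents that. The expression `request.environ['beaker.session'].secure` now appears at three call sites in this commit; a small helper (for example in allura.lib.utils) would keep the policy in one place and give one spot to decide what to do for a request that carries no beaker session. The enclosing decorator function starts outside the hunk.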
diff --git a/Allura/allura/lib/plugin.py b/Allura/allura/lib/plugin.py
index a79750c..bcf6527 100644
--- a/Allura/allura/lib/plugin.py
+++ b/Allura/allura/lib/plugin.py
@@ -261,7 +261,7 @@ class AuthenticationProvider(object):
         self.session.invalidate()
         self.session.save()
         response.delete_cookie('allura-loggedin')
-        response.set_cookie('memorable_forget', '/')
+        response.set_cookie('memorable_forget', '/', 
secure=request.environ['beaker.session'].secure)
 
     def validate_password(self, user, password):
         '''Check that provided password matches actual user password
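Review bot: The `secure=` flag on the new `memorable_forget` cookie mirrors the session configuration rather than the scheme of the request that triggered the logout, and a reader will expect the latter, so a comment is warranted: `# Secure mirrors the session cookie: if that one can be stored, so can this`. Under that policy a logout served over plain HTTP while `beaker.session.secure` is on has the browser discard the cookie and the client-side forget in memorable.js never fires, which is presumably acceptable since the session cookie would not be stored either, but it should be a documented choice rather than a surprise. The enclosing method starts outside the hunk.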
@@ -1554,6 +1554,7 @@ class ThemeProvider(object):
         response.set_cookie(
             'site-notification',
             set_cookie,
+            secure=request.environ['beaker.session'].secure,
             max_age=timedelta(days=365))
         return note
 
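Review bot: The `site-notification` cookie has two writers, this `set_cookie` call and the `$.cookie` call in allura-base.js, and only the JavaScript side pins `path: '/'` explicitly while this side relies on the library default. If those ever diverge the browser keeps two same-named cookies and `request.cookies` returns whichever it sees first, so pass `path='/',` here explicitly to make the match visible alongside the new `secure=` line. `httponly` cannot be added because the JavaScript rewrites the value, which is worth a comment such as `# not httponly: allura-base.js updates this cookie client-side`.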
diff --git a/Allura/allura/public/nf/js/allura-base.js 
b/Allura/allura/public/nf/js/allura-base.js
index 6a4fd10..a4031d6 100644
--- a/Allura/allura/public/nf/js/allura-base.js
+++ b/Allura/allura/public/nf/js/allura-base.js
@@ -218,7 +218,8 @@ $(function(){
         cookie = cookie.replace(new RegExp(note_id + '-([0-9]+)-False'), 
note_id + '-$1-True');
         $.cookie('site-notification', cookie, {
             expires: 365,
-            path: '/'
+            path: '/',
+            secure: top.location.protocol==='https:' ? true : false
         });
         e.preventDefault();
         return false;
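Review bot: Reading `top.location.protocol` on the new `secure:` line throws a SecurityError when the page is embedded in a frame served from another origin, because `top` is then a cross-origin window whose `location` only exposes the `href` setter, and the click handler would die before reaching `e.preventDefault()`. The scheme that matters for the cookie is the document's own, so `secure: window.location.protocol === 'https:'` is both safe under framing and drops the redundant `? true : false` around an expression that is already a boolean. The same `top.location` pattern is introduced in maximize-content.js and memorable.js in this commit.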
diff --git a/Allura/allura/public/nf/js/maximize-content.js 
b/Allura/allura/public/nf/js/maximize-content.js
index 7202125..881ab46 100644
--- a/Allura/allura/public/nf/js/maximize-content.js
+++ b/Allura/allura/public/nf/js/maximize-content.js
@@ -25,7 +25,7 @@ $(document).ready(function () {
     $('#maximize-content, #restore-content').click(function (e) {
         $('body').toggleClass('content-maximized');
         var is_visible = $(".content-maximized").is(":visible") ? 'true' : 
'false';
-        $.cookie('maximizeView', is_visible);
+        $.cookie('maximizeView', is_visible, {secure: 
top.location.protocol==='https:' ? true : false});
 
         e.preventDefault();
         return false;
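Review bot: `top.location.protocol==='https:' ? true : false` on the `$.cookie('maximizeView', ...)` line wraps a comparison that already yields a boolean, and it reads the cross-origin-sensitive `top` rather than the page's own location; `$.cookie('maximizeView', is_visible, {secure: window.location.protocol === 'https:'});` says the same thing more directly. The spacing around `===` and the ternary on the line above (`? 'true' : 'false'`) suggests the file's style uses spaces around operators, which the new line does not.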
diff --git a/Allura/allura/public/nf/js/memorable.js 
b/Allura/allura/public/nf/js/memorable.js
index e756cea..9ef07a7 100644
--- a/Allura/allura/public/nf/js/memorable.js
+++ b/Allura/allura/public/nf/js/memorable.js
@@ -264,7 +264,7 @@ Memorable.forget = function(key_prefix){
                 localStorage.removeItem(localStorage.key(i));
             }
         }
-        $.removeCookie('memorable_forget', { path: '/' });
+        $.removeCookie('memorable_forget', { path: '/', secure: 
top.location.protocol==='https:' ? true : false });
     }
 };
 
diff --git a/Allura/allura/tests/test_plugin.py 
b/Allura/allura/tests/test_plugin.py
index e615b74..04cd893 100644
--- a/Allura/allura/tests/test_plugin.py
+++ b/Allura/allura/tests/test_plugin.py
@@ -338,9 +338,11 @@ class TestThemeProvider_notifications(object):
         note.page_tool_type = None
         SiteNotification.actives.return_value = [note]
         request.cookies = {'site-notification': 'deadbeef-1-false'}
+        request.environ['beaker.session'].secure = False
+
         assert_is(ThemeProvider().get_site_notification(), note)
         response.set_cookie.assert_called_once_with(
-            'site-notification', 'deadbeef-2-False', 
max_age=dt.timedelta(days=365))
+            'site-notification', 'deadbeef-2-False', 
max_age=dt.timedelta(days=365), secure=False)
 
     @patch('allura.lib.plugin.c', MagicMock())
     @patch('allura.model.notification.SiteNotification')
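Review bot: Every updated test pins `request.environ['beaker.session'].secure = False`, so nothing in the suite verifies that a secure session produces `secure=True` on the `site-notification` cookie, which is the behaviour this commit adds; a regression that hard-codes `secure=False` in plugin.py would pass unchanged. One additional case with `request.environ['beaker.session'].secure = True` and `secure=True` in the `assert_called_once_with` expectation closes that gap. The surrounding test class continues outside the hunk.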
@@ -370,9 +372,11 @@ class TestThemeProvider_notifications(object):
         note.page_tool_type = None
         SiteNotification.actives.return_value = [note]
         request.cookies = {'site-notification': '0ddba11-1000-true'}
+        request.environ['beaker.session'].secure = False
+
         assert_is(ThemeProvider().get_site_notification(), note)
         response.set_cookie.assert_called_once_with(
-            'site-notification', 'deadbeef-1-False', 
max_age=dt.timedelta(days=365))
+            'site-notification', 'deadbeef-1-False', 
max_age=dt.timedelta(days=365), secure=False)
 
     @patch('allura.lib.plugin.c', MagicMock())
     @patch('allura.model.notification.SiteNotification')
@@ -387,9 +391,10 @@ class TestThemeProvider_notifications(object):
         note.page_tool_type = None
         SiteNotification.actives.return_value = [note]
         request.cookies = {}
+        request.environ['beaker.session'].secure = False
         assert_is(ThemeProvider().get_site_notification(), note)
         response.set_cookie.assert_called_once_with(
-            'site-notification', 'deadbeef-1-False', 
max_age=dt.timedelta(days=365))
+            'site-notification', 'deadbeef-1-False', 
max_age=dt.timedelta(days=365), secure=False)
 
     @patch('allura.lib.plugin.c', MagicMock())
     @patch('allura.model.notification.SiteNotification')
@@ -404,9 +409,11 @@ class TestThemeProvider_notifications(object):
         note.page_tool_type = None
         SiteNotification.actives.return_value = [note]
         request.cookies = {'site-notification': 'deadbeef-1000-true-bad'}
+        request.environ['beaker.session'].secure = False
+
         assert_is(ThemeProvider().get_site_notification(), note)
         response.set_cookie.assert_called_once_with(
-            'site-notification', 'deadbeef-1-False', 
max_age=dt.timedelta(days=365))
+            'site-notification', 'deadbeef-1-False', 
max_age=dt.timedelta(days=365), secure=False)
 
     @patch('allura.lib.plugin.c')
     @patch('allura.model.notification.SiteNotification')
