This is an automated email from the ASF dual-hosted git repository. brondsem pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/allura.git
The following commit(s) were added to refs/heads/master by this push: new 07d0f23 [#8362] Add secure attr to several cookies 07d0f23 is described below commit 07d0f23cb0216f5edeaa188fe02120fe193170ab Author: Kenton Taylor <ktay...@slashdotmedia.com> AuthorDate: Fri May 29 14:54:13 2020 +0000 [#8362] Add secure attr to several cookies
---
 Allura/allura/lib/custom_middleware.py | 3 ++-
 Allura/allura/lib/decorators.py | 2 +-
 Allura/allura/lib/plugin.py | 3 ++-
 Allura/allura/public/nf/js/allura-base.js | 3 ++-
 Allura/allura/public/nf/js/maximize-content.js | 2 +-
 Allura/allura/public/nf/js/memorable.js | 2 +-
 Allura/allura/tests/test_plugin.py | 15 +++++++++++----
 7 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index 1b21f92..649b978 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -214,9 +214,10 @@ class CSRFMiddleware(object):
 def session_start_response(status, headers, exc_info=None):
 if dict(headers).get('Content-Type', '').startswith('text/html'):
+ use_secure = 'secure; ' if environ['beaker.session'].secure else ''
 headers.append(
 (str('Set-cookie'),
- str('%s=%s; Path=/' % (self._cookie_name, cookie))))
+ str('%s=%s; %sPath=/' % (self._cookie_name, cookie, use_secure))))
 return start_response(status, headers, exc_info)
 return self._app(environ, session_start_response)
diff --git a/Allura/allura/lib/decorators.py b/Allura/allura/lib/decorators.py
index a4b9bd2..7eaeb22 100644
--- a/Allura/allura/lib/decorators.py
+++ b/Allura/allura/lib/decorators.py
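Review bot: Nothing in this commit tests the new `use_secure` branch of `session_start_response`; the diffstat shows test_plugin.py as the only test file touched, so neither the `secure; ` form nor the unchanged form of the `Set-cookie` header is pinned. A test that invokes the middleware with a stub `environ['beaker.session']` whose `secure` is True, then False, and asserts on the appended header would cover both paths. The new line also indexes `environ['beaker.session']` directly, so if this middleware ever runs without Beaker's session middleware ahead of it, every HTML response would fail with KeyError instead of merely omitting the attribute — presumably the WSGI stack guarantees the key, and a one-line comment such as `# relies on beaker SessionMiddleware having populated environ` would record that assumption. The method that defines `session_start_response` starts before the hunk.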
@@ -219,7 +219,7 @@ def memorable_forget():
 :param raised: any error (redirect or exception) raised by the controller action
 """
 if _ok_to_forget(response, controller_result, raised):
- response.set_cookie('memorable_forget', request.path)
+ response.set_cookie('memorable_forget', request.path, secure=request.environ['beaker.session'].secure)
 @decorator
 def _inner(func, *args, **kwargs):
diff --git a/Allura/allura/lib/plugin.py b/Allura/allura/lib/plugin.py
index a79750c..bcf6527 100644
--- a/Allura/allura/lib/plugin.py
+++ b/Allura/allura/lib/plugin.py
@@ -261,7 +261,7 @@ class AuthenticationProvider(object):
 self.session.invalidate()
 self.session.save()
 response.delete_cookie('allura-loggedin')
- response.set_cookie('memorable_forget', '/')
+ response.set_cookie('memorable_forget', '/', secure=request.environ['beaker.session'].secure)
 def validate_password(self, user, password):
 '''Check that provided password matches actual user password
@@ -1554,6 +1554,7 @@ class ThemeProvider(object):
 response.set_cookie(
 'site-notification',
 set_cookie,
+ secure=request.environ['beaker.session'].secure,
 max_age=timedelta(days=365))
 return note
diff --git a/Allura/allura/public/nf/js/allura-base.js b/Allura/allura/public/nf/js/allura-base.js
index 6a4fd10..a4031d6 100644
--- a/Allura/allura/public/nf/js/allura-base.js
+++ b/Allura/allura/public/nf/js/allura-base.js
@@ -218,7 +218,8 @@ $(function(){
 cookie = cookie.replace(new RegExp(note_id + '-([0-9]+)-False'), note_id + '-$1-True');
 $.cookie('site-notification', cookie, {
 expires: 365,
- path: '/'
+ path: '/',
+ secure: top.location.protocol==='https:' ? true : false
 });
 e.preventDefault();
 return false;
diff --git a/Allura/allura/public/nf/js/maximize-content.js b/Allura/allura/public/nf/js/maximize-content.js
index 7202125..881ab46 100644
--- a/Allura/allura/public/nf/js/maximize-content.js
+++ b/Allura/allura/public/nf/js/maximize-content.js
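Review bot: `request.environ['beaker.session'].secure` is now spelled out in full here and again in both plugin.py hunks (the logout path at line 261 and `ThemeProvider` at line 1554), with the `environ['beaker.session'].secure` variant in custom_middleware.py; a single helper next to these callers, e.g. `def _cookie_secure(request): return request.environ['beaker.session'].secure`, would keep the four sites consistent and give one place to change if the policy ever moves from session config to the request scheme. The new `set_cookie` call here is also well over 100 characters and reads better split across lines. Of the three Python call sites only the `ThemeProvider` one gets a test in this commit; the decorator and logout paths have none. `memorable_forget` begins before the hunk and `_inner` continues after it.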
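Review bot: `top.location.protocol==='https:' ? true : false` is a redundant ternary — the strict comparison already yields a boolean — and the same expression is repeated in the maximize-content.js and memorable.js hunks; `secure: window.location.protocol === 'https:'` says the same thing in each place. Reading `top.location` can also throw a SecurityError when the page is embedded in a cross-origin frame, whereas `window.location` describes the document's own scheme and is always readable, so the shorter form is the safer one too. Note that the client derives the flag from the page scheme while the Python side derives it from the Beaker session configuration; the two agree as long as a secure-session site is served over HTTPS only, which is presumably the deployment assumption, but a short comment stating it would help the next reader.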
@@ -25,7 +25,7 @@ $(document).ready(function () {
 $('#maximize-content, #restore-content').click(function (e) {
 $('body').toggleClass('content-maximized');
 var is_visible = $(".content-maximized").is(":visible") ? 'true' : 'false';
- $.cookie('maximizeView', is_visible);
+ $.cookie('maximizeView', is_visible, {secure: top.location.protocol==='https:' ? true : false});
 e.preventDefault();
 return false;
diff --git a/Allura/allura/public/nf/js/memorable.js b/Allura/allura/public/nf/js/memorable.js
index e756cea..9ef07a7 100644
--- a/Allura/allura/public/nf/js/memorable.js
+++ b/Allura/allura/public/nf/js/memorable.js
@@ -264,7 +264,7 @@ Memorable.forget = function(key_prefix){
 localStorage.removeItem(localStorage.key(i));
 }
 }
- $.removeCookie('memorable_forget', { path: '/' });
+ $.removeCookie('memorable_forget', { path: '/', secure: top.location.protocol==='https:' ? true : false });
 }
 };
diff --git a/Allura/allura/tests/test_plugin.py b/Allura/allura/tests/test_plugin.py
index e615b74..04cd893 100644
--- a/Allura/allura/tests/test_plugin.py
+++ b/Allura/allura/tests/test_plugin.py
@@ -338,9 +338,11 @@ class TestThemeProvider_notifications(object):
 note.page_tool_type = None
 SiteNotification.actives.return_value = [note]
 request.cookies = {'site-notification': 'deadbeef-1-false'}
+ request.environ['beaker.session'].secure = False
+
 assert_is(ThemeProvider().get_site_notification(), note)
 response.set_cookie.assert_called_once_with(
- 'site-notification', 'deadbeef-2-False', max_age=dt.timedelta(days=365))
+ 'site-notification', 'deadbeef-2-False', max_age=dt.timedelta(days=365), secure=False)
 @patch('allura.lib.plugin.c', MagicMock())
 @patch('allura.model.notification.SiteNotification')
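Review bot: All four updated `TestThemeProvider_notifications` cases (this hunk and the three at lines 370, 387 and 404) set `request.environ['beaker.session'].secure = False` and assert `secure=False`, so the behaviour the commit actually adds — `secure=True` being forwarded to `set_cookie` when the session is secure — is never exercised. One of these cases, or a new one, should set `.secure = True` and assert `secure=True` in `assert_called_once_with`. The assignment presumably works because `request` is patched to a mock that auto-creates `environ['beaker.session']` (the decorators are not visible in the hunk); a comment on the first case, e.g. `# request is a MagicMock here, so environ['beaker.session'] is auto-created`, would spare readers the same question. Three of the four cases insert a blank line after the new setup while the one at line 387 does not; either is fine, but they should match.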
@@ -370,9 +372,11 @@ class TestThemeProvider_notifications(object):
 note.page_tool_type = None
 SiteNotification.actives.return_value = [note]
 request.cookies = {'site-notification': '0ddba11-1000-true'}
+ request.environ['beaker.session'].secure = False
+
 assert_is(ThemeProvider().get_site_notification(), note)
 response.set_cookie.assert_called_once_with(
- 'site-notification', 'deadbeef-1-False', max_age=dt.timedelta(days=365))
+ 'site-notification', 'deadbeef-1-False', max_age=dt.timedelta(days=365), secure=False)
 @patch('allura.lib.plugin.c', MagicMock())
 @patch('allura.model.notification.SiteNotification')
@@ -387,9 +391,10 @@ class TestThemeProvider_notifications(object):
 note.page_tool_type = None
 SiteNotification.actives.return_value = [note]
 request.cookies = {}
+ request.environ['beaker.session'].secure = False
 assert_is(ThemeProvider().get_site_notification(), note)
 response.set_cookie.assert_called_once_with(
- 'site-notification', 'deadbeef-1-False', max_age=dt.timedelta(days=365))
+ 'site-notification', 'deadbeef-1-False', max_age=dt.timedelta(days=365), secure=False)
 @patch('allura.lib.plugin.c', MagicMock())
 @patch('allura.model.notification.SiteNotification')
@@ -404,9 +409,11 @@ class TestThemeProvider_notifications(object):
 note.page_tool_type = None
 SiteNotification.actives.return_value = [note]
 request.cookies = {'site-notification': 'deadbeef-1000-true-bad'}
+ request.environ['beaker.session'].secure = False
+
 assert_is(ThemeProvider().get_site_notification(), note)
 response.set_cookie.assert_called_once_with(
- 'site-notification', 'deadbeef-1-False', max_age=dt.timedelta(days=365))
+ 'site-notification', 'deadbeef-1-False', max_age=dt.timedelta(days=365), secure=False)
 @patch('allura.lib.plugin.c')
 @patch('allura.model.notification.SiteNotification')