Jacek Caban : wininet: Don't allow overriding httponly cookies with non-httponly ones.
Module: wine Branch: master Commit: f72975d811a7622f32d66315276a9c8857f20090 URL: http://source.winehq.org/git/wine.git/?a=commit;h=f72975d811a7622f32d6631527... Author: Jacek Caban <jacek(a)codeweavers.com> Date: Fri Jul 11 12:20:31 2014 +0200 wininet: Don't allow overriding httponly cookies with non-httponly ones. --- dlls/wininet/cookie.c | 8 ++++++++ dlls/wininet/tests/internet.c | 15 +++++++++++++++ 2 files changed, 23 insertions(+)
diff --git a/dlls/wininet/cookie.c b/dlls/wininet/cookie.c
index 0af8c38..8bf8953 100644
--- a/dlls/wininet/cookie.c
+++ b/dlls/wininet/cookie.c
@@ -963,6 +963,14 @@ DWORD set_cookie(const WCHAR *domain, const WCHAR *path, const WCHAR *cookie_nam
 if ((thisCookie = COOKIE_findCookie(thisCookieDomain, cookie_name)))
 {
+ if ((thisCookie->flags & INTERNET_COOKIE_HTTPONLY) && !(flags & INTERNET_COOKIE_HTTPONLY)) {
+ WARN("An attempt to override httponly cookie\n");
+ SetLastError(ERROR_INVALID_OPERATION);
+ heap_free(data);
+ if (value != data) heap_free(value);
+ return COOKIE_STATE_REJECT;
+ }
+
 if (!(thisCookie->flags & INTERNET_COOKIE_IS_SESSION))
 update_persistent = TRUE;
 COOKIE_deleteCookie(thisCookie, FALSE);
diff --git a/dlls/wininet/tests/internet.c b/dlls/wininet/tests/internet.c
index 17e16ab..688f786 100644
--- a/dlls/wininet/tests/internet.c
+++ b/dlls/wininet/tests/internet.c
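Review bot: In dlls/wininet/cookie.c, the new early `return COOKIE_STATE_REJECT;` in set_cookie frees `data` and `value` by hand and releases nothing else. The function starts and ends outside this hunk, so it is not visible whether a lock or other state was acquired before this point; that needs confirming, because an exit that skips the release would leave later cookie operations blocked after a single rejected write. If set_cookie already has a common cleanup sequence, the reject branch should go through it rather than repeat the two `heap_free` calls. A short comment above the check would also help, for example `/* A write without INTERNET_COOKIE_HTTPONLY must not replace or expire an existing httponly cookie. */`, since the branch also blocks the delete-by-expiry path that follows it.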
@@ -595,6 +595,21 @@ static void test_cookie_attrs(void)
 ret = InternetGetCookieExA("http://cookie.attrs.com/", NULL, buf, &size, INTERNET_COOKIE_HTTPONLY, NULL);
 ok(ret, "InternetGetCookieEx failed: %u\n", GetLastError());
 ok(!strcmp(buf, "A=data"), "data = %s\n", buf);
+
+ /* Try to override httponly cookie with non-httponly one */
+ ret = InternetSetCookieA("http://cookie.attrs.com/bar", NULL, "A=test");
+ ok(!ret && GetLastError() == ERROR_INVALID_OPERATION, "InternetSetCookie returned: %x (%u)\n", ret, GetLastError());
+
+ SetLastError(0xdeadbeef);
+ state = InternetSetCookieExA("http://cookie.attrs.com/bar", NULL, "A=data", 0, 0);
+ ok(state == COOKIE_STATE_REJECT && GetLastError() == ERROR_INVALID_OPERATION,
+ "InternetSetCookieEx returned: %x (%u)\n", ret, GetLastError());
+
+ size = sizeof(buf);
+ ret = InternetGetCookieExA("http://cookie.attrs.com/", NULL, buf, &size, INTERNET_COOKIE_HTTPONLY, NULL);
+ ok(ret, "InternetGetCookieEx failed: %u\n", GetLastError());
+ ok(!strcmp(buf, "A=data"), "data = %s\n", buf);
+
 }
 static void test_cookie_url(void)
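Review bot: The failure message of the InternetSetCookieExA check prints `ret` instead of `state`, so a failing run would report the stale result of the earlier InternetSetCookieA call; the arguments should be `"InternetSetCookieEx returned: %x (%u)\n", state, GetLastError());`. The first check compares GetLastError() with ERROR_INVALID_OPERATION without a preceding `SetLastError(0xdeadbeef);`, unlike the second, so an error code left over from an earlier call could satisfy it. The second attempt also writes "A=data", which equals the value already stored. The final `strcmp` read-back therefore only proves that the "A=test" write was rejected; giving the second attempt a distinct value would make the read-back cover both. test_cookie_attrs starts outside this hunk.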