Module: tools Branch: master Commit: f5d82db8fdded58a0524f7f1ab0a03756f6f724d URL: http://source.winehq.org/git/tools.git/?a=commit;h=f5d82db8fdded58a0524f7f1a...
Author: Francois Gouget fgouget@codeweavers.com Date: Tue Jul 11 12:39:59 2017 +0200
testbot/web: Only allow retrieving our cookies through Http.
The WineTestBot JavaScript code does not need to access the cookies, so marking them HttpOnly reduces the attack surface (and may limit the impact of some XSS attacks).
Signed-off-by: Francois Gouget fgouget@codeweavers.com Signed-off-by: Alexandre Julliard julliard@winehq.org
---
testbot/lib/WineTestBot/CGI/PageBase.pm | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/testbot/lib/WineTestBot/CGI/PageBase.pm b/testbot/lib/WineTestBot/CGI/PageBase.pm
index 0f89e46..04759ca 100644
--- a/testbot/lib/WineTestBot/CGI/PageBase.pm
+++ b/testbot/lib/WineTestBot/CGI/PageBase.pm
@@ -163,7 +163,8 @@ sub SetCookies($)
 $Cookie = CGI::Cookie->new(-Name => "SessionId",
 -Value => $Session->Id,
 -Expires => $Expire,
- -Secure => $UseSSL);
+ -Secure => $UseSSL,
+ -HttpOnly => 1);
 $Request->err_headers_out->add("Set-Cookie", $Cookie);
 }
 else
@@ -183,7 +184,8 @@ sub SetCookies($)
 $Cookie = CGI::Cookie->new(-Name => "SessionActive",
 -Value => $SessionPermanent,
 -Expires => $Expire,
- -Secure => !1);
+ -Secure => !1,
+ -HttpOnly => 1);
 $Request->err_headers_out->add("Set-Cookie", $Cookie);
 }
 else
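Review bot: In the second hunk the SessionActive cookie keeps `-Secure => !1`, so unlike SessionId it is still sent over cleartext even when `$UseSSL` is set; HttpOnly stops script access but does nothing about exposure on the wire. If that is deliberate (the flag presumably has to be readable on plain-HTTP requests to tell whether a session exists), a comment next to the constructor should say so, e.g. `# Not Secure on purpose: the session-active flag must also reach plain HTTP requests; it carries no secret.` so the asymmetry is not "fixed" later by mistake. Likewise a one-line `# HttpOnly: the TestBot JavaScript never reads these cookies, keep them out of script reach` at the first hunk would record the intent from the commit message in the code itself. Both hunks sit inside SetCookies, whose body starts and ends outside the hunks.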