On Wed, Feb 21, 2007 at 05:53:56PM -0800, Robert Stone wrote:
> Package: libapache-request-perl
> Version: 1.33-1
> Severity: wishlist
>
> As best I can tell Apache::Cookie has no direct way to add the
> HttpOnly flag to the cookies it sets. Although browser support for this
> feature is still spotty, it is a useful measure to limit the impact of
> cross-site scripting attacks in supported browsers.
> http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
> provides some info on the intended syntax and support.
This new feature is unlikely to be implemented in Apache::Cookie - this
package has not seen an upstream release since 2004. I don't wish to
maintain a Debian-specific patch just for this.
Might I suggest you look into moving to mod_perl v2 / Apache2::Request /
Apache2::Cookie? That seems a better place for these sorts of new
features to be implemented.
--
_ivan
> diff -Naur libapache-request-perl-1.33.old/c/apache_cookie.c
> libapache-request-perl-1.33/c/apache_cookie.c
> --- libapache-request-perl-1.33.old/c/apache_cookie.c 2004-11-26
> 15:02:03.000000000 -0800
> +++ libapache-request-perl-1.33/c/apache_cookie.c 2007-02-21
> 15:42:01.924134177 -0800
> @@ -59,6 +59,14 @@
> }
> retval = c->secure ? "on" : "";
> break;
> + case 'h':
> + if(val) {
> + c->httponly =
> + !strcaseEQ(val, "off") &&
> + !strcaseEQ(val, "0");
> + }
> + retval = c->httponly ? "on" : "";
> + break;
> default:
> ap_log_rerror(APC_ERROR,
> "[libapreq] unknown cookie pair: `%s' => `%s'", key, val);
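Review bot: The new `case 'h'` turns any value other than "off" or "0" into HttpOnly=on, including an empty string, while the libapreq.pod hunk documents the attribute as taking On or Off; if this deliberately mirrors the `secure` case (whose body sits above the hunk), a comment such as `/* same truth test as 'secure': anything but "off"/"0" (case-insensitive) enables the flag */` would make that explicit. The switch subject is outside the hunk; if it dispatches on the first character of `key`, as the single-character labels suggest, any key beginning with 'h' is accepted as httponly and never reaches the unknown-pair error below, so a full-key comparison or a note on that limitation seems worth considering. As a style point, `if(val)` here and `if(c->httponly)` in the `@@ -201,6 +210,9 @@` hunk omit the space the surrounding code uses (`if (c->secure)`). The enclosing function starts and ends outside this hunk.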
> @@ -78,6 +86,7 @@
> c->r = r;
> c->values = ap_make_array(r->pool, 1, sizeof(char *));
> c->secure = 0;
> + c->httponly = 0;
> c->name = c->expires = NULL;
>
> c->domain = NULL;
> @@ -201,6 +210,9 @@
> if (c->secure) {
> cookie_push_arr(values, "secure");
> }
> + if(c->httponly) {
> + cookie_push_arr(values, "HttpOnly");
> + }
>
> cookie = ap_pstrcat(p, escape_url(p, c->name), "=", NULL);
> for (i=0; i<c->values->nelts; i++) {
> diff -Naur libapache-request-perl-1.33.old/c/apache_cookie.h
> libapache-request-perl-1.33/c/apache_cookie.h
> --- libapache-request-perl-1.33.old/c/apache_cookie.h 2004-11-26
> 15:02:03.000000000 -0800
> +++ libapache-request-perl-1.33/c/apache_cookie.h 2007-02-21
> 15:45:47.076077858 -0800
> @@ -29,6 +29,7 @@
> char *expires;
> char *path;
> int secure;
> + int httponly;
> } ApacheCookie;
>
> #ifdef __cplusplus
> diff -Naur libapache-request-perl-1.33.old/Cookie/Cookie.pm
> libapache-request-perl-1.33/Cookie/Cookie.pm
> --- libapache-request-perl-1.33.old/Cookie/Cookie.pm 2004-11-26
> 15:02:04.000000000 -0800
> +++ libapache-request-perl-1.33/Cookie/Cookie.pm 2007-02-21
> 17:27:45.176540603 -0800
> @@ -146,6 +146,13 @@
> my $secure = $cookie->secure;
> $cookie->secure(1);
>
> +=head2 httponly
> +
> +Get or set the HttpOnly flag for the cookie:
> +
> + my $HttpOnly = $cookie->httponly;
> + $cookie->httponly(1);
> +
> =back
>
> =head1 CAVEATS
> diff -Naur libapache-request-perl-1.33.old/Cookie/Cookie.xs
> libapache-request-perl-1.33/Cookie/Cookie.xs
> --- libapache-request-perl-1.33.old/Cookie/Cookie.xs 2004-12-06
> 06:49:46.000000000 -0800
> +++ libapache-request-perl-1.33/Cookie/Cookie.xs 2007-02-21
> 17:28:25.687726275 -0800
> @@ -130,6 +130,9 @@
> #define ApacheCookie_secure(c, val) \
> ApacheCookie_attr(c, "secure", val)
>
> +#define ApacheCookie_httponly(c, val) \
> +ApacheCookie_attr(c, "httponly", val)
> +
> MODULE = Apache::Cookie PACKAGE = Apache::Cookie PREFIX = ApacheCookie_
>
> PROTOTYPES: DISABLE
> @@ -297,6 +300,11 @@
> Apache::Cookie c
> char *val
>
> +char *
> +ApacheCookie_httponly(c, val=NULL)
> + Apache::Cookie c
> + char *val
> +
> void
> ApacheCookie_bake(c)
> Apache::Cookie c
> diff -Naur libapache-request-perl-1.33.old/libapreq.pod
> libapache-request-perl-1.33/libapreq.pod
> --- libapache-request-perl-1.33.old/libapreq.pod 2004-11-26
> 15:02:04.000000000 -0800
> +++ libapache-request-perl-1.33/libapreq.pod 2007-02-21 17:26:16.902210826
> -0800
> @@ -243,6 +243,12 @@
> of I<On> or I<Off>.
> The default is I<Off>.
>
> +=item -httponly
> +
> +Sets the I<HttpOnly> field to true or false using a given string value
> +of I<On> or I<Off>.
> +The default is I<Off>.
> +
> =back
>
> Example: