From 1203c5cac84304d1daa01a8f0780f98d794cd08c Mon Sep 17 00:00:00 2001 From: Tibor Simko Date: Tue, 28 Apr 2015 13:01:35 +0200 Subject: [PATCH] WebStyle: HttpOnly cookie attribute * SECURITY Adds back the `HttpOnly` cookie attribute in order to better protect against potential XSS vulnerabilities. (closes #3064) Signed-off-by: Tibor Simko --- modules/websession/lib/session.py | 4 ++-- modules/webstyle/lib/webinterface_handler_wsgi_utils.py | 6 ++++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/modules/websession/lib/session.py b/modules/websession/lib/session.py index 6dc299fb23..878048ed02 100644 --- a/modules/websession/lib/session.py +++ b/modules/websession/lib/session.py @@ -1,7 +1,7 @@ # -*- coding: utf-8 -*- ## This file is part of Invenio. -## Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 CERN. +## Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2015 CERN. ## ## Invenio is free software; you can redistribute it and/or ## modify it under the terms of the GNU General Public License as @@ -271,7 +271,7 @@ def make_cookie(self): @return: a session cookie. @rtpye: {mod_python.Cookie.Cookie} """ - cookie = Cookie(CFG_WEBSESSION_COOKIE_NAME, self._sid) + cookie = Cookie(CFG_WEBSESSION_COOKIE_NAME, self._sid, HttpOnly=True) cookie.path = '/' if self._remember_me: diff --git a/modules/webstyle/lib/webinterface_handler_wsgi_utils.py b/modules/webstyle/lib/webinterface_handler_wsgi_utils.py index 44cfcefb90..5d86c58289 100644 --- a/modules/webstyle/lib/webinterface_handler_wsgi_utils.py +++ b/modules/webstyle/lib/webinterface_handler_wsgi_utils.py @@ -1,6 +1,6 @@ # -*- coding: utf-8 -*- ## This file is part of Invenio. -## Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 CERN. +## Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2015 CERN. ## ## Invenio is free software; you can redistribute it and/or ## modify it under the terms of the GNU General Public License as @@ -191,8 +191,10 @@ def __str__(self): # The attribute _valid_attr is provided by the metaclass 'metaCookie'. for name in self._valid_attr: if hasattr(self, name): - if name in ("secure", "discard", "httponly"): + if name in ("secure", "discard"): result.append(name) + elif name == "httponly": + result.append("HttpOnly") else: result.append("%s=%s" % (name, getattr(self, name))) # pylint: enable=E1101