Merge branch 'maint-1.1' into maint-1.2

* maint-1.1: WebStyle: HttpOnly cookie attribute Conflicts: modules/websession/lib/session.py modules/webstyle/lib/webinterface_handler_wsgi_utils.py Signed-off-by: Tibor Simko <tibor.simko@cern.ch>
CERNDocumentServer · Apr 28, 2015 · 94763fb · 94763fb
2 parents 6be96d4 + c3b3e1a
commit 94763fb
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 5 deletions.
diff --git a/modules/websession/lib/session.py b/modules/websession/lib/session.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 
 # This file is part of Invenio.
-# Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 CERN.
+# Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2015 CERN.
 #
 # Invenio is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License as
@@ -345,10 +345,9 @@ def make_cookies(self):
             stub_cookie = Cookie(CFG_WEBSESSION_COOKIE_NAME + 'stub', 'NO')
         cookies.append(stub_cookie)
         if self._req.is_https() or not CFG_SITE_SECURE_URL.startswith("https://") or uid <= 0:
-            cookie = Cookie(CFG_WEBSESSION_COOKIE_NAME, self._sid)
+            cookie = Cookie(CFG_WEBSESSION_COOKIE_NAME, self._sid, HttpOnly=True)
             if CFG_SITE_SECURE_URL.startswith("https://") and uid > 0:
                 cookie.secure = True
-                cookie.httponly = True
             cookies.append(cookie)
         for cookie in cookies:
             cookie.path = '/'

diff --git a/modules/webstyle/lib/webinterface_handler_wsgi_utils.py b/modules/webstyle/lib/webinterface_handler_wsgi_utils.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 # This file is part of Invenio.
-# Copyright (C) 2009, 2010, 2011 CERN.
+# Copyright (C) 2009, 2010, 2011, 2015 CERN.
 #
 # Invenio is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License as
@@ -183,8 +183,10 @@ def __str__(self):
         # The attribute _valid_attr is provided by the metaclass 'metaCookie'.
         for name in self._valid_attr:
             if hasattr(self, name):
-                if name in ("secure", "discard", "httponly"):
+                if name in ("secure", "discard"):
                     result.append(name)
+                elif name == "httponly":
+                    result.append("HttpOnly")
                 else:
                     result.append("%s=%s" % (name, getattr(self, name)))
         # pylint: enable=E1101