From e83f600fea906a03bfb0d59d85fddf2a4e4e95c2 Mon Sep 17 00:00:00 2001
From: Tibor Simko
Date: Tue, 28 Apr 2015 13:01:35 +0200
Subject: [PATCH] WebStyle: HttpOnly cookie attribute

* SECURITY Adds back the `HttpOnly` cookie attribute in order to better protect against potential XSS vulnerabilities. (closes #3064)

Signed-off-by: Tibor Simko
Reviewed-by: Samuele Kaplun
---
 modules/websession/lib/session.py                       | 4 ++--
 modules/webstyle/lib/webinterface_handler_wsgi_utils.py | 6 ++++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/modules/websession/lib/session.py b/modules/websession/lib/session.py
index 6dc299fb23..878048ed02 100644
--- a/modules/websession/lib/session.py
+++ b/modules/websession/lib/session.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 ## This file is part of Invenio.
-## Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 CERN.
+## Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2015 CERN.
 ##
 ## Invenio is free software; you can redistribute it and/or
 ## modify it under the terms of the GNU General Public License as
@@ -271,7 +271,7 @@ def make_cookie(self):
         @return: a session cookie.
         @rtpye: {mod_python.Cookie.Cookie}
         """
-        cookie = Cookie(CFG_WEBSESSION_COOKIE_NAME, self._sid)
+        cookie = Cookie(CFG_WEBSESSION_COOKIE_NAME, self._sid, HttpOnly=True)
         cookie.path = '/'
 
         if self._remember_me:
diff --git a/modules/webstyle/lib/webinterface_handler_wsgi_utils.py b/modules/webstyle/lib/webinterface_handler_wsgi_utils.py
index 44cfcefb90..5d86c58289 100644
--- a/modules/webstyle/lib/webinterface_handler_wsgi_utils.py
+++ b/modules/webstyle/lib/webinterface_handler_wsgi_utils.py
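Review bot: The `HttpOnly=True` keyword on the `Cookie(...)` line only produces the flag if the Cookie class in use lower-cases constructor keywords into an attribute named `httponly`, because the WSGI shim's `__str__` (patched in the same commit) emits `HttpOnly` solely for that attribute name; a small test asserting that `str(cookie)` contains `HttpOnly` under both the mod_python and the WSGI backends would pin this. The hunk shows nothing setting `secure` on the session cookie, so unless the rest of make_cookie does it, the session id is still sent over plain HTTP on HTTPS deployments; `cookie.secure = True` when the site is served over HTTPS would be the natural companion hardening. Since the flag is now unconditional, any client-side script that read the session cookie via document.cookie will stop seeing it, which is presumably intended but worth a line in the docstring, e.g. `HttpOnly is always set, so the session id is not readable from JavaScript.` make_cookie's body continues outside the hunk.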
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 ## This file is part of Invenio.
-## Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 CERN.
+## Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2015 CERN.
 ##
 ## Invenio is free software; you can redistribute it and/or
 ## modify it under the terms of the GNU General Public License as
@@ -191,8 +191,10 @@ def __str__(self):
         # The attribute _valid_attr is provided by the metaclass 'metaCookie'.
         for name in self._valid_attr:
             if hasattr(self, name):
-                if name in ("secure", "discard", "httponly"):
+                if name in ("secure", "discard"):
                     result.append(name)
+                elif name == "httponly":
+                    result.append("HttpOnly")
                 else:
                     result.append("%s=%s" % (name, getattr(self, name)))
         # pylint: enable=E1101
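Review bot: The new `elif name == "httponly":` branch appends `HttpOnly` whenever the attribute merely exists, regardless of its value, so a caller passing `HttpOnly=False` (or assigning `cookie.httponly = False`) still gets the flag serialized; guard on the value: `elif name == "httponly":` / `    if getattr(self, name):` / `        result.append("HttpOnly")`. The same value-blind emission already applies to `secure` and `discard` on the line above and is not introduced here, but handling all three flags through one value check would be more consistent than the split the hunk creates. Browsers match cookie attribute names case-insensitively per RFC 6265, so the `httponly` → `HttpOnly` spelling change is presumably cosmetic and the effective change lives in session.py; a short comment such as `# emit the canonical spelling; attribute names are matched case-insensitively` would explain the special case to the next reader. `__str__` starts before the hunk, so the setup of `result` is not visible here.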