Item10061: Since Foswiki::Validation is a static class, the user of i…

…t should take car os request-specific issues, such as the Cookie's secure flag. (also run perltidy on Foswiki.pm) git-svn-id: http://svn.foswiki.org/branches/Release01x01@10837 0b4bb1d4-4e5a-0410-9cc4-b2b747904278
foswiki · Feb 27, 2011 · b932f0e · b932f0e
1 parent 6095f08
commit b932f0e
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 16 deletions.
diff --git a/core/lib/Foswiki.pm b/core/lib/Foswiki.pm
@@ -155,7 +155,7 @@ BEGIN {
         }
     }
     else {
-        $Error::Debug = 0;        # no verbose stack traces 
+        $Error::Debug = 0;        # no verbose stack traces
     }
 
     # DO NOT CHANGE THE FORMAT OF $VERSION
@@ -325,7 +325,7 @@ BEGIN {
     # readConfig is defined in Foswiki::Configure::Load to allow overriding it
     if ( Foswiki::Configure::Load::readConfig() ) {
         $Foswiki::cfg{isVALID} = 1;
-        }
+    }
 
     if ( $Foswiki::cfg{WarningsAreErrors} ) {
 
@@ -728,9 +728,10 @@ sub writeCompletePage {
 
             # At least one form has been touched; add the validation
             # cookie
+            my $valCookie = Foswiki::Validation::getCookie($cgis);
+            $valCookie->secure( $this->{request}->secure );
             $this->{response}
-              ->cookies( [ $this->{response}->cookies,
-                Foswiki::Validation::getCookie($cgis) ] );
+              ->cookies( [ $this->{response}->cookies, $valCookie ] );
 
             # Add the JS module to the page. Note that this is *not*
             # incorporated into the foswikilib.js because that module
@@ -1424,7 +1425,7 @@ sub _make_params {
     my $notfirst = shift;
     my $url      = '';
     my $ps       = '';
-    my $anchor = '';
+    my $anchor   = '';
     while ( my $p = shift @_ ) {
         if ( $p eq '#' ) {
             $anchor = '#' . urlEncode( shift(@_) );
@@ -1617,8 +1618,7 @@ sub new {
         # but don't overwrite the setting from configure, if there is one.
         # This is especially important when the admin has *chosen*
         # to use the compatibility logger.
-        if (not defined $Foswiki::cfg{LogFileName})
-        {
+        if ( not defined $Foswiki::cfg{LogFileName} ) {
             $Foswiki::cfg{LogFileName} = "$Foswiki::cfg{Log}{Dir}/events.log";
         }
     }
@@ -2458,8 +2458,9 @@ sub expandMacrosOnTopicCreation {
         $p->{value} =
           _processMacros( $this, $p->{value}, \&_expandMacroOnTopicCreation,
             $topicObject, 16 );
+
         # kill markers used to prevent variable expansion
-        $p->{value} =~  s/%NOP%//g;
+        $p->{value} =~ s/%NOP%//g;
 
     }
 }

diff --git a/core/lib/Foswiki/Validation.pm b/core/lib/Foswiki/Validation.pm
@@ -136,6 +136,9 @@ Get a double submission cookie
 The cookie is a non-HttpOnly cookie that contains the current session ID
 and a secret. The secret is constant for a given session.
 
+The caller should adjust the =-secure= flag of the cookie, according to the
+request being processed.
+
 =cut
 
 sub getCookie {
@@ -144,20 +147,12 @@ sub getCookie {
     my $secret = _getSecret($cgis);
 
     # Add the cookie to the response
-    # TODO: -secure option should be abstraced out - see comments on Item:10061
     require CGI::Cookie;
     my $cookie = CGI::Cookie->new(
         -name  => _getSecretCookieName(),
         -value => $secret,
         -path  => '/',
         -httponly => 0,    # we *want* JS to be able to read it!
-        -secure   => (
-            (
-                     ( $ENV{HTTPS} && ( uc( $ENV{HTTPS} ) eq 'ON' ) )
-                  || ( $ENV{SERVER_PORT} && ( $ENV{SERVER_PORT} == 443 ) )
-            ) ? 1 : 0
-        ),
-
     );
 
     return $cookie;