Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Skip SameSite=Lax is cookie is not defined
  • Loading branch information
ikus060 committed Oct 21, 2021
1 parent 753533b commit 42455b1
Show file tree
Hide file tree
Showing 4 changed files with 15 additions and 2 deletions.
2 changes: 1 addition & 1 deletion rdiffweb/controller/dispatch.py
Expand Up @@ -124,7 +124,7 @@ def static(path):
content_type = mimetypes.types_map.get(ext, None) # @UndefinedVariable

@cherrypy.expose
@cherrypy.config(**{'tools.authform.on': False})
@cherrypy.config(**{'tools.authform.on': False, 'tools.sessions.on': False})
def handler(*args, **kwargs):
if cherrypy.request.method not in ('GET', 'HEAD'):
return None
Expand Down
3 changes: 2 additions & 1 deletion rdiffweb/controller/filter_authentication.py
Expand Up @@ -257,7 +257,8 @@ def _set_same_site(self):
# https://github.com/cherrypy/cherrypy/issues/1767
# Force SameSite to Lax
cookie = cherrypy.serving.response.cookie.get('session_id', None)
cookie['samesite'] = 'Lax'
if cookie:
cookie['samesite'] = 'Lax'

def run(self):
if cherrypy.request.method in ['POST', 'PUT', 'PATCH', 'DELETE']:
Expand Down
4 changes: 4 additions & 0 deletions rdiffweb/controller/tests/test_check_links.py
Expand Up @@ -42,9 +42,13 @@ def test_links(self):
todo = OrderedDict()
todo["/"] = "/"
self.getPage("/")
# Store the original cookie since it get replace during execution.
self.assertIsNotNone(self.cookies)
cookies = self.cookies
while todo:
page, ref = todo.popitem(last=False)
# Query page
self.cookies = cookies
self.getPage(page)
# Check status
self.assertStatus('200 OK', "can't access page [%s] referenced by [%s]" % (page, ref))
Expand Down
8 changes: 8 additions & 0 deletions rdiffweb/controller/tests/test_csrf.py
Expand Up @@ -32,6 +32,14 @@ def test_samesite_lax(self):
cookie = self.assertHeader('Set-Cookie')
self.assertIn('SameSite=Lax', cookie)

def test_samesite_lax_without_session(self):
# Given not a client sending no cookie
self.cookies = None
# When a query is made to a static path (without session)
self.getPage('/static/blue.css')
# Then Set-Cookie is not defined.
self.assertNoHeader('Set-Cookie')

def test_get_with_wrong_origin(self):
# Given a GET request made to rdiffweb
# When the request is made using a different origin
Expand Down

0 comments on commit 42455b1

Please sign in to comment.