Teach pragma set_httponly to apply only to certain cookies

E.g. for the default session cookie only: Pragma set_httponly=MV_SESSION_ID The change is backward-compatible, so this still applies to all cookies as before: Pragma set_httponly
interchange · Jan 9, 2019 · acad7bb · acad7bb
1 parent d8e443d
commit acad7bb
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 3 deletions.
diff --git a/doc/WHATSNEW-5.12 b/doc/WHATSNEW-5.12
@@ -70,6 +70,20 @@ Core
 * Refactor cookie-setting routine to avoid double ; and extra string copying
   and use canonical capitalization.
 
+* Teach pragma set_httponly to apply only to certain cookies.
+
+  E.g. for the default session cookie only:
+
+  Pragma set_httponly=MV_SESSION_ID
+
+  Or for that plus another arbitrary cookie "cart":
+
+  Pragma set_httponly=MV_SESSION_ID,cart
+
+  The old behavior of setting HttpOnly for all cookies still works as before, e.g.:
+
+  Pragma set_httponly
+
 * Add CounterDir configuration to allow counters to be defined by default in
   some place different than VendRoot.
 

diff --git a/lib/Vend/Server.pm b/lib/Vend/Server.pm
@@ -1,6 +1,6 @@
 # Vend::Server - Listen for Interchange CGI requests as a background server
 #
-# Copyright (C) 2002-2018 Interchange Development Group
+# Copyright (C) 2002-2019 Interchange Development Group
 # Copyright (C) 1996-2002 Red Hat, Inc.
 #
 # This program was originally based on Vend 0.2 and 0.3
@@ -24,7 +24,7 @@
 package Vend::Server;
 
 use vars qw($VERSION $Has_JSON $RUNDIR);
-$VERSION = '2.109';
+$VERSION = '2.110';
 
 use Cwd;
 use POSIX qw(setsid strftime);
@@ -585,6 +585,17 @@ sub create_cookie {
 		$sub->();
 	}
 
+	my $all_httponly;
+	my %httponly;
+	if (my $p = $::Pragma->{set_httponly}) {
+		if ($p eq '1') {
+			$all_httponly = 1;
+		}
+		else {
+			$httponly{$_} = undef for split /\s*,\s*/, $p;
+		}
+	}
+
 	my @jar;
 	push @jar, [
 				$::Instance->{CookieName} || 'MV_SESSION_ID',
@@ -624,7 +635,7 @@ sub create_cookie {
 			push @pieces, $expstring;
 		}
 		push @pieces, 'Secure' if $secure;
-		push @pieces, 'HttpOnly' if $::Pragma->{set_httponly};
+		push @pieces, 'HttpOnly' if $all_httponly or exists $httponly{$name};
 		my $header = join('; ', @pieces);
 #::logDebug("create_cookie made header: $header");
 		push @out, $header;