Posted to commits@allura.apache.org by ke...@apache.org on 2020/06/08 15:27:25 UTC

[allura] 02/03: fixup! [#8362] Add secure attr to session cookie

This is an automated email from the ASF dual-hosted git repository.

kentontaylor pushed a commit to branch kt/8362
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 25737e23a26adb4a26c04b3062fb81e54c885f11
Author: Kenton Taylor <kt...@slashdotmedia.com>
AuthorDate: Tue Jun 2 15:05:41 2020 +0000

    fixup! [#8362] Add secure attr to session cookie
---
 Allura/allura/lib/custom_middleware.py | 3 ++-
 Allura/allura/lib/decorators.py        | 2 +-
 Allura/allura/lib/plugin.py            | 1 +
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index 521ad05..649b978 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -214,9 +214,10 @@ class CSRFMiddleware(object):
 
         def session_start_response(status, headers, exc_info=None):
             if dict(headers).get('Content-Type', '').startswith('text/html'):
+                use_secure = 'secure; ' if environ['beaker.session'].secure else ''
                 headers.append(
                     (str('Set-cookie'),
-                     str('%s=%s; secure; Path=/' % (self._cookie_name, cookie))))
+                     str('%s=%s; %sPath=/' % (self._cookie_name, cookie, use_secure))))
             return start_response(status, headers, exc_info)
 
         return self._app(environ, session_start_response)
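Review bot: The `Secure` attribute on the CSRF cookie now follows beaker's configured `session.secure` rather than being set unconditionally, so a deployment whose beaker config leaves `secure` off will emit this cookie without the flag even when the site is served over HTTPS; the intent (keeping the CSRF cookie's attributes in step with the session cookie, presumably so local HTTP development works) is not stated anywhere in the hunk. A one-line comment above the new assignment would make that explicit, e.g. `# Mirror beaker's session.secure so this cookie is sent under the same conditions as the session cookie; production config is expected to set it.` The same `environ['beaker.session'].secure` lookup is repeated in the decorators.py and plugin.py hunks, so a small helper on the session or a documented config accessor would keep the three call sites from drifting. The `[]` lookup also assumes the beaker middleware always wraps this one; if that ordering is not guaranteed by the pipeline, a `KeyError` here would surface inside the response callback. `session_start_response` is nested in a method whose start lies outside the hunk.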
diff --git a/Allura/allura/lib/decorators.py b/Allura/allura/lib/decorators.py
index a4b9bd2..7eaeb22 100644
--- a/Allura/allura/lib/decorators.py
+++ b/Allura/allura/lib/decorators.py
@@ -219,7 +219,7 @@ def memorable_forget():
         :param raised: any error (redirect or exception) raised by the controller action
         """
         if _ok_to_forget(response, controller_result, raised):
-            response.set_cookie('memorable_forget', request.path)
+            response.set_cookie('memorable_forget', request.path, secure=request.environ['beaker.session'].secure)
 
     @decorator
     def _inner(func, *args, **kwargs):
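Review bot: The new `set_cookie` call on the changed line runs well past the file's line length, which the surrounding code otherwise respects; splitting the keyword argument onto its own line keeps it readable, e.g. `response.set_cookie('memorable_forget', request.path,` / `                    secure=request.environ['beaker.session'].secure)`. The enclosing function continues before and after this hunk, so whether `request` is the module-level import or a local is not visible here.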
diff --git a/Allura/allura/lib/plugin.py b/Allura/allura/lib/plugin.py
index a79750c..86bb0b5 100644
--- a/Allura/allura/lib/plugin.py
+++ b/Allura/allura/lib/plugin.py
@@ -1554,6 +1554,7 @@ class ThemeProvider(object):
         response.set_cookie(
             'site-notification',
             set_cookie,
+            secure=request.environ['beaker.session'].secure,
             max_age=timedelta(days=365))
         return note