Posted to apreq-dev@httpd.apache.org by Issac Goldstand <ma...@beamartyr.net> on 2010/11/12 11:30:18 UTC

Re: HttpOnly + [VOTE] T&R libapreq-2.13

On 09/11/2010 06:16, Adam Prime wrote:
> I had some time to kill tonight and after some screwing around produced
> the attached patch which may or may not be useful.  It's for the C API
> (I'm assuming anyway) and does pass on my laptop with the debian patch
> applied.
>
> I am not familiar with httpd or libapreq internals, and basically made
> this up as I was going along, stealing what was already there, so any
> feedback would be appreciated.
>
> Adam
>
> On 08/11/10 10:09 AM, Joe Schaefer wrote:
>> The patch looks good to me too.  I'd been planning
>> to implement this feature some weekend and the patch
>> is pretty much how I'd do it, so I'd +1 it once the
>> corresponding tests are written.
>>
>>
>>
>> ----- Original Message ----
>>> From: Issac Goldstand <ma...@beamartyr.net>
>>> To: apreq-dev@httpd.apache.org
>>> Sent: Mon, November 8, 2010 8:17:31 AM
>>> Subject: Re: HttpOnly
>>>
>>> On 08/11/2010 12:48, Clinton Gormley wrote:
>>>> Hi all
>>>>
>>>> Any plans on adding support to Apache2::Cookie for the HttpOnly flag?
>>>>
>>>> I see a patch in Debian which does this:
>>>>
>>>> http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg543361.html
>>>> thanks
>>>>
>>>> Clint
>>>>
>>>>
>>> The patch looks ok to me at first glance.  If you're willing to write
>>> the unit test(s) for this, I'd be happy to help push this.
>>>
All looks good.  Waiting for someone with more legal knowledge than I to
confirm that we can re-use the patch, and I'll commit to trunk.

We may also want to do a release.  With the small amount of development,
it could be years until this sees the light of day if we wait to package
more stuff into it :)  2.12 was released March, 2009, so I'd like to
call a vote to T&R 2.13.

[  ] Release 2.13 with the new HttpOnly cookie feature (once committed)
[  ] Don't release 2.13 yet

Thanks,
  Issac



Re: HttpOnly + [VOTE] T&R libapreq-2.13

Posted by Issac Goldstand <ma...@beamartyr.net>.
> [X] Release 2.13 with the new HttpOnly cookie feature (once committed)
> [ ] Don't release 2.13 yet
Issac

Re: HttpOnly + [VOTE] T&R libapreq-2.13

Posted by Issac Goldstand <ma...@beamartyr.net>.
Looks good.  As soon as I can commit the HttpOnly, I'll test and apply
this, too.

On 12/11/2010 15:11, Clinton Gormley wrote:
> On Fri, 2010-11-12 at 04:53 -0800, Joe Schaefer wrote:
>> There's another patch from Clinton that we should
>> apply too- it relates to test breakages coming from LWP's
>> mime-type change for pod files.
> Oooh - well remembered.  Here is the patch:
>
> http://permalink.gmane.org/gmane.comp.apache.apreq/4469
>
> clint
>       
>


Re: HttpOnly + [VOTE] T&R libapreq-2.13

Posted by Clinton Gormley <cl...@traveljury.com>.
On Fri, 2010-11-12 at 04:53 -0800, Joe Schaefer wrote:
> There's another patch from Clinton that we should
> apply too- it relates to test breakages coming from LWP's
> mime-type change for pod files.

Oooh - well remembered.  Here is the patch:

http://permalink.gmane.org/gmane.comp.apache.apreq/4469

clint
      



Re: HttpOnly + [VOTE] T&R libapreq-2.13

Posted by Joe Schaefer <jo...@yahoo.com>.
There's another patch from Clinton that we should
apply too- it relates to test breakages coming from LWP's
mime-type change for pod files.



----- Original Message ----
> From: Issac Goldstand <ma...@beamartyr.net>
> To: apreq-dev@httpd.apache.org
> Sent: Fri, November 12, 2010 5:30:18 AM
> Subject: Re: HttpOnly + [VOTE] T&R libapreq-2.13
> 
> On 09/11/2010 06:16, Adam Prime wrote:
> > I had some time to kill tonight and after some screwing around produced
> > the attached patch which may or may not be useful.  It's for the C API
> > (I'm assuming anyway) and does pass on my laptop with the debian patch
> > applied.
> >
> > I am not familiar with httpd or libapreq internals, and basically made
> > this up as I was going along, stealing what was already there, so any
> > feedback would be appreciated.
> >
> > Adam
> >
> > On 08/11/10 10:09 AM, Joe Schaefer wrote:
> >> The patch looks good to me too.  I'd been planning
> >> to implement this feature some weekend and the patch
> >> is pretty much how I'd do it, so I'd +1 it once the
> >> corresponding tests are written.
> >>
> >>
> >>
> >> ----- Original Message ----
> >>> From: Issac Goldstand <ma...@beamartyr.net>
> >>> To: apreq-dev@httpd.apache.org
> >>> Sent: Mon, November 8, 2010 8:17:31 AM
> >>> Subject: Re: HttpOnly
> >>>
> >>> On 08/11/2010 12:48, Clinton Gormley wrote:
> >>>> Hi all
> >>>>
> >>>> Any plans on adding support to Apache2::Cookie for the HttpOnly flag?
> >>>>
> >>>> I see a patch in Debian which does this:
> >>>>
> >>>> http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg543361.html
> >>>> thanks
> >>>>
> >>>> Clint
> >>>>
> >>>>
> >>> The patch looks ok to me at first glance.  If you're willing to write
> >>> the unit test(s) for this, I'd be happy to help push this.
> >>>
> All looks good.  Waiting for someone with more legal knowledge than I to
> confirm that we can re-use the patch, and I'll commit to trunk.
>
> We may also want to do a release.  With the small amount of development,
> it could be years until this sees the light of day if we wait to package
> more stuff into it :)  2.12 was released March, 2009, so I'd like to
> call a vote to T&R 2.13.
>
> [  ] Release 2.13 with the new HttpOnly cookie feature (once committed)
> [  ] Don't release 2.13 yet
> 
> Thanks,
>   Issac
> 
> 
> 


      

Re: HttpOnly + [VOTE] T&R libapreq-2.13

Posted by Mark Hedges <he...@formdata.biz>.
> > All looks good.  Waiting for someone with more legal
> > knowledge than I to confirm that we can re-use the
> > patch, and I'll commit to trunk.

My 2 cents, it seems like since everything in Debian is an
open-source license, the libapreq2 package is released under
its native license, and Robert Stone contributed the patch
to the Debian mailing list for inclusion in the package with
the license as it stands in Debian (which is the same), that
his act of contributing the patch, which included no
additional license stipulations, was implicit authorization
to use it and include it in the Debian package.  Since the
Debian package is the same license as the native source, you
should be able to lift it under those terms.

Mark

Re: HttpOnly + [VOTE] T&R libapreq-2.13

Posted by Joe Schaefer <jo...@yahoo.com>.
----- Original Message ----

> From: Adam Prime <ad...@utoronto.ca>
> To: apreq-dev@httpd.apache.org
> Sent: Fri, November 12, 2010 11:07:42 PM
> Subject: Re: HttpOnly + [VOTE] T&R libapreq-2.13
> 
> On 12/11/10 05:28 PM, Adam Prime wrote:
> >> All looks good.  Waiting for someone with more legal knowledge than I to
> >> confirm that we can re-use the patch, and I'll commit to trunk.
> >>
> >> We may also want to do a release.  With the small amount of development,
> >> it could be years until this sees the light of day if we wait to package
> >> more stuff into it :)  2.12 was released March, 2009, so I'd like to
> >> call a vote to T&R 2.13.
> >>
> >> [  ] Release 2.13 with the new HttpOnly cookie feature (once committed)
> >> [  ] Don't release 2.13 yet
> >>
> > 
> > I have tests for the perl interface at home. I can send that patch later
> > this evening.  I don't have a vote, but I'd vote for getting it out ;)
>
> The perl test is attached.  One thing that should be noted about both
> these tests is that they only test HttpOnly on the outgoing Set-Cookie:
> header.  From what I read, HttpOnly shouldn't exist on Cookie: headers
> coming from the client, and the patch from debian does not add support
> for parsing them out of Cookie: headers.  I think known though, but I
> just wanted to make sure it was pointed out explicitly.

I don't think the HttpOnly flag comes back to the server via the Cookie
header, so that's ok.  The patch does include support for an $HttpOnly
attribute for RFC-style cookies, but that's not called for in the documentation
on HttpOnly.  We could omit that portion of the patch without loss.


      

Re: HttpOnly + [VOTE] T&R libapreq-2.13

Posted by Adam Prime <ad...@utoronto.ca>.
On 12/11/10 05:28 PM, Adam Prime wrote:
>> All looks good.  Waiting for someone with more legal knowledge than I to
>> confirm that we can re-use the patch, and I'll commit to trunk.
>>
>> We may also want to do a release.  With the small amount of development,
>> it could be years until this sees the light of day if we wait to package
>> more stuff into it :)  2.12 was released March, 2009, so I'd like to
>> call a vote to T&R 2.13.
>>
>> [  ] Release 2.13 with the new HttpOnly cookie feature (once committed)
>> [  ] Don't release 2.13 yet
>>
> 
> I have tests for the perl interface at home. I can send that patch later
> this evening.  I don't have a vote, but I'd vote for getting it out ;)

The perl test is attached.  One thing that should be noted about both
these tests is that they only test HttpOnly on the outgoing Set-Cookie:
header.  From what I read, HttpOnly shouldn't exist on Cookie: headers
coming from the client, and the patch from debian does not add support
for parsing them out of Cookie: headers.  I think known though, but I
just wanted to make sure it was pointed out explicitly.

Adam
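
An added illustration of the point raised in the message above, not code from libapreq, the Debian patch, or the tests attached to this thread: a standalone C check that a Set-Cookie value carries the HttpOnly attribute, and that the name=value pair a client sends back in its Cookie: header does not. The function names and sample header values are constructed for this example, and Netscape-style cookies are assumed.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive match of the n bytes at s against NUL-terminated name. */
static int token_eq(const char *s, size_t n, const char *name)
{
    size_t i;
    if (strlen(name) != n)
        return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Return 1 if a Set-Cookie value carries attribute `flag` (e.g. "HttpOnly").
 * The first ';'-separated segment is the cookie's own name=value pair and is
 * skipped; anything after '=' inside an attribute is ignored. */
int set_cookie_has_flag(const char *value, const char *flag)
{
    const char *p = strchr(value, ';');
    while (p != NULL) {
        const char *start = p + 1, *end, *eq;
        while (*start == ' ' || *start == '\t')
            start++;
        p = strchr(start, ';');
        end = p ? p : start + strlen(start);
        eq = memchr(start, '=', (size_t)(end - start));
        if (eq != NULL)
            end = eq;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t'))
            end--;
        if (token_eq(start, (size_t)(end - start), flag))
            return 1;
    }
    return 0;
}

/* Copy the part of a Set-Cookie value that the client echoes back in its
 * Cookie: header (name=value only). Returns its length, 0 if out is too small. */
size_t cookie_request_pair(const char *value, char *out, size_t outsz)
{
    size_t n = strcspn(value, ";");
    if (n + 1 > outsz)
        return 0;
    memcpy(out, value, n);
    out[n] = '\0';
    return n;
}
```

A substring search for "httponly" would give false positives on a cookie whose value or path contains that text, which is why the check compares whole attribute names.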

Re: HttpOnly + [VOTE] T&R libapreq-2.13

Posted by Adam Prime <ad...@utoronto.ca>.
> All looks good.  Waiting for someone with more legal knowledge than I to
> confirm that we can re-use the patch, and I'll commit to trunk.
>
> We may also want to do a release.  With the small amount of development,
> it could be years until this sees the light of day if we wait to package
> more stuff into it :)  2.12 was released March, 2009, so I'd like to
> call a vote to T&R 2.13.
>
> [  ] Release 2.13 with the new HttpOnly cookie feature (once committed)
> [  ] Don't release 2.13 yet
>

I have tests for the perl interface at home. I can send that patch later
this evening.  I don't have a vote, but I'd vote for getting it out ;)

Adam