ruby-changes:38415
From: xibbar <ko1@a...>
Date: Fri, 15 May 2015 08:27:29 +0900 (JST)
Subject: [ruby-changes:38415] xibbar:r50496 (trunk): * lib/cgi/cookie.rb: Implement HttpOnly flag for cookies.
xibbar 2015-05-15 08:27:01 +0900 (Fri, 15 May 2015)
New Revision: 50496
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=50496
Log:
* lib/cgi/cookie.rb: Implement HttpOnly flag for cookies.
[fix GH-887] Patch by @martinpovolny
Modified files:
trunk/ChangeLog
trunk/lib/cgi/cookie.rb
trunk/test/cgi/test_cgi_cookie.rb
Index: ChangeLog
===================================================================
--- ChangeLog (revision 50495)
+++ ChangeLog (revision 50496)
@@ -1,3 +1,8 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1
+Fri May 15 08:24:28 2015 Takeyuki FUJIOKA <xibbar@r...>
+
+ * lib/cgi/cookie.rb: Implement HttpOnly flag for cookies.
+ [fix GH-887] Patch by @martinpovolny
+
Fri May 15 06:54:19 2015 Aaron Patterson <tenderlove@r...>
* variable.c: Change autoload to call `require` through Ruby rather
Index: lib/cgi/cookie.rb
===================================================================
--- lib/cgi/cookie.rb (revision 50495)
+++ lib/cgi/cookie.rb (revision 50496)
@@ -10,29 +10,32 @@ class CGI https://github.com/ruby/ruby/blob/trunk/lib/cgi/cookie.rb#L10
# == Examples of use
# cookie1 = CGI::Cookie.new("name", "value1", "value2", ...)
# cookie1 = CGI::Cookie.new("name" => "name", "value" => "value")
- # cookie1 = CGI::Cookie.new('name' => 'name',
- # 'value' => ['value1', 'value2', ...],
- # 'path' => 'path', # optional
- # 'domain' => 'domain', # optional
- # 'expires' => Time.now, # optional
- # 'secure' => true, # optional
+ # cookie1 = CGI::Cookie.new('name' => 'name',
+ # 'value' => ['value1', 'value2', ...],
+ # 'path' => 'path', # optional
+ # 'domain' => 'domain', # optional
+ # 'expires' => Time.now, # optional
+ # 'secure' => true, # optional
+ # 'httponly' => true # optional
# )
#
# cgi.out("cookie" => [cookie1, cookie2]) { "string" }
#
- # name = cookie1.name
- # values = cookie1.value
- # path = cookie1.path
- # domain = cookie1.domain
- # expires = cookie1.expires
- # secure = cookie1.secure
+ # name = cookie1.name
+ # values = cookie1.value
+ # path = cookie1.path
+ # domain = cookie1.domain
+ # expires = cookie1.expires
+ # secure = cookie1.secure
+ # httponly = cookie1.httponly
#
- # cookie1.name = 'name'
- # cookie1.value = ['value1', 'value2', ...]
- # cookie1.path = 'path'
- # cookie1.domain = 'domain'
- # cookie1.expires = Time.now + 30
- # cookie1.secure = true
+ # cookie1.name = 'name'
+ # cookie1.value = ['value1', 'value2', ...]
+ # cookie1.path = 'path'
+ # cookie1.domain = 'domain'
+ # cookie1.expires = Time.now + 30
+ # cookie1.secure = true
+ # cookie1.httponly = true
class Cookie < Array
@@accept_charset="UTF-8" unless defined?(@@accept_charset)
@@ -60,6 +63,8 @@ class CGI https://github.com/ruby/ruby/blob/trunk/lib/cgi/cookie.rb#L63
# secure:: whether this cookie is a secure cookie or not (default to
# false). Secure cookies are only transmitted to HTTPS
# servers.
+ # httponly:: whether this cookie is a HttpOnly cookie or not (default to
+ # false). HttpOnly cookies are not available to javascript.
#
# These keywords correspond to attributes of the cookie object.
def initialize(name = "", *value)
@@ -70,6 +75,7 @@ class CGI https://github.com/ruby/ruby/blob/trunk/lib/cgi/cookie.rb#L75
%r|^(.*/)|.match(ENV["SCRIPT_NAME"])
@path = ($1 or "")
@secure = false
+ @httponly = false
return super(value)
end
@@ -89,7 +95,8 @@ class CGI https://github.com/ruby/ruby/blob/trunk/lib/cgi/cookie.rb#L95
end
@domain = options["domain"]
@expires = options["expires"]
- @secure = options["secure"] == true ? true : false
+ @secure = options["secure"] == true
+ @httponly = options["httponly"] == true
super(value)
end
@@ -103,7 +110,9 @@ class CGI https://github.com/ruby/ruby/blob/trunk/lib/cgi/cookie.rb#L110
# Time at which this cookie expires, as a +Time+
attr_accessor :expires
# True if this cookie is secure; false otherwise
- attr_reader("secure")
+ attr_reader :secure
+ # True if this cookie is httponly; false otherwise
+ attr_reader :httponly
# Returns the value or list of values for this cookie.
def value
@@ -119,8 +128,14 @@ class CGI https://github.com/ruby/ruby/blob/trunk/lib/cgi/cookie.rb#L128
#
# +val+ must be a boolean.
def secure=(val)
- @secure = val if val == true or val == false
- @secure
+ @secure = !!val
+ end
+
+ # Set whether the Cookie is a httponly cookie or not.
+ #
+ # +val+ must be a boolean.
+ def httponly=(val)
+ @httponly = !!val
end
# Convert the Cookie to its string representation.
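Review bot: The options-hash constructor and the new setter disagree on what enables the flag: `@httponly = options["httponly"] == true` accepts only the literal `true`, while `httponly=(val)` coerces with `!!val`, so `CGI::Cookie.new('name' => 'n', 'httponly' => 1).httponly` is `false` but `cookie.httponly = 1` leaves it `true`; the reworked `@secure` assignment now has the same split. If the strict constructor contract is intended, state it in the new `httponly::` keyword doc, e.g. `# httponly:: whether this cookie is a HttpOnly cookie or not (default to false); only the literal +true+ enables it.`; otherwise route both through the setters with `self.secure = options["secure"]` and `self.httponly = options["httponly"]`. The same `httponly::` doc would also be more precise as `HttpOnly cookies are not exposed to client-side script (e.g. document.cookie); the flag does not protect the cookie in transit.` The enclosing `initialize` bodies start outside these hunks.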
@@ -130,7 +145,8 @@ class CGI https://github.com/ruby/ruby/blob/trunk/lib/cgi/cookie.rb#L145
buf << "; domain=#{@domain}" if @domain
buf << "; path=#{@path}" if @path
buf << "; expires=#{CGI::rfc1123_date(@expires)}" if @expires
- buf << "; secure" if @secure == true
+ buf << "; secure" if @secure
+ buf << "; HttpOnly" if @httponly
buf
end
Index: test/cgi/test_cgi_cookie.rb
===================================================================
--- test/cgi/test_cgi_cookie.rb (revision 50495)
+++ test/cgi/test_cgi_cookie.rb (revision 50496)
@@ -31,6 +31,7 @@ class CGICookieTest < Test::Unit::TestCa https://github.com/ruby/ruby/blob/trunk/test/cgi/test_cgi_cookie.rb#L31
assert_nil(cookie.expires)
assert_equal('', cookie.path)
assert_equal(false, cookie.secure)
+ assert_equal(false, cookie.httponly)
assert_equal("name1=val1&%26%3C%3E%22&%E3%82%86%E3%82%93%E3%82%86%E3%82%93; path=", cookie.to_s)
end
@@ -45,6 +46,7 @@ class CGICookieTest < Test::Unit::TestCa https://github.com/ruby/ruby/blob/trunk/test/cgi/test_cgi_cookie.rb#L46
'domain'=>'www.example.com',
'expires'=>t,
'secure'=>true,
+ 'httponly'=>true
)
assert_equal('name1', cookie.name)
assert_equal(value, cookie.value)
@@ -52,7 +54,8 @@ class CGICookieTest < Test::Unit::TestCa https://github.com/ruby/ruby/blob/trunk/test/cgi/test_cgi_cookie.rb#L54
assert_equal(t, cookie.expires)
assert_equal('/cgi-bin/myapp/', cookie.path)
assert_equal(true, cookie.secure)
- assert_equal('name1=val1&%26%3C%3E%22&%A5%E0%A5%B9%A5%AB; domain=www.example.com; path=/cgi-bin/myapp/; expires=Tue, 31 Dec 2030 23:59:59 GMT; secure', cookie.to_s)
+ assert_equal(true, cookie.httponly)
+ assert_equal('name1=val1&%26%3C%3E%22&%A5%E0%A5%B9%A5%AB; domain=www.example.com; path=/cgi-bin/myapp/; expires=Tue, 31 Dec 2030 23:59:59 GMT; secure; HttpOnly', cookie.to_s)
end
-- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
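Review bot: The new assertions in test_cgi_cookie.rb cover only the default (`false`) and the `'httponly' => true` options-hash path; the `httponly=` setter added by the same commit, its `!!val` coercion, and a `to_s` that emits `; HttpOnly` without `; secure` have no test, so the serialization order and the setter contract are pinned only indirectly. A short addition alongside the existing setter tests would close that gap: `cookie.httponly = true` / `assert_equal(true, cookie.httponly)` / `assert_match(/; HttpOnly\z/, cookie.to_s)`. The enclosing test methods start outside these hunks.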