ReceiveTempSMS
/
Sweden-Number
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

wininet: Don't allow overriding httponly cookies with non-httponly ones.

This commit is contained in:
Jacek Caban 2014-07-11 12:20:31 +02:00 committed by Alexandre Julliard
parent deb1f047a7
commit f72975d811
2 changed files with 23 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
dlls/wininet/cookie.c
View File

@ -963,6 +963,14 @@ DWORD set_cookie(const WCHAR *domain, const WCHAR *path, const WCHAR *cookie_nam
if ((thisCookie = COOKIE_findCookie(thisCookieDomain, cookie_name)))
{
if ((thisCookie->flags & INTERNET_COOKIE_HTTPONLY) && !(flags & INTERNET_COOKIE_HTTPONLY)) {
WARN("An attempt to override httponly cookie\n");
SetLastError(ERROR_INVALID_OPERATION);
heap_free(data);
if (value != data) heap_free(value);
return COOKIE_STATE_REJECT;
}
if (!(thisCookie->flags & INTERNET_COOKIE_IS_SESSION))
update_persistent = TRUE;
COOKIE_deleteCookie(thisCookie, FALSE);

15
dlls/wininet/tests/internet.c
View File

@ -595,6 +595,21 @@ static void test_cookie_attrs(void)
ret = InternetGetCookieExA("http://cookie.attrs.com/", NULL, buf, &size, INTERNET_COOKIE_HTTPONLY, NULL);
ok(ret, "InternetGetCookieEx failed: %u\n", GetLastError());
ok(!strcmp(buf, "A=data"), "data = %s\n", buf);
/* Try to override httponly cookie with non-httponly one */
ret = InternetSetCookieA("http://cookie.attrs.com/bar", NULL, "A=test");
ok(!ret && GetLastError() == ERROR_INVALID_OPERATION, "InternetSetCookie returned: %x (%u)\n", ret, GetLastError());
SetLastError(0xdeadbeef);
state = InternetSetCookieExA("http://cookie.attrs.com/bar", NULL, "A=data", 0, 0);
ok(state == COOKIE_STATE_REJECT && GetLastError() == ERROR_INVALID_OPERATION,
"InternetSetCookieEx returned: %x (%u)\n", ret, GetLastError());
size = sizeof(buf);
ret = InternetGetCookieExA("http://cookie.attrs.com/", NULL, buf, &size, INTERNET_COOKIE_HTTPONLY, NULL);
ok(ret, "InternetGetCookieEx failed: %u\n", GetLastError());
ok(!strcmp(buf, "A=data"), "data = %s\n", buf);
}
static void test_cookie_url(void)