Jacek Caban : wininet: Don't allow overriding httponly cookies with non-httponly ones.
Alexandre Julliard
julliard at wine.codeweavers.com
Fri Jul 11 13:37:32 CDT 2014
Module: wine
Branch: master
Commit: f72975d811a7622f32d66315276a9c8857f20090
URL: http://source.winehq.org/git/wine.git/?a=commit;h=f72975d811a7622f32d66315276a9c8857f20090
Author: Jacek Caban <jacek at codeweavers.com>
Date: Fri Jul 11 12:20:31 2014 +0200
wininet: Don't allow overriding httponly cookies with non-httponly ones.
---
dlls/wininet/cookie.c | 8 ++++++++
dlls/wininet/tests/internet.c | 15 +++++++++++++++
2 files changed, 23 insertions(+)
diff --git a/dlls/wininet/cookie.c b/dlls/wininet/cookie.c
index 0af8c38..8bf8953 100644
--- a/dlls/wininet/cookie.c
+++ b/dlls/wininet/cookie.c
@@ -963,6 +963,14 @@ DWORD set_cookie(const WCHAR *domain, const WCHAR *path, const WCHAR *cookie_nam
if ((thisCookie = COOKIE_findCookie(thisCookieDomain, cookie_name)))
{
+ if ((thisCookie->flags & INTERNET_COOKIE_HTTPONLY) && !(flags & INTERNET_COOKIE_HTTPONLY)) {
+ WARN("An attempt to override httponly cookie\n");
+ SetLastError(ERROR_INVALID_OPERATION);
+ heap_free(data);
+ if (value != data) heap_free(value);
+ return COOKIE_STATE_REJECT;
+ }
+
if (!(thisCookie->flags & INTERNET_COOKIE_IS_SESSION))
update_persistent = TRUE;
COOKIE_deleteCookie(thisCookie, FALSE);
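Review bot: The new reject path returns from the middle of set_cookie with hand-written cleanup (`heap_free(data); if (value != data) heap_free(value);`), so anything else the function acquired before this point would be skipped. The start of set_cookie is outside the hunk, so it is worth confirming that no lock or other resource is held here, and releasing it before `return COOKIE_STATE_REJECT;` if one is. The WARN line would also be more useful for diagnosing rejected writes if it named the cookie, e.g. `WARN("An attempt to override httponly cookie %s\n", debugstr_w(cookie_name));`. A one-line comment above the check, such as `/* A caller without INTERNET_COOKIE_HTTPONLY must not replace an httponly cookie */`, would record why the stored cookie's flag is compared with the passed-in `flags`.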
diff --git a/dlls/wininet/tests/internet.c b/dlls/wininet/tests/internet.c
index 17e16ab..688f786 100644
--- a/dlls/wininet/tests/internet.c
+++ b/dlls/wininet/tests/internet.c
@@ -595,6 +595,21 @@ static void test_cookie_attrs(void)
ret = InternetGetCookieExA("http://cookie.attrs.com/", NULL, buf, &size, INTERNET_COOKIE_HTTPONLY, NULL);
ok(ret, "InternetGetCookieEx failed: %u\n", GetLastError());
ok(!strcmp(buf, "A=data"), "data = %s\n", buf);
+
+ /* Try to override httponly cookie with non-httponly one */
+ ret = InternetSetCookieA("http://cookie.attrs.com/bar", NULL, "A=test");
+ ok(!ret && GetLastError() == ERROR_INVALID_OPERATION, "InternetSetCookie returned: %x (%u)\n", ret, GetLastError());
+
+ SetLastError(0xdeadbeef);
+ state = InternetSetCookieExA("http://cookie.attrs.com/bar", NULL, "A=data", 0, 0);
+ ok(state == COOKIE_STATE_REJECT && GetLastError() == ERROR_INVALID_OPERATION,
+ "InternetSetCookieEx returned: %x (%u)\n", ret, GetLastError());
+
+ size = sizeof(buf);
+ ret = InternetGetCookieExA("http://cookie.attrs.com/", NULL, buf, &size, INTERNET_COOKIE_HTTPONLY, NULL);
+ ok(ret, "InternetGetCookieEx failed: %u\n", GetLastError());
+ ok(!strcmp(buf, "A=data"), "data = %s\n", buf);
+
}
static void test_cookie_url(void)
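Review bot: The failure message of the InternetSetCookieExA check prints `ret` although that call stored its result in `state`, so a failing run would report the stale value left by the earlier InternetSetCookieA call; the argument line should read `"InternetSetCookieEx returned: %x (%u)\n", state, GetLastError());`. The first new check also reads GetLastError() without a preceding `SetLastError(0xdeadbeef);`, unlike the second one, so it could in principle pass on a leftover error code. Because the second attempt writes `A=data`, the value the cookie already holds, the final InternetGetCookieExA comparison cannot tell a rejected write from an accepted one for that attempt; a distinct value there would make the read meaningful.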