author | Dylan Simon <dylan@dylex.net> | 2011-09-14 17:30:42 -0400 |
committer | Dylan Simon <dylan@dylex.net> | 2011-09-17 23:39:45 -0400 |
commit | a964be6bd96583f8735fd297856f1c9845850f6a (patch) | |
tree | 332bf3ed489975a76b53d92e6103df306247e919 /examples/data | |
parent | 23dbcac12ebfd4391132dd27e646fcf892108502 (diff) |
preserve HttpOnly flag on cookies to prevent XSS attacks
Diffstat (limited to 'examples/data')
-rw-r--r-- | examples/data/plugins/cookies.py | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/examples/data/plugins/cookies.py b/examples/data/plugins/cookies.py
index e29ee36..a09cf69 100644
--- a/examples/data/plugins/cookies.py
+++ b/examples/data/plugins/cookies.py
@@ -39,7 +39,9 @@ class TextStore(object):
 'TRUE' : 'https',
 'FALSE' : 'http'
 }
+ extra = ''
 if cookie[0].startswith("#HttpOnly_"):
+ extra = 'Only'
 domain = cookie[0][len("#HttpOnly_"):]
 elif cookie[0].startswith('#'):
 return None
@@ -50,7 +52,7 @@ class TextStore(object):
 cookie[2], cookie[5], cookie[6],
- scheme[cookie[3]],
+ scheme[cookie[3]] + extra,
 cookie[4])
 except (KeyError,IndexError):
 # Let malformed rows pass through like comments
@@ -60,9 +62,17 @@ class TextStore(object):
 """Convert cookie event to cookie.txt row"""
 secure = {
 'https' : 'TRUE',
- 'http' : 'FALSE'
+ 'http' : 'FALSE',
+ 'httpsOnly' : 'TRUE',
+ 'httpOnly' : 'FALSE'
 }
- return (cookie[0],
+ http_only = {
+ 'https' : '',
+ 'http' : '',
+ 'httpsOnly' : '#HttpOnly_',
+ 'httpOnly' : '#HttpOnly_'
+ }
+ return (http_only[cookie[4]] + cookie[0],
 'TRUE' if cookie[0].startswith('.') else 'FALSE',
 cookie[1],
 secure[cookie[4]], |
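Review bot: The HttpOnly attribute is encoded by suffixing `'Only'` onto the scheme string (`extra = 'Only'` in the first hunk, applied as `scheme[cookie[3]] + extra` in the second), so the fifth tuple field now takes the values `'httpOnly'` and `'httpsOnly'` alongside `'http'` and `'https'`; any consumer of that field that tests `== 'https'` would classify an HttpOnly secure cookie as non-secure, which is the opposite of what the commit intends. Those consumers are not visible here, so this is an inference to confirm against the code that receives the parsed tuple. The encoding deserves a comment at the `extra = ''` line, e.g. `# HttpOnly is carried as an 'Only' suffix on the scheme field ('httpOnly'/'httpsOnly'); the row writer below reverses it`. The enclosing method starts outside the hunk, and the same encoding is consumed by the third hunk.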
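Review bot: In the third hunk the new `http_only` dict duplicates the key set of `secure` and the two tables must be kept in step by hand; the prefix can be derived from the suffix instead, `prefix = '#HttpOnly_' if cookie[4].endswith('Only') else ''` followed by `return (prefix + cookie[0],`, leaving `secure` as the single lookup table. As written, a scheme value outside the four keys raises `KeyError` from `http_only[cookie[4]]` before `secure` is consulted; the prior code had the same exposure through `secure[cookie[4]]`, and whether it is caught cannot be seen here because the enclosing method starts and ends outside the hunk.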