From d7ac95a7079b08ae722c4c22dabc283cf45aeb24 Mon Sep 17 00:00:00 2001
From: Kevin Morris
Date: Tue, 26 Oct 2021 19:09:39 -0700
Subject: [PATCH] fix(fastapi): limit cookie migration to whitelisted keys

Whitelisted keys: AURSID, AURTZ, AURLANG

Signed-off-by: Kevin Morris
---
 aurweb/util.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/aurweb/util.py b/aurweb/util.py
index f3048efe..c24cc1d0 100644
--- a/aurweb/util.py
+++ b/aurweb/util.py
@@ -104,9 +104,12 @@ def valid_ssh_pubkey(pk):
 
 
 def migrate_cookies(request, response):
+    whitelist = {"AURSID", "AURTZ", "AURLANG"}
+
     secure_cookies = aurweb.config.getboolean("options", "disable_http_login")
     for k, v in request.cookies.items():
-        response.set_cookie(k, v, secure=secure_cookies, httponly=True)
+        if k in whitelist:
+            response.set_cookie(k, v, secure=secure_cookies, httponly=True)
 
     return add_samesite_fields(response, "strict")
 
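Review bot: The allowlist on the added `whitelist = {"AURSID", "AURTZ", "AURLANG"}` line is a function-local literal with no comment on why exactly these three names are re-emitted, so the next person who adds a cookie has nothing to find, and migrate_cookies still has no docstring. Hoist it to a module-level constant, e.g. `MIGRATE_COOKIE_NAMES = frozenset({"AURSID", "AURTZ", "AURLANG"})` above the function with `if k in MIGRATE_COOKIE_NAMES:` in the loop, and give the function a docstring stating that only cookies in that set are copied from the request to the response with the secure/httponly flags and that every other cookie the client sent is dropped rather than reflected back. The membership test is an exact, case-sensitive match, which presumably agrees with how the cookies are set elsewhere in aurweb; worth confirming against the code that issues them. The hunk's leading context belongs to valid_ssh_pubkey, but the body of migrate_cookies is shown in full.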