external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix(fastapi): limit cookie migration to whitelisted keys

Browse source 
Whitelisted keys: AURSID, AURTZ, AURLANG

Signed-off-by: Kevin Morris <kevr@0cost.org>
This commit is contained in:
Kevin Morris 2021-10-26 19:09:39 -07:00
parent 65be8b8e07
commit d7ac95a707
No known key found for this signature in database
GPG key ID: F7E46DED420788F3
1 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
aurweb/util.py
View file

@ -104,9 +104,12 @@ def valid_ssh_pubkey(pk):
def migrate_cookies(request, response):
whitelist = {"AURSID", "AURTZ", "AURLANG"}
secure_cookies = aurweb.config.getboolean("options", "disable_http_login")
for k, v in request.cookies.items():
response.set_cookie(k, v, secure=secure_cookies, httponly=True)
if k in whitelist:
response.set_cookie(k, v, secure=secure_cookies, httponly=True)
return add_samesite_fields(response, "strict")