Module: check_mk
Branch: master
Commit: 86a8383d0d992d96a0053e1759500ea56b721da9
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=86a8383d0d992d…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jun 30 13:46:06 2015 +0200
#2392 SEC Auth cookie is always using "httponly" flag
All newly issued authentication cookies have the flag "httponly"
set now. This makes the cookie values inaccessible from scripts
executed in the browser, e.g. from Javascript. This secures the
cookie against some sorts of cookie stealing attempts.
See https://www.owasp.org/index.php/HttpOnly for details.
---
.werks/2392 | 15 +++++++++++++++
ChangeLog | 1 +
web/htdocs/html_mod_python.py | 3 ++-
3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/.werks/2392 b/.werks/2392
new file mode 100644
index 0000000..4b1a249
--- /dev/null
+++ b/.werks/2392
@@ -0,0 +1,15 @@
+Title: Auth cookie is always using "httponly" flag
+Level: 1
+Component: multisite
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.2.7i3
+Date: 1435664667
+
+All newly issued authentication cookies have the flag "httponly"
+set now. This makes the cookie values inaccessible from scripts
+executed in the browser, e.g. from Javascript. This secures the
+cookie against some sorts of cookie stealing attempts.
+
+See
https://www.owasp.org/index.php/HttpOnly for details.
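Review bot: the werk description should state precisely what the flag does and does not cover, rather than "some sorts of cookie stealing attempts". HttpOnly stops script running in the page from reading the cookie value (for example exfiltrating it via document.cookie after an XSS), but script in the page can still issue requests that the browser sends with the cookie attached, so the flag limits the damage of an XSS and is not a substitute for fixing the XSS issues listed next to it in the ChangeLog (2389, 2390). A sentence to that effect, plus a note that cookies issued before this change keep working without the flag until they are reissued, would make the security impact clear to users reading the werk.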
diff --git a/ChangeLog b/ChangeLog
index ec63693..90509c6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -31,6 +31,7 @@
* 2389 SEC: Fixed XSS using the _body_class parameter of views...
* 2390 SEC: Fixed possible XSS issue on views...
* 2391 SEC: Auth cookie is using "secure" flag when HTTPS request
detected...
+ * 2392 SEC: Auth cookie is always using "httponly" flag...
* 2314 FIX: Availability: fixed exception when grouping by host or service group
* 2361 FIX: Fix exception for missing key 'title' in certain cases of older
customized views
* 2379 FIX: Plugin-Output: Fixed handling of URLs within output of check_http...
diff --git a/web/htdocs/html_mod_python.py b/web/htdocs/html_mod_python.py
index 1c72e2f..c15d54c 100644
--- a/web/htdocs/html_mod_python.py
+++ b/web/htdocs/html_mod_python.py
@@ -70,7 +70,8 @@ class html_mod_python(htmllib.html):
return self.req.headers_in.get('X-Forwarded-Proto') == 'https'
def set_cookie(self, varname, value, expires = None):
- c = Cookie.Cookie(varname, value, path='/',
secure=self.is_ssl_request())
+ # httponly tells the browser not to make this cookie available to Javascript
+ c = Cookie.Cookie(varname, value, path='/', secure=self.is_ssl_request(),
httponly=True)
if expires is not None:
c.expires = expires
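Review bot: `httponly=True` is hardcoded in `set_cookie`, so every cookie set through this method becomes HttpOnly, not only the auth cookie named in the title; if any cookie set by the web UI is meant to be read by browser-side script, it will silently stop being readable. Consider adding a keyword parameter such as `httponly = True` to `set_cookie` so the secure default stays in place while a caller can opt out explicitly and visibly. It is also worth confirming that the mod_python `Cookie.Cookie` version this code is deployed with accepts the `httponly` attribute, since the flag only reaches the Set-Cookie header if the library serializes it; a quick check of the emitted header on a login response would settle that.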