Commit f72975d8 authored by Jacek Caban's avatar Jacek Caban Committed by Alexandre Julliard

wininet: Don't allow overriding httponly cookies with non-httponly ones.

parent deb1f047
......@@ -963,6 +963,14 @@ DWORD set_cookie(const WCHAR *domain, const WCHAR *path, const WCHAR *cookie_nam
if ((thisCookie = COOKIE_findCookie(thisCookieDomain, cookie_name)))
{
if ((thisCookie->flags & INTERNET_COOKIE_HTTPONLY) && !(flags & INTERNET_COOKIE_HTTPONLY)) {
WARN("An attempt to override httponly cookie\n");
SetLastError(ERROR_INVALID_OPERATION);
heap_free(data);
if (value != data) heap_free(value);
return COOKIE_STATE_REJECT;
}
if (!(thisCookie->flags & INTERNET_COOKIE_IS_SESSION))
update_persistent = TRUE;
COOKIE_deleteCookie(thisCookie, FALSE);
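Review bot: The new rejection path returns `COOKIE_STATE_REJECT` directly from inside set_cookie after freeing only `data` and `value`, so anything else acquired before this point would be left unreleased. set_cookie starts and ends outside this hunk, so it is not visible whether a lock or other resource is held here; if one is, this path has to release it before returning, and routing the rejection through the function's common cleanup would avoid missing it. The check would also benefit from a comment stating its intent, for example `/* A set request without INTERNET_COOKIE_HTTPONLY must not replace an existing httponly cookie. */`.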
......
......@@ -595,6 +595,21 @@ static void test_cookie_attrs(void)
ret = InternetGetCookieExA("http://cookie.attrs.com/", NULL, buf, &size, INTERNET_COOKIE_HTTPONLY, NULL);
ok(ret, "InternetGetCookieEx failed: %u\n", GetLastError());
ok(!strcmp(buf, "A=data"), "data = %s\n", buf);
/* Try to override httponly cookie with non-httponly one */
ret = InternetSetCookieA("http://cookie.attrs.com/bar", NULL, "A=test");
ok(!ret && GetLastError() == ERROR_INVALID_OPERATION, "InternetSetCookie returned: %x (%u)\n", ret, GetLastError());
SetLastError(0xdeadbeef);
state = InternetSetCookieExA("http://cookie.attrs.com/bar", NULL, "A=data", 0, 0);
ok(state == COOKIE_STATE_REJECT && GetLastError() == ERROR_INVALID_OPERATION,
"InternetSetCookieEx returned: %x (%u)\n", ret, GetLastError());
size = sizeof(buf);
ret = InternetGetCookieExA("http://cookie.attrs.com/", NULL, buf, &size, INTERNET_COOKIE_HTTPONLY, NULL);
ok(ret, "InternetGetCookieEx failed: %u\n", GetLastError());
ok(!strcmp(buf, "A=data"), "data = %s\n", buf);
}
static void test_cookie_url(void)
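Review bot: The failure message of the `InternetSetCookieExA` check prints `ret` although the value being tested is `state`, so a failing run would report the result of the earlier `InternetSetCookieA` call instead; the trailing arguments should be `state, GetLastError());`. The first attempt with `InternetSetCookieA` also reads `GetLastError()` without a preceding `SetLastError(0xdeadbeef);`, unlike the second attempt, so a stale error code left by an earlier call could satisfy that check. test_cookie_attrs begins outside the hunk.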
......