File novnc-0.4-secure-token-cookie.patch of Package novnc

Overview Repositories Revisions Requests Users Attributes Meta

File novnc-0.4-secure-token-cookie.patch of Package novnc

From ad941faddead705cd611921730054767a0b32dcd Mon Sep 17 00:00:00 2001
From: Takashi Natsume <natsume.takashi@lab.ntt.co.jp>
Date: Mon, 28 Oct 2013 12:02:30 +0000
Subject: [PATCH] Adds support for secure attribute on token cookie (bnc#922233)

https://bugzilla.suse.com/show_bug.cgi?id=922233  (CVE-2013-7436)
This patch adds support for the secure attribute on token
cookies (sent by nova-novncproxy). If the https is used
to transfer the cookie, the secure attribute is set thus
restricting server requestes to secure conections only.
This should prevent man-in-the-middle attacks.
---
 include/webutil.js | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

Index: noVNC-0.4/include/webutil.js
===================================================================
--- noVNC-0.4.orig/include/webutil.js
+++ noVNC-0.4/include/webutil.js
@@ -1,6 +1,7 @@
 /*
  * noVNC: HTML5 VNC client
  * Copyright (C) 2012 Joel Martin
+ * Copyright (C) 2013 NTT corp.
  * Licensed under LGPL-3 (see LICENSE.txt)
  *
  * See README.md for usage and integration instructions.
@@ -87,16 +88,20 @@ WebUtil.getQueryVar = function(name, def
 
 // No days means only for this browser session
 WebUtil.createCookie = function(name,value,days) {
-    var date, expires;
+    var date, expires, secure;
     if (days) {
         date = new Date();
         date.setTime(date.getTime()+(days*24*60*60*1000));
         expires = "; expires="+date.toGMTString();
-    }
-    else {
+    } else {
         expires = "";
     }
-    document.cookie = name+"="+value+expires+"; path=/";
+    if (document.location.protocol === "https:") {
+        secure = "; secure";
+    } else {
+        secure = "";
+    }
+    document.cookie = name+"="+value+expires+"; path=/"+secure;
 };
 
 WebUtil.readCookie = function(name, defaultValue) {

Places

File novnc-0.4-secure-token-cookie.patch of Package novnc

Places