Cloud:OpenStack:Juno
File novnc-0.4-secure-token-cookie.patch of Package novnc
From ad941faddead705cd611921730054767a0b32dcd Mon Sep 17 00:00:00 2001 From: Takashi Natsume <natsume.takashi@lab.ntt.co.jp> Date: Mon, 28 Oct 2013 12:02:30 +0000 Subject: [PATCH] Adds support for secure attribute on token cookie (bnc#922233) https://bugzilla.suse.com/show_bug.cgi?id=922233 (CVE-2013-7436) This patch adds support for the secure attribute on token cookies (sent by nova-novncproxy). If the https is used to transfer the cookie, the secure attribute is set thus restricting server requests to secure connections only. This should prevent man-in-the-middle attacks. --- include/webutil.js | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) Index: noVNC-0.4/include/webutil.js =================================================================== --- noVNC-0.4.orig/include/webutil.js +++ noVNC-0.4/include/webutil.js @@ -1,6 +1,7 @@ /* * noVNC: HTML5 VNC client * Copyright (C) 2012 Joel Martin + * Copyright (C) 2013 NTT corp. * Licensed under LGPL-3 (see LICENSE.txt) * * See README.md for usage and integration instructions. @@ -87,16 +88,20 @@ WebUtil.getQueryVar = function(name, def // No days means only for this browser session WebUtil.createCookie = function(name,value,days) { - var date, expires; + var date, expires, secure; if (days) { date = new Date(); date.setTime(date.getTime()+(days*24*60*60*1000)); expires = "; expires="+date.toGMTString(); - } - else { + } else { expires = ""; } - document.cookie = name+"="+value+expires+"; path=/"; + if (document.location.protocol === "https:") { + secure = "; secure"; + } else { + secure = ""; + } + document.cookie = name+"="+value+expires+"; path=/"+secure; }; WebUtil.readCookie = function(name, defaultValue) {
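Review bot: In the WebUtil.createCookie hunk, the comment above the function (`// No days means only for this browser session`) is left unchanged, so nothing in the source documents that the cookie now gets `; secure` whenever `document.location.protocol === "https:"`. Add a line there saying so, and state that a page loaded over plain http still takes the else branch (`secure = "";`) and writes the cookie without the attribute, so the restriction applies only when the page itself is served over https. The `} else {` brace reflow inside the `if (days)` block is a style change unrelated to the fix and would be easier to audit as a separate commit. The new `secure` if/else could also be a single conditional expression.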