0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2025-01-13 22:51:08 -05:00

browse: Don't leak Cookies to sessions in HTTP from HTTPS

This commit is contained in:
W-Mark Kubacki 2016-04-16 21:37:06 +02:00
parent 3513b6f2f7
commit c05c5163e2

View file

@ -315,8 +315,8 @@ func (b Browse) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
listing.Sort = sortCookie.Value
}
} else { // Save the query value of 'sort' and 'order' as cookies.
http.SetCookie(w, &http.Cookie{Name: "sort", Value: listing.Sort, Path: "/"})
http.SetCookie(w, &http.Cookie{Name: "order", Value: listing.Order, Path: "/"})
http.SetCookie(w, &http.Cookie{Name: "sort", Value: listing.Sort, Path: bc.PathScope, Secure: r.TLS != nil})
http.SetCookie(w, &http.Cookie{Name: "order", Value: listing.Order, Path: bc.PathScope, Secure: r.TLS != nil})
}
if listing.Order == "" {
@ -325,7 +325,7 @@ func (b Browse) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
listing.Order = orderCookie.Value
}
} else {
http.SetCookie(w, &http.Cookie{Name: "order", Value: listing.Order, Path: "/"})
http.SetCookie(w, &http.Cookie{Name: "order", Value: listing.Order, Path: bc.PathScope, Secure: r.TLS != nil})
}
listing.applySort()