Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(173)

Unified Diff: net/cookies/canonical_cookie.cc

Issue 2861063003: Remove dangerous CanonicalCookie::Create method. (Closed)
Patch Set: Use creation_time for last_access_time as per Elly's suggestion. Created 3 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/cookies/canonical_cookie.h ('k') | net/cookies/canonical_cookie_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cookies/canonical_cookie.cc
diff --git a/net/cookies/canonical_cookie.cc b/net/cookies/canonical_cookie.cc
index 2b53e4ee497fa4ed7e3fa6652afd0e8221e53b16..2eb732b7d237964077ff129922dc82fd83acdbf1 100644
--- a/net/cookies/canonical_cookie.cc
+++ b/net/cookies/canonical_cookie.cc
@@ -74,36 +74,6 @@ bool GetCookieDomain(const GURL& url,
return cookie_util::GetCookieDomainWithString(url, domain_string, result);
}
-std::string CanonPathWithString(const GURL& url,
- const std::string& path_string) {
- // The RFC says the path should be a prefix of the current URL path.
- // However, Mozilla allows you to set any path for compatibility with
- // broken websites. We unfortunately will mimic this behavior. We try
- // to be generous and accept cookies with an invalid path attribute, and
- // default the path to something reasonable.
-
- // The path was supplied in the cookie, we'll take it.
- if (!path_string.empty() && path_string[0] == '/')
- return path_string;
-
- // The path was not supplied in the cookie or invalid, we will default
- // to the current URL path.
- // """Defaults to the path of the request URL that generated the
- // Set-Cookie response, up to, but not including, the
- // right-most /."""
- // How would this work for a cookie on /? We will include it then.
- const std::string& url_path = url.path();
-
- size_t idx = url_path.find_last_of('/');
-
- // The cookie path was invalid or a single '/'.
- if (idx == 0 || idx == std::string::npos)
- return std::string("/");
-
- // Return up to the rightmost '/'.
- return url_path.substr(0, idx);
-}
-
// Compares cookies using name, domain and path, so that "equivalent" cookies
// (per RFC 2965) are equal to each other.
int PartialCookieOrdering(const CanonicalCookie& a, const CanonicalCookie& b) {
@@ -130,12 +100,35 @@ CanonicalCookie::CanonicalCookie(const CanonicalCookie& other) = default;
CanonicalCookie::~CanonicalCookie() {}
// static
-std::string CanonicalCookie::CanonPath(const GURL& url,
- const ParsedCookie& pc) {
- std::string path_string;
- if (pc.HasPath())
- path_string = pc.Path();
- return CanonPathWithString(url, path_string);
+std::string CanonicalCookie::CanonPathWithString(
+ const GURL& url,
+ const std::string& path_string) {
+ // The RFC says the path should be a prefix of the current URL path.
+ // However, Mozilla allows you to set any path for compatibility with
+ // broken websites. We unfortunately will mimic this behavior. We try
+ // to be generous and accept cookies with an invalid path attribute, and
+ // default the path to something reasonable.
+
+ // The path was supplied in the cookie, we'll take it.
+ if (!path_string.empty() && path_string[0] == '/')
+ return path_string;
+
+ // The path was not supplied in the cookie or invalid, we will default
+ // to the current URL path.
+ // """Defaults to the path of the request URL that generated the
+ // Set-Cookie response, up to, but not including, the
+ // right-most /."""
+ // How would this work for a cookie on /? We will include it then.
+ const std::string& url_path = url.path();
+
+ size_t idx = url_path.find_last_of('/');
+
+ // The cookie path was invalid or a single '/'.
+ if (idx == 0 || idx == std::string::npos)
+ return std::string("/");
+
+ // Return up to the rightmost '/'.
+ return url_path.substr(0, idx);
}
// static
@@ -201,7 +194,9 @@ std::unique_ptr<CanonicalCookie> CanonicalCookie::Create(
return nullptr;
}
- std::string cookie_path = CanonicalCookie::CanonPath(url, parsed_cookie);
+ std::string cookie_path = CanonPathWithString(
+ url, parsed_cookie.HasPath() ? parsed_cookie.Path() : std::string());
+
Time server_time(creation_time);
if (options.has_server_time())
server_time = options.server_time();
@@ -229,62 +224,6 @@ std::unique_ptr<CanonicalCookie> CanonicalCookie::Create(
// static
std::unique_ptr<CanonicalCookie> CanonicalCookie::Create(
- const GURL& url,
- const std::string& name,
- const std::string& value,
- const std::string& domain,
- const std::string& path,
- const base::Time& creation,
- const base::Time& expiration,
- bool secure,
- bool http_only,
- CookieSameSite same_site,
- CookiePriority priority) {
- // Expect valid attribute tokens and values, as defined by the ParsedCookie
- // logic, otherwise don't create the cookie.
- std::string parsed_name = ParsedCookie::ParseTokenString(name);
- if (parsed_name != name)
- return nullptr;
- std::string parsed_value = ParsedCookie::ParseValueString(value);
- if (parsed_value != value)
- return nullptr;
-
- std::string parsed_domain = ParsedCookie::ParseValueString(domain);
- if (parsed_domain != domain)
- return nullptr;
- std::string cookie_domain;
- if (!cookie_util::GetCookieDomainWithString(url, parsed_domain,
- &cookie_domain)) {
- return nullptr;
- }
-
- if (secure && !url.SchemeIsCryptographic())
- return nullptr;
-
- std::string parsed_path = ParsedCookie::ParseValueString(path);
- if (parsed_path != path)
- return nullptr;
-
- std::string cookie_path = CanonPathWithString(url, parsed_path);
- // Expect that the path was either not specified (empty), or is valid.
- if (!parsed_path.empty() && cookie_path != parsed_path)
- return nullptr;
- // Canonicalize path again to make sure it escapes characters as needed.
- url::Component path_component(0, cookie_path.length());
- url::RawCanonOutputT<char> canon_path;
- url::Component canon_path_component;
- url::CanonicalizePath(cookie_path.data(), path_component, &canon_path,
- &canon_path_component);
- cookie_path = std::string(canon_path.data() + canon_path_component.begin,
- canon_path_component.len);
-
- return base::WrapUnique(new CanonicalCookie(
- parsed_name, parsed_value, cookie_domain, cookie_path, creation,
- expiration, creation, secure, http_only, same_site, priority));
-}
-
-// static
-std::unique_ptr<CanonicalCookie> CanonicalCookie::Create(
const std::string& name,
const std::string& value,
const std::string& domain,
@@ -296,6 +235,9 @@ std::unique_ptr<CanonicalCookie> CanonicalCookie::Create(
bool http_only,
CookieSameSite same_site,
CookiePriority priority) {
+ DCHECK(!name.empty());
+ DCHECK(!path.empty());
+
return base::WrapUnique(
new CanonicalCookie(name, value, domain, path, creation, expiration,
last_access, secure, http_only, same_site, priority));
« no previous file with comments | « net/cookies/canonical_cookie.h ('k') | net/cookies/canonical_cookie_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698