Fossil SCM

Merge the ben-security branch into the trunk.

drh 2011-05-23 15:11 trunk merge
Commit 474850cff598d76f4e23f7df1f2ea26e93478c45
2 files changed +8 -4 +9
+8 -4
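--- a/src/cgi.c
+++ b/src/cgi.c
@@ -191,20 +191,24 @@
 const char *zName, /* Name of the cookie */
 const char *zValue, /* Value of the cookie. Automatically escaped */
 const char *zPath, /* Path cookie applies to. NULL means "/" */
 int lifetime /* Expiration of the cookie in seconds from now */
 ){
+char *zSecure = "";
 if( zPath==0 ) zPath = g.zTop;
+if( g.zBaseURL!=0 && strncmp(g.zBaseURL, "https:", 6)==0 ){
+zSecure = " secure;";
+}
 if( lifetime>0 ){
 lifetime += (int)time(0);
 blob_appendf(&extraHeader,
-"Set-Cookie: %s=%t; Path=%s; expires=%z; Version=1\r\n",
-zName, zValue, zPath, cgi_rfc822_datestamp(lifetime));
+"Set-Cookie: %s=%t; Path=%s; expires=%z; HttpOnly;%s Version=1\r\n",
+zName, zValue, zPath, cgi_rfc822_datestamp(lifetime), zSecure);
 }else{
 blob_appendf(&extraHeader,
-"Set-Cookie: %s=%t; Path=%s; Version=1\r\n",
-zName, zValue, zPath);
+"Set-Cookie: %s=%t; Path=%s; HttpOnly;%s Version=1\r\n",
+zName, zValue, zPath, zSecure);
 }
 }
 
 #if 0
 /*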
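Review bot: The `secure` attribute depends only on `g.zBaseURL` starting with `https:`, so the new check fails open: if `g.zBaseURL` is still NULL when the cookie is set, or (presumably) if TLS is terminated in front of the server and the base URL reads `http:`, the cookie is sent without it and nothing records that. A short comment above the check would make the contract visible, for example `/* Mark the cookie "secure" only when the base URL is https; HttpOnly is always set */`. Because `zSecure` only ever points at string literals, it should be declared `const char *zSecure = "";`. The function's signature and header comment start above the hunk, and that header comment is where to mention that every cookie set through this function is now HttpOnly.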
--- src/cgi.c
+++ src/cgi.c
@@ -191,20 +191,24 @@
191 const char *zName, /* Name of the cookie */
192 const char *zValue, /* Value of the cookie. Automatically escaped */
193 const char *zPath, /* Path cookie applies to. NULL means "/" */
194 int lifetime /* Expiration of the cookie in seconds from now */
195 ){
 
196 if( zPath==0 ) zPath = g.zTop;
 
 
 
197 if( lifetime>0 ){
198 lifetime += (int)time(0);
199 blob_appendf(&extraHeader,
200 "Set-Cookie: %s=%t; Path=%s; expires=%z; Version=1\r\n",
201 zName, zValue, zPath, cgi_rfc822_datestamp(lifetime));
202 }else{
203 blob_appendf(&extraHeader,
204 "Set-Cookie: %s=%t; Path=%s; Version=1\r\n",
205 zName, zValue, zPath);
206 }
207 }
208
209 #if 0
210 /*
211
--- src/cgi.c
+++ src/cgi.c
@@ -191,20 +191,24 @@
191 const char *zName, /* Name of the cookie */
192 const char *zValue, /* Value of the cookie. Automatically escaped */
193 const char *zPath, /* Path cookie applies to. NULL means "/" */
194 int lifetime /* Expiration of the cookie in seconds from now */
195 ){
196 char *zSecure = "";
197 if( zPath==0 ) zPath = g.zTop;
198 if( g.zBaseURL!=0 && strncmp(g.zBaseURL, "https:", 6)==0 ){
199 zSecure = " secure;";
200 }
201 if( lifetime>0 ){
202 lifetime += (int)time(0);
203 blob_appendf(&extraHeader,
204 "Set-Cookie: %s=%t; Path=%s; expires=%z; HttpOnly;%s Version=1\r\n",
205 zName, zValue, zPath, cgi_rfc822_datestamp(lifetime), zSecure);
206 }else{
207 blob_appendf(&extraHeader,
208 "Set-Cookie: %s=%t; Path=%s; HttpOnly;%s Version=1\r\n",
209 zName, zValue, zPath, zSecure);
210 }
211 }
212
213 #if 0
214 /*
215
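--- a/src/http_ssl.c
+++ b/src/http_ssl.c
@@ -182,15 +182,24 @@
 if( SSL_get_verify_result(ssl) != X509_V_OK ){
 char *desc, *prompt;
 char *warning = "";
 Blob ans;
 BIO *mem;
+unsigned char md[32];
+unsigned int mdLength = 31;
 
 mem = BIO_new(BIO_s_mem());
 X509_NAME_print_ex(mem, X509_get_subject_name(cert), 2, XN_FLAG_MULTILINE);
 BIO_puts(mem, "\n\nIssued By:\n\n");
 X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 2, XN_FLAG_MULTILINE);
+BIO_puts(mem, "\n\nSHA1 Fingerprint:\n\n ");
+if(X509_digest(cert, EVP_sha1(), md, &mdLength)){
+int j;
+for( j = 0; j < mdLength; ++j ) {
+BIO_printf(mem, " %02x", md[j]);
+}
+}
 BIO_write(mem, "", 1); // null-terminate mem buffer
 BIO_get_mem_data(mem, &desc);
 
 if( hasSavedCertificate ){
 warning = "WARNING: Certificate doesn't match the "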
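Review bot: `unsigned int mdLength = 31` next to `md[32]` reads like a bound, but X509_digest() treats the length argument as output only and writes as many bytes as the digest produces, so nothing here enforces the buffer size. SHA-1's 20 bytes fit, but sizing the buffer for any digest keeps this safe if the hash is changed later: `unsigned char md[EVP_MAX_MD_SIZE];` and `unsigned int mdLength = 0;`. The loop index should be `unsigned int j` to match `mdLength`. When X509_digest() fails the "SHA1 Fingerprint:" heading is left with nothing under it, so an `else` that prints a placeholder such as `BIO_puts(mem, " (unavailable)");` would avoid prompting the user to accept a certificate with an empty fingerprint line. The enclosing `if` block continues beyond the hunk.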
--- src/http_ssl.c
+++ src/http_ssl.c
@@ -182,15 +182,24 @@
182 if( SSL_get_verify_result(ssl) != X509_V_OK ){
183 char *desc, *prompt;
184 char *warning = "";
185 Blob ans;
186 BIO *mem;
 
 
187
188 mem = BIO_new(BIO_s_mem());
189 X509_NAME_print_ex(mem, X509_get_subject_name(cert), 2, XN_FLAG_MULTILINE);
190 BIO_puts(mem, "\n\nIssued By:\n\n");
191 X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 2, XN_FLAG_MULTILINE);
 
 
 
 
 
 
 
192 BIO_write(mem, "", 1); // null-terminate mem buffer
193 BIO_get_mem_data(mem, &desc);
194
195 if( hasSavedCertificate ){
196 warning = "WARNING: Certificate doesn't match the "
197
--- src/http_ssl.c
+++ src/http_ssl.c
@@ -182,15 +182,24 @@
182 if( SSL_get_verify_result(ssl) != X509_V_OK ){
183 char *desc, *prompt;
184 char *warning = "";
185 Blob ans;
186 BIO *mem;
187 unsigned char md[32];
188 unsigned int mdLength = 31;
189
190 mem = BIO_new(BIO_s_mem());
191 X509_NAME_print_ex(mem, X509_get_subject_name(cert), 2, XN_FLAG_MULTILINE);
192 BIO_puts(mem, "\n\nIssued By:\n\n");
193 X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 2, XN_FLAG_MULTILINE);
194 BIO_puts(mem, "\n\nSHA1 Fingerprint:\n\n ");
195 if(X509_digest(cert, EVP_sha1(), md, &mdLength)){
196 int j;
197 for( j = 0; j < mdLength; ++j ) {
198 BIO_printf(mem, " %02x", md[j]);
199 }
200 }
201 BIO_write(mem, "", 1); // null-terminate mem buffer
202 BIO_get_mem_data(mem, &desc);
203
204 if( hasSavedCertificate ){
205 warning = "WARNING: Certificate doesn't match the "
206
