Commit 53056ce224f1ad13af41ee8aa14e3da8cc398893
1 parent
cb9b3dd2
Make sure well-behaved plugin cookies always pass through
Showing
3 changed files
with
16 additions
and
7 deletions
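--- a/etc/noosfero/varnish-noosfero.vcl
+++ b/etc/noosfero/varnish-noosfero.vcl
@@ -1,9 +1,8 @@
 sub vcl_recv {
   if (req.request == "GET" || req.request == "HEAD") {
     if (req.http.Cookie) {
-      # We only care about the "_noosfero_session.*" cookie, used for
-      # authentication.
-      if (req.http.Cookie !~ "_noosfero_session.*" ) {
+      # We only care about the "_noosfero_.*" cookies, used by Noosfero
+      if (req.http.Cookie !~ "_noosfero_.*" ) {
         # strip all cookies
         unset req.http.Cookie;
       }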
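Review bot: The broadened test on the new line 5, `req.http.Cookie !~ "_noosfero_.*"`, is an unanchored substring match over the whole Cookie header, so any cookie whose value merely contains `_noosfero_` (which a client can send freely) keeps its cookies and skips the stripping, and the trailing `.*` adds nothing to the match. Tying the exemption to a cookie name boundary, `if (req.http.Cookie !~ "(^|;\s*)_noosfero_[A-Za-z0-9_]+=") {`, limits it to the names Noosfero actually sets. The practical effect of a spoofed match looks like a cache bypass rather than a data leak, since the init.rb hunk in this commit still strips Set-Cookie on unauthenticated responses, but the narrower pattern costs nothing. The enclosing `sub vcl_recv` continues past the end of the hunk.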
plugins/shopping_cart/controllers/shopping_cart_plugin_controller.rb
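--- a/vendor/plugins/noosfero_caching/init.rb
+++ b/vendor/plugins/noosfero_caching/init.rb
@@ -38,13 +38,23 @@ module NoosferoHttpCaching
     def call(env)
       status, headers, body = @app.call(env)
       if headers['X-Noosfero-Auth'] == 'false'
-        # FIXME do not do this if there is any plugin cookie set (e.g.
-        # _noosfero_session_shopping_cart)
-        headers.delete('Set-Cookie')
+        headers['Set-Cookie'] = remove_unwanted_cookies(headers['Set-Cookie'])
       end
       headers.delete('X-Noosfero-Auth')
       [status, headers, body]
     end
+
+    protected
+
+    # filter off all cookies except for plugin-provided ones that are
+    # path-specific (i.e path != "/").
+    def remove_unwanted_cookies(cookie_list)
+      return nil if cookie_list.nil?
+      cookie_list.select do |c|
+        c =~ /^_noosfero_plugin_\w+=/ && c =~ /path=\/\w+/
+      end
+    end
+
   end
 
 end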
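Review bot: When `remove_unwanted_cookies` returns `nil` (no Set-Cookie present) or an empty array (every cookie filtered out), the new line 41 stores that nil or `[]` under `headers['Set-Cookie']`, whereas the old code deleted the key; Rack expects header values to be Strings, so the nil case in particular creates a header that was not there before and can trip Rack::Lint or a handler. I would keep delete-by-default: `kept = remove_unwanted_cookies(headers['Set-Cookie'])`, `headers.delete('Set-Cookie')`, `headers['Set-Cookie'] = kept unless kept.nil? || kept.empty?`. The `select` also assumes `cookie_list` is an Array; if the app hands over a newline-joined String, as some Rack versions do, `select` iterates lines on Ruby 1.8 but raises NoMethodError on 1.9+, so `cookie_list = cookie_list.split("\n") if cookie_list.is_a?(String)` would make the contract explicit. In the filter, `\A` is the safer anchor than `^` for a per-cookie string, and the pass-through only stays safe if vcl_fetch (not in this diff) keeps Varnish's default of not caching responses that carry Set-Cookie; if that default has been overridden, a per-user plugin cookie could be cached and served to other anonymous visitors.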