Commit 53056ce224f1ad13af41ee8aa14e3da8cc398893

Authored by Antonio Terceiro
1 parent cb9b3dd2

Make sure well-behaved plugin cookies always pass through

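--- a/etc/noosfero/varnish-noosfero.vcl
+++ b/etc/noosfero/varnish-noosfero.vcl
@@ -1,9 +1,8 @@
 sub vcl_recv {
 if (req.request == "GET" || req.request == "HEAD") {
 if (req.http.Cookie) {
-# We only care about the "_noosfero_session.*" cookie, used for
-# authentication.
-if (req.http.Cookie !~ "_noosfero_session.*" ) {
+# We only care about the "_noosfero_.*" cookies, used by Noosfero
+if (req.http.Cookie !~ "_noosfero_.*" ) {
 # strip all cookies
 unset req.http.Cookie;
 }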
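Review bot: The pattern `"_noosfero_.*"` in the `!~` test is unanchored, so the whole Cookie header is kept whenever the text `_noosfero_` appears anywhere in it, including inside an unrelated cookie's value, and the trailing `.*` adds nothing. With Varnish's default handling a request that keeps its Cookie header is not served from cache, so whether a request is cached is decided by client-supplied text. That was already the case with the old pattern, but the wider prefix is a good moment to match on cookie names only, e.g. `if (req.http.Cookie !~ "(^|; *)_noosfero_[A-Za-z0-9_]+=") {`. The updated comment could also state which prefixes are expected here (`_noosfero_session`, `_noosfero_plugin_`). vcl_recv continues outside the lines shown.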
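--- a/plugins/shopping_cart/controllers/shopping_cart_plugin_controller.rb
+++ b/plugins/shopping_cart/controllers/shopping_cart_plugin_controller.rb
@@ -290,7 +290,7 @@ class ShoppingCartPluginController < PublicController
 end
 
 def cookie_key
-:_noosfero_session_shopping_cart
+:_noosfero_plugin_shopping_cart
 end
 
 end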
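--- a/vendor/plugins/noosfero_caching/init.rb
+++ b/vendor/plugins/noosfero_caching/init.rb
@@ -38,13 +38,23 @@ module NoosferoHttpCaching
 def call(env)
 status, headers, body = @app.call(env)
 if headers['X-Noosfero-Auth'] == 'false'
-# FIXME do not do this if there is any plugin cookie set (e.g.
-# _noosfero_session_shopping_cart)
-headers.delete('Set-Cookie')
+headers['Set-Cookie'] = remove_unwanted_cookies(headers['Set-Cookie'])
 end
 headers.delete('X-Noosfero-Auth')
 [status, headers, body]
 end
+
+protected
+
+# filter off all cookies except for plugin-provided ones that are
+# path-specific (i.e path != "/").
+def remove_unwanted_cookies(cookie_list)
+return nil if cookie_list.nil?
+cookie_list.select do |c|
+c =~ /^_noosfero_plugin_\w+=/ && c =~ /path=\/\w+/
+end
+end
+
 end
 
 end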
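Review bot: When every cookie is filtered out, `call` now leaves `headers['Set-Cookie']` set to `nil` or an empty list where the old code deleted the key, so an unauthenticated response may still go out with an empty or malformed Set-Cookie header depending on how the server serializes it; the key should be deleted when nothing survives the filter. In `remove_unwanted_cookies`, `^` matches at the start of any line, so an entry holding several newline-joined cookies would pass whole, session cookie included, if any line starts with `_noosfero_plugin_`; `\A` anchors to the string, and the path test is safer tied to the `;` attribute separator and made case-insensitive. The method also assumes the header value responds to `select` with one cookie per element, which these lines do not show. A comment above the method saying that this filter is what keeps session cookies off cacheable anonymous responses would help the next editor.

```ruby
if headers['X-Noosfero-Auth'] == 'false'
  kept = remove_unwanted_cookies(headers['Set-Cookie'])
  if kept.nil? || kept.empty?
    headers.delete('Set-Cookie')
  else
    headers['Set-Cookie'] = kept
  end
end
# … unchanged: X-Noosfero-Auth removal and return value …

# … unchanged: remove_unwanted_cookies signature and nil guard …
cookie_list.select do |c|
  c =~ /\A_noosfero_plugin_\w+=/ && c =~ /;\s*path=\/\w+/i
end
```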