web content can set httponly cookie by overwriting a non-httponly one. b=387543, p=dveditz, r=dwitte, sr=mconnor.
authordwitte@stanford.edu
Tue, 10 Jul 2007 20:21:07 -0700
changeset 3314 e7bc041cde01e2d5cb64d45d0b8c1e5e000ef3e5
parent 3313 a67df69e95bbd15a414791f8d2820fa3f45f4c52
child 3315 756fa14d0699696bc3600b46a62a9a31149d1fd3
reviewersdwitte, mconnor
bugs387543
milestone1.9a7pre
web content can set httponly cookie by overwriting a non-httponly one. b=387543, p=dveditz, r=dwitte, sr=mconnor.
netwerk/cookie/src/nsCookieService.cpp
--- a/netwerk/cookie/src/nsCookieService.cpp
+++ b/netwerk/cookie/src/nsCookieService.cpp
@@ -1302,16 +1302,22 @@ nsCookieService::SetCookieInternal(nsIUR
 // reached). also performs list maintenance by removing expired cookies.
 void
 nsCookieService::AddInternal(nsCookie   *aCookie,
                              PRInt64     aCurrentTime,
                              nsIURI     *aHostURI,
                              const char *aCookieHeader,
                              PRBool      aFromHttp)
 {
+  // if the new cookie is httponly, make sure we're not coming from script
+  if (!aFromHttp && aCookie->IsHttpOnly()) {
+    COOKIE_LOGFAILURE(SET_COOKIE, aHostURI, aCookieHeader, "cookie is httponly; coming from script");
+    return;
+  }
+
   // start a transaction on the storage db, to optimize deletions/insertions.
   // transaction will automically commit on completion. if we already have a
   // transaction (e.g. from SetCookie*()), this will have no effect. 
   mozStorageTransaction transaction(mDBConn, PR_TRUE);
 
   nsListIter matchIter;
   const PRBool foundCookie =
     FindCookie(aCookie->Host(), aCookie->Name(), aCookie->Path(), matchIter);
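Review bot: The hoisted guard at the top of AddInternal only rejects a script-originated set when the new cookie itself is httponly; the mirror case, where script supplies a non-httponly cookie whose host/name/path matches an existing httponly cookie located by FindCookie, is decided in the foundCookie branch that sits between the two hunks and is not visible here, so confirm that branch also rejects when `!aFromHttp` and the matched cookie's `IsHttpOnly()` is true before the old cookie is replaced or expired. Since the check now precedes the transaction, the header comment above the signature is the right place to record the invariant, e.g. `// httponly cookies may only be set or replaced from an HTTP response; sets originating from script are rejected before any list change.` AddInternal's body continues past the end of this hunk.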
@@ -1337,22 +1343,16 @@ nsCookieService::AddInternal(nsCookie   
 
   } else {
     // check if cookie has already expired
     if (aCookie->Expiry() <= aCurrentTime) {
       COOKIE_LOGFAILURE(SET_COOKIE, aHostURI, aCookieHeader, "cookie has already expired");
       return;
     }
 
-    // if the new cookie is httponly, make sure we're not coming from script
-    if (!aFromHttp && aCookie->IsHttpOnly()) {
-      COOKIE_LOGFAILURE(SET_COOKIE, aHostURI, aCookieHeader, "cookie is httponly; coming from script");
-      return;
-    }
-
     // check if we have to delete an old cookie.
     nsEnumerationData data(aCurrentTime, LL_MAXINT);
     if (CountCookiesFromHostInternal(aCookie->RawHost(), data) >= mMaxCookiesPerHost) {
       // remove the oldest cookie from host
       oldCookie = data.iter.current;
       RemoveCookieFromList(data.iter);
 
     } else if (mCookieCount >= mMaxNumberOfCookies) {