Verified Commit d7ac95a7 authored by Kevin Morris

fix(fastapi): limit cookie migration to whitelisted keys



Whitelisted keys: AURSID, AURTZ, AURLANG
Signed-off-by: Kevin Morris <kevr@0cost.org>
parent 65be8b8e
Pipeline #12626 passed with stage
in 7 minutes and 57 seconds
......@@ -104,9 +104,12 @@ def valid_ssh_pubkey(pk):
def migrate_cookies(request, response):
whitelist = {"AURSID", "AURTZ", "AURLANG"}
secure_cookies = aurweb.config.getboolean("options", "disable_http_login")
for k, v in request.cookies.items():
response.set_cookie(k, v, secure=secure_cookies, httponly=True)
if k in whitelist:
response.set_cookie(k, v, secure=secure_cookies, httponly=True)
return add_samesite_fields(response, "strict")
......
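Review bot: In the `if k in whitelist:` branch, the value `v` is still copied from `request.cookies` into the response unchanged, so the whitelist restricts which cookie names are migrated but not what they contain. For AURTZ and AURLANG, consider checking the value against the supported timezones and languages before calling `response.set_cookie`. The `whitelist` set is also rebuilt on every call to `migrate_cookies`; a module-level constant with a short comment on why only these three keys are migrated would document the intent. No test is visible in this hunk for a request that carries a non-whitelisted cookie, which is the case this change exists to handle.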