Commit c05c5163 authored by W-Mark Kubacki's avatar W-Mark Kubacki

browse: Don't leak Cookies to sessions in HTTP from HTTPS

parent 3513b6f2
......@@ -315,8 +315,8 @@ func (b Browse) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
listing.Sort = sortCookie.Value
}
} else { // Save the query value of 'sort' and 'order' as cookies.
http.SetCookie(w, &http.Cookie{Name: "sort", Value: listing.Sort, Path: "/"})
http.SetCookie(w, &http.Cookie{Name: "order", Value: listing.Order, Path: "/"})
http.SetCookie(w, &http.Cookie{Name: "sort", Value: listing.Sort, Path: bc.PathScope, Secure: r.TLS != nil})
http.SetCookie(w, &http.Cookie{Name: "order", Value: listing.Order, Path: bc.PathScope, Secure: r.TLS != nil})
}
if listing.Order == "" {
......@@ -325,7 +325,7 @@ func (b Browse) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
listing.Order = orderCookie.Value
}
} else {
http.SetCookie(w, &http.Cookie{Name: "order", Value: listing.Order, Path: "/"})
http.SetCookie(w, &http.Cookie{Name: "order", Value: listing.Order, Path: bc.PathScope, Secure: r.TLS != nil})
}
listing.applySort()
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment