summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorbartfab@chromium.org <bartfab@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-01-28 20:57:07 +0000
committerbartfab@chromium.org <bartfab@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-01-28 20:57:07 +0000
commit5704592a656b3b6bd99b4714049ef831d6645fb0 (patch)
tree44d2aa31c582cdc697aa2289f9145eda99380439
parent84c4ad84c8a05bc3e7423ca5f752a7581bad64bb (diff)
downloadchromium_src-5704592a656b3b6bd99b4714049ef831d6645fb0.zip
chromium_src-5704592a656b3b6bd99b4714049ef831d6645fb0.tar.gz
chromium_src-5704592a656b3b6bd99b4714049ef831d6645fb0.tar.bz2
Use case-insensitive comparison in GAIA /programmatic_auth cookie check
The GaiaAuthFetcher verifies that the oauth_code cookie set by GAIA's /programmatic_auth method is marked as "Secure" and "HttpOnly." As stated in sections 5.2.5 and 5.2.6 of RFC 6265, the comparison should be case-insensitive. Although GAIA always uses the expected capitalizations "Secure" and "HttpOnly," mock implementations, e.g. those using Python's Cookie library, may not. BUG=None TEST=Manual Review URL: https://codereview.chromium.org/148203004 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@247498 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--google_apis/gaia/gaia_auth_fetcher.cc12
1 files changed, 8 insertions, 4 deletions
diff --git a/google_apis/gaia/gaia_auth_fetcher.cc b/google_apis/gaia/gaia_auth_fetcher.cc
index f3e85146..96b698d3 100644
--- a/google_apis/gaia/gaia_auth_fetcher.cc
+++ b/google_apis/gaia/gaia_auth_fetcher.cc
@@ -4,7 +4,6 @@
#include "google_apis/gaia/gaia_auth_fetcher.h"
-#include <algorithm>
#include <string>
#include <utility>
#include <vector>
@@ -33,7 +32,12 @@ const int kLoadFlagsIgnoreCookies = net::LOAD_DO_NOT_SEND_COOKIES |
static bool CookiePartsContains(const std::vector<std::string>& parts,
const char* part) {
- return std::find(parts.begin(), parts.end(), part) != parts.end();
+ for (std::vector<std::string>::const_iterator it = parts.begin();
+ it != parts.end(); ++it) {
+ if (LowerCaseEqualsASCII(*it, part))
+ return true;
+ }
+ return false;
}
bool ExtractOAuth2TokenPairResponse(base::DictionaryValue* dict,
@@ -156,10 +160,10 @@ const char GaiaAuthFetcher::kOAuthHeaderFormat[] = "Authorization: OAuth %s";
const char GaiaAuthFetcher::kOAuth2BearerHeaderFormat[] =
"Authorization: Bearer %s";
// static
-const char GaiaAuthFetcher::kClientLoginToOAuth2CookiePartSecure[] = "Secure";
+const char GaiaAuthFetcher::kClientLoginToOAuth2CookiePartSecure[] = "secure";
// static
const char GaiaAuthFetcher::kClientLoginToOAuth2CookiePartHttpOnly[] =
- "HttpOnly";
+ "httponly";
// static
const char GaiaAuthFetcher::kClientLoginToOAuth2CookiePartCodePrefix[] =
"oauth_code=";