diff options
| author | bartfab@chromium.org <bartfab@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-01-28 20:57:07 +0000 |
|---|---|---|
| committer | bartfab@chromium.org <bartfab@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-01-28 20:57:07 +0000 |
| commit | 5704592a656b3b6bd99b4714049ef831d6645fb0 (patch) | |
| tree | 44d2aa31c582cdc697aa2289f9145eda99380439 /google_apis/gaia/gaia_auth_fetcher.cc | |
| parent | 84c4ad84c8a05bc3e7423ca5f752a7581bad64bb (diff) | |
| download | chromium_src-5704592a656b3b6bd99b4714049ef831d6645fb0.zip chromium_src-5704592a656b3b6bd99b4714049ef831d6645fb0.tar.gz chromium_src-5704592a656b3b6bd99b4714049ef831d6645fb0.tar.bz2 | |
Use case-insensitive comparison in GAIA /programmatic_auth cookie check
The GaiaAuthFetcher verifies that the oauth_code cookie set by GAIA's
/programmatic_auth method is marked as "Secure" and "HttpOnly." As stated
in sections 5.2.5 and 5.2.6 of RFC 6265, the comparison should be
case-insensitive.
Although GAIA always uses the expected capitalizations "Secure" and
"HttpOnly," mock implementations, e.g. those using Python's Cookie
library, may not.
BUG=None
TEST=Manual
Review URL: https://codereview.chromium.org/148203004
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@247498 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'google_apis/gaia/gaia_auth_fetcher.cc')
| -rw-r--r-- | google_apis/gaia/gaia_auth_fetcher.cc | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/google_apis/gaia/gaia_auth_fetcher.cc b/google_apis/gaia/gaia_auth_fetcher.cc index f3e85146..96b698d3 100644 --- a/google_apis/gaia/gaia_auth_fetcher.cc +++ b/google_apis/gaia/gaia_auth_fetcher.cc @@ -4,7 +4,6 @@ #include "google_apis/gaia/gaia_auth_fetcher.h" -#include <algorithm> #include <string> #include <utility> #include <vector> @@ -33,7 +32,12 @@ const int kLoadFlagsIgnoreCookies = net::LOAD_DO_NOT_SEND_COOKIES | static bool CookiePartsContains(const std::vector<std::string>& parts, const char* part) { - return std::find(parts.begin(), parts.end(), part) != parts.end(); + for (std::vector<std::string>::const_iterator it = parts.begin(); + it != parts.end(); ++it) { + if (LowerCaseEqualsASCII(*it, part)) + return true; + } + return false; } bool ExtractOAuth2TokenPairResponse(base::DictionaryValue* dict, @@ -156,10 +160,10 @@ const char GaiaAuthFetcher::kOAuthHeaderFormat[] = "Authorization: OAuth %s"; const char GaiaAuthFetcher::kOAuth2BearerHeaderFormat[] = "Authorization: Bearer %s"; // static -const char GaiaAuthFetcher::kClientLoginToOAuth2CookiePartSecure[] = "Secure"; +const char GaiaAuthFetcher::kClientLoginToOAuth2CookiePartSecure[] = "secure"; // static const char GaiaAuthFetcher::kClientLoginToOAuth2CookiePartHttpOnly[] = - "HttpOnly"; + "httponly"; // static const char GaiaAuthFetcher::kClientLoginToOAuth2CookiePartCodePrefix[] = "oauth_code="; |