From 5704592a656b3b6bd99b4714049ef831d6645fb0 Mon Sep 17 00:00:00 2001
From: "bartfab@chromium.org"
Date: Tue, 28 Jan 2014 20:57:07 +0000
Subject: Use case-insensitive comparison in GAIA /programmatic_auth cookie check
The GaiaAuthFetcher verifies that the oauth_code cookie set by GAIA's /programmatic_auth method is marked as "Secure" and "HttpOnly." As stated in sections 5.2.5 and 5.2.6 of RFC 6265, the comparison should be case-insensitive. Although GAIA always uses the expected capitalizations "Secure" and "HttpOnly," mock implementations, e.g. those using Python's Cookie library, may not.
BUG=None
TEST=Manual
Review URL: https://codereview.chromium.org/148203004
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@247498 0039d316-1c4b-4281-b951-d872f2087c98
---
 google_apis/gaia/gaia_auth_fetcher.cc | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
(limited to 'google_apis/gaia/gaia_auth_fetcher.cc')
diff --git a/google_apis/gaia/gaia_auth_fetcher.cc b/google_apis/gaia/gaia_auth_fetcher.cc
index f3e85146..96b698d3 100644
--- a/google_apis/gaia/gaia_auth_fetcher.cc
+++ b/google_apis/gaia/gaia_auth_fetcher.cc
@@ -4,7 +4,6 @@
 #include "google_apis/gaia/gaia_auth_fetcher.h"
-#include
 #include
 #include
 #include
@@ -33,7 +32,12 @@ const int kLoadFlagsIgnoreCookies = net::LOAD_DO_NOT_SEND_COOKIES |
 static bool CookiePartsContains(const std::vector& parts, const char* part) {
- return std::find(parts.begin(), parts.end(), part) != parts.end();
+ for (std::vector::const_iterator it = parts.begin(); it != parts.end(); ++it) {
+ if (LowerCaseEqualsASCII(*it, part))
+ return true;
+ }
+ return false;
 }
 bool ExtractOAuth2TokenPairResponse(base::DictionaryValue* dict,
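Review bot: The rewritten CookiePartsContains() only matches when `part` is already lowercase ASCII, because LowerCaseEqualsASCII() folds the cookie part and not the literal it is compared against; that is the reason the constants in the @@ -156 hunk become "secure" and "httponly", but the precondition is stated nowhere, so a future caller passing a mixed-case literal (or an edit restoring the RFC capitalization in the constants) would silently never match and the Secure/HttpOnly check would presumably reject every cookie. I would put the contract on the function, `// |part| must be lowercase ASCII: LowerCaseEqualsASCII() lowercases only the cookie part before comparing.`, and mirror a one-line comment on the two constants in the later hunk so the lowercase spelling does not read as a typo. The comparison also assumes each element of |parts| has been trimmed of surrounding whitespace by whatever splits the Set-Cookie attributes; that splitter is outside this hunk, so confirm it before relying on exact equality here.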
@@ -156,10 +160,10 @@ const char GaiaAuthFetcher::kOAuthHeaderFormat[] = "Authorization: OAuth %s";
 const char GaiaAuthFetcher::kOAuth2BearerHeaderFormat[] =
 "Authorization: Bearer %s";
 // static
-const char GaiaAuthFetcher::kClientLoginToOAuth2CookiePartSecure[] = "Secure";
+const char GaiaAuthFetcher::kClientLoginToOAuth2CookiePartSecure[] = "secure";
 // static
 const char GaiaAuthFetcher::kClientLoginToOAuth2CookiePartHttpOnly[] =
- "HttpOnly";
+ "httponly";
 // static
 const char GaiaAuthFetcher::kClientLoginToOAuth2CookiePartCodePrefix[] =
 "oauth_code=";
-- 
cgit v1.1