Cookie secure and httpOnly for PLAY_ERRORS cookie lost on exception #1423
Comments
@Alexandermjos I think this is also related to my issue #1420. We had similar issues raised by vulnerability scans, but only on error pages. I traced it to a slightly different place though.
The way error responses are created seems quite strange in PlayHandler.java.
Hi.
It looks like the ERROR cookie (PLAY_ERRORS) is missing the cookie configuration for "secure" and "httpOnly" when an exception occurs.
This was discovered by an automated security scan in a project I am working on.
I have debugged and traced the issue back to the clear() method in ValidationPlugin.java:
play1/framework/src/play/data/validation/ValidationPlugin.java, lines 189 to 201 at 8fad39b
which is called from onInvocationException():
play1/framework/src/play/data/validation/ValidationPlugin.java, lines 98 to 101 at 8fad39b
I think this can be fixed by adding these two lines here:
play1/framework/src/play/data/validation/ValidationPlugin.java, line 195 at 8fad39b

```java
cookie.secure = Scope.COOKIE_SECURE;
cookie.httpOnly = Scope.SESSION_HTTPONLY;
```
Play Version (1.5.x / etc)
Reproduced on Play 1.5.2. The code involved in this issue is unchanged from 1.5.2 to the latest version.
Operating System (Ubuntu 15.10 / MacOS 10.10 / Windows 10)
Windows 10
JDK (Oracle 1.8.0_72, OpenJDK 1.8.x, Azul Zing)
openjdk version "1.8.0_282"
OpenJDK Runtime Environment (build 1.8.0_282-b08)
OpenJDK 64-Bit Server VM (build 25.282-b08, mixed mode)
Library Dependencies
None
Expected Behavior
Please describe the expected behavior of the issue, starting from the first action.
Actual Behavior
The "secure" and "httpOnly" flags are not set on the PLAY_ERRORS cookie when an exception occurs.
Reproducible Test Case
Trigger a NullPointerException in a form.
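The check below reproduces what the automated scan reported, as an added example that is not part of this issue or of the Play code base. It parses the Set-Cookie headers of a normal response and of an error response, lists every cookie whose Secure or HttpOnly attribute is missing, and then reports the flags that are present on the normal path but dropped on the error path, which is the symptom both reporters describe (flags lost only on error pages). The header lines are constructed for the example, not captured from a real application; the cookie names assume the default PLAY_ prefix mentioned in the issue.

```python
from typing import Dict, List, Set

# Constructed sample headers (not captured from a real Play application).
# The first set mimics a normal response where both cookies carry the flags;
# the second mimics the exception path described in the issue, where the
# PLAY_ERRORS cookie is emitted without Secure or HttpOnly.
NORMAL_RESPONSE_HEADERS = [
    "Set-Cookie: PLAY_SESSION=abc123; Path=/; Secure; HttpOnly",
    "Set-Cookie: PLAY_ERRORS=; Path=/; Secure; HttpOnly",
]
ERROR_RESPONSE_HEADERS = [
    "Set-Cookie: PLAY_SESSION=abc123; Path=/; Secure; HttpOnly",
    "Set-Cookie: PLAY_ERRORS=; Path=/",
]

# Attributes a scanner expects on every cookie served over HTTPS.
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into the cookie name and a lower-cased
    set of attribute names (Path, Secure, HttpOnly, ...)."""
    value = header
    if header.lower().startswith("set-cookie:"):
        value = header.split(":", 1)[1]
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Set[str] = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return {"name": name, "attrs": attrs}


def missing_flags(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing flags]} for every cookie in the response
    that lacks at least one of the required attributes."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = [flag for flag in REQUIRED_FLAGS if flag not in cookie["attrs"]]
        if missing:
            findings[cookie["name"]] = missing
    return findings


def flags_lost_on_error(normal: List[str], error: List[str]) -> Dict[str, List[str]]:
    """Cookies that carry a flag on the normal response but drop it on the
    error response. A cookie that lacks the flag on both paths is a separate
    configuration problem and is not reported here."""
    normal_missing = missing_flags(normal)
    error_missing = missing_flags(error)
    lost: Dict[str, List[str]] = {}
    for name, flags in error_missing.items():
        already_missing = set(normal_missing.get(name, []))
        newly_missing = [flag for flag in flags if flag not in already_missing]
        if newly_missing:
            lost[name] = newly_missing
    return lost


if __name__ == "__main__":
    print("normal response:", missing_flags(NORMAL_RESPONSE_HEADERS))
    print("error response: ", missing_flags(ERROR_RESPONSE_HEADERS))
    print("lost on error:  ", flags_lost_on_error(NORMAL_RESPONSE_HEADERS, ERROR_RESPONSE_HEADERS))
```

To use this against a real deployment, capture the raw response headers of a normal page and of a page that throws (for instance the NullPointerException reproduction above) and pass each list in place of the constructed samples; an empty result from flags_lost_on_error means the error path sets the same attributes as the normal path.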