From 5212755ea5d43b7dea77f808215c6aec86dd940e Mon Sep 17 00:00:00 2001 From: Carlos Garcia Campos Date: Fri, 27 Feb 2026 12:03:25 +0100 Subject: [PATCH] cookies: do not send cookies to a HTTP proxy for a HTTPS request Closes #502 --- libsoup/soup-cookie-jar.c | 15 +++++++++-- tests/proxy-test.c | 52 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 65 insertions(+), 2 deletions(-) diff --git a/libsoup/soup-cookie-jar.c b/libsoup/soup-cookie-jar.c index b2b78909..30fea161 100644 --- a/libsoup/soup-cookie-jar.c +++ b/libsoup/soup-cookie-jar.c @@ -11,6 +11,7 @@ #include +#include "soup-connection.h" #include "soup-cookie-jar.h" #include "soup-misc-private.h" #include "soup.h" @@ -686,6 +687,13 @@ process_set_cookie_header (SoupMessage *msg, gpointer user_data) g_slist_free (new_cookies); } +static gboolean +allow_cookies_for_request (SoupMessage *msg) +{ + /* Do not send cookies to a HTTP proxy for a HTTPS request */ + return msg->method != SOUP_METHOD_CONNECT || !soup_connection_is_tunnelled (soup_message_get_connection (msg)); +} + static void msg_starting_cb (SoupMessage *msg, gpointer feature) { @@ -694,8 +702,10 @@ msg_starting_cb (SoupMessage *msg, gpointer feature) cookies = soup_cookie_jar_get_cookies (jar, soup_message_get_uri (msg), TRUE); if (cookies) { - soup_message_headers_replace (msg->request_headers, - "Cookie", cookies); + if (allow_cookies_for_request (msg)) { + soup_message_headers_replace (msg->request_headers, + "Cookie", cookies); + } g_free (cookies); } else soup_message_headers_remove (msg->request_headers, "Cookie"); @@ -892,3 +902,4 @@ soup_cookie_jar_is_persistent (SoupCookieJar *jar) return SOUP_COOKIE_JAR_GET_CLASS (jar)->is_persistent (jar); } + diff --git a/tests/proxy-test.c b/tests/proxy-test.c index 1d68aa05..6b93847e 100644 --- a/tests/proxy-test.c +++ b/tests/proxy-test.c @@ -400,6 +400,56 @@ do_proxy_auth_cache_test (void) g_object_unref (cache); } +static void +connect_message_wrote_headers_cb (SoupMessage *msg, guint *counter) +{ + SoupMessageHeaders *hdrs; + + *counter += 1; + + hdrs = msg->request_headers; + if (msg->method == SOUP_METHOD_CONNECT) + g_assert_null (soup_message_headers_get_one (hdrs, "Cookie")); + else + g_assert_nonnull (soup_message_headers_get_one (hdrs, "Cookie")); +} + +static void +request_queued_cb (SoupSession *session, SoupMessage *msg, guint *counter) +{ + g_signal_connect (msg, "wrote-headers", G_CALLBACK (connect_message_wrote_headers_cb), counter); +} + +static void +do_proxy_secure_cookies_test (void) +{ + SoupSession *session; + SoupMessage *msg; + SoupCookieJar *jar; + GInputStream *stream; + guint counter = 0; + + SOUP_TEST_SKIP_IF_NO_APACHE; + SOUP_TEST_SKIP_IF_NO_TLS; + + session = soup_test_session_new (SOUP_TYPE_SESSION_SYNC, "proxy-resolver", proxy_resolvers[SIMPLE_PROXY], NULL); + g_signal_connect (session, "request-queued", G_CALLBACK (request_queued_cb), &counter); + + soup_session_add_feature_by_type (session, SOUP_TYPE_COOKIE_JAR); + jar = SOUP_COOKIE_JAR (soup_session_get_feature (session, SOUP_TYPE_COOKIE_JAR)); + + msg = soup_message_new (SOUP_METHOD_GET, HTTPS_SERVER); + soup_cookie_jar_set_cookie (jar, soup_message_get_uri (msg), "user=password; secure"); + stream = soup_session_send (session, msg, NULL, NULL); + soup_test_assert_message_status (msg, SOUP_STATUS_OK); + g_assert_cmpuint (counter, ==, 2); + + if (stream) + g_object_unref (stream); + + soup_test_session_abort_unref (session); +} + int main (int argc, char **argv) { @@ -434,6 +484,7 @@ main (int argc, char **argv) g_test_add_data_func ("/proxy/fragment", base_uri, do_proxy_fragment_test); g_test_add_func ("/proxy/redirect", do_proxy_redirect_test); g_test_add_func ("/proxy/auth-cache", do_proxy_auth_cache_test); + g_test_add_func ("/proxy/secure-cookies", do_proxy_secure_cookies_test); ret = g_test_run (); @@ -445,3 +496,4 @@ main (int argc, char **argv) test_cleanup (); return ret; } + -- 2.54.0