packages feed

http-client 0.7.6 → 0.7.7

raw patch · 4 files changed

+54/−2 lines, 4 filesdep +iproutePVP ok

version bump matches the API change (PVP)

Dependencies added: iproute

API changes (from Hackage documentation)

+ Network.HTTP.Client: isPotentiallyTrustworthyOrigin :: Bool -> ByteString -> Bool
+ Network.HTTP.Client.Internal: isPotentiallyTrustworthyOrigin :: Bool -> ByteString -> Bool

Files

ChangeLog.md view
@@ -1,5 +1,9 @@ # Changelog for http-client +## 0.7.7++* Allow secure cookies for localhost without HTTPS [#460](https://github.com/snoyberg/http-client/pull/460)+ ## 0.7.6  * Add `applyBearerAuth` function [#457](https://github.com/snoyberg/http-client/pull/457/files)
Network/HTTP/Client/Cookies.hs view
@@ -14,6 +14,7 @@     , removeExistingCookieFromCookieJar     , domainMatches     , isIpAddress+    , isPotentiallyTrustworthyOrigin     , defaultPath     ) where @@ -29,6 +30,8 @@ import qualified Network.PublicSuffixList.Lookup as PSL import Data.Text.Encoding (decodeUtf8With) import Data.Text.Encoding.Error (lenientDecode)+import qualified Data.IP as IP+import Text.Read (readMaybe)  import Network.HTTP.Client.Types as Req @@ -111,6 +114,37 @@ isPublicSuffix :: BS.ByteString -> Bool isPublicSuffix = PSL.isSuffix . decodeUtf8With lenientDecode +-- | Algorithm described in \"Secure Contexts\", Section 3.1, \"Is origin potentially trustworthy?\"+--+-- Note per RFC6265 section 5.4 user agent is free to define the meaning of "secure" protocol.+--+-- See:+-- https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy+isPotentiallyTrustworthyOrigin :: Bool          -- ^ True if HTTPS+                               -> BS.ByteString -- ^ Host+                               -> Bool          -- ^ Whether or not the origin is potentially trustworthy+isPotentiallyTrustworthyOrigin secure host+  | secure = True             -- step 3+  | isLoopbackAddr4 = True    -- step 4, part 1+  | isLoopbackAddr6 = True    -- step 4, part 2+  | isLoopbackHostname = True -- step 5+  | otherwise = False+  where isLoopbackHostname =+               host == "localhost"+            || host == "localhost."+            || BS.isSuffixOf ".localhost" host+            || BS.isSuffixOf ".localhost." host+        isLoopbackAddr4 =+          fmap (take 1 . IP.fromIPv4) (readMaybe (S8.unpack host)) == Just [127]+        isLoopbackAddr6 =+          fmap IP.toHostAddress6 maddr6 == Just (0, 0, 0, 1)+        maddr6 = do+          (c1, rest1) <- S8.uncons host+          (rest2, c2) <- S8.unsnoc rest1+          case [c1, c2] of+            "[]" -> readMaybe (S8.unpack rest2)+            _ -> Nothing+ -- | This corresponds to the eviction algorithm described in Section 5.3 \"Storage Model\" evictExpiredCookies :: CookieJar  -- ^ Input cookie jar                     -> UTCTime    -- ^ Value that should be used as \"now\"@@ -143,7 +177,7 @@                 condition2 = pathMatches (Req.path request) (cookie_path cookie)                 condition3                   | not (cookie_secure_only cookie) = True-                  | otherwise = Req.secure request+                  | otherwise = isPotentiallyTrustworthyOrigin (Req.secure request) (Req.host request)                 condition4                   | not (cookie_http_only cookie) = True                   | otherwise = is_http_api
http-client.cabal view
@@ -1,5 +1,5 @@ name:                http-client-version:             0.7.6+version:             0.7.7 synopsis:            An HTTP client engine description:         Hackage documentation generation is not reliable. For up to date documentation, please see: <http://www.stackage.org/package/http-client>. homepage:            https://github.com/snoyberg/http-client@@ -58,6 +58,7 @@                      , mime-types                      , ghc-prim                      , stm               >= 2.3+                     , iproute           >= 1.7.5   if flag(network-uri)     build-depends: network >= 2.6, network-uri >= 2.6   else
test-nonet/Network/HTTP/Client/CookieSpec.hs view
@@ -61,3 +61,16 @@             when countsForEquiv $ cky `equivCookie` f cky `shouldBe` False        check `mapM_` modifications++    it "isPotentiallyTrustworthyOrigin" $ do+      isPotentiallyTrustworthyOrigin True "" `shouldBe` True+      let untrusty = ["example", "example.", "example.com", "foolocalhost", "1.1.1.1", "::1", "[::2]"]+          trusty =+            [ "127.0.0.1", "127.0.0.2", "127.127.127.127"+            , "[::1]", "[0:0:0:0:0:0:0:1]"+            , "localhost", "localhost."+            , "a.b.c.localhost", "a.b.c.localhost."+            ]+      or (map (isPotentiallyTrustworthyOrigin False) untrusty) `shouldBe` False+      and (map (isPotentiallyTrustworthyOrigin False) trusty) `shouldBe` True+