Skip SameSite=Lax is cookie is not defined

ikus060 · Oct 21, 2021 · 42455b1 · 42455b1
1 parent 753533b
commit 42455b1
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 2 deletions.
diff --git a/rdiffweb/controller/dispatch.py b/rdiffweb/controller/dispatch.py
@@ -124,7 +124,7 @@ def static(path):
         content_type = mimetypes.types_map.get(ext, None)  # @UndefinedVariable
 
     @cherrypy.expose
-    @cherrypy.config(**{'tools.authform.on': False})
+    @cherrypy.config(**{'tools.authform.on': False, 'tools.sessions.on': False})
     def handler(*args, **kwargs):
         if cherrypy.request.method not in ('GET', 'HEAD'):
             return None

diff --git a/rdiffweb/controller/filter_authentication.py b/rdiffweb/controller/filter_authentication.py
@@ -257,7 +257,8 @@ def _set_same_site(self):
         # https://github.com/cherrypy/cherrypy/issues/1767
         # Force SameSite to Lax
         cookie = cherrypy.serving.response.cookie.get('session_id', None)
-        cookie['samesite'] = 'Lax'
+        if cookie:
+            cookie['samesite'] = 'Lax'
 
     def run(self):
         if cherrypy.request.method in ['POST', 'PUT', 'PATCH', 'DELETE']:

diff --git a/rdiffweb/controller/tests/test_check_links.py b/rdiffweb/controller/tests/test_check_links.py
@@ -42,9 +42,13 @@ def test_links(self):
         todo = OrderedDict()
         todo["/"] = "/"
         self.getPage("/")
+        # Store the original cookie since it get replace during execution.
+        self.assertIsNotNone(self.cookies)
+        cookies = self.cookies
         while todo:
             page, ref = todo.popitem(last=False)
             # Query page
+            self.cookies = cookies
             self.getPage(page)
             # Check status
             self.assertStatus('200 OK', "can't access page [%s] referenced by [%s]" % (page, ref))

diff --git a/rdiffweb/controller/tests/test_csrf.py b/rdiffweb/controller/tests/test_csrf.py
@@ -32,6 +32,14 @@ def test_samesite_lax(self):
         cookie = self.assertHeader('Set-Cookie')
         self.assertIn('SameSite=Lax', cookie)
 
+    def test_samesite_lax_without_session(self):
+        # Given not a client sending no cookie
+        self.cookies = None
+        # When a query is made to a static path (without session)
+        self.getPage('/static/blue.css')
+        # Then Set-Cookie is not defined.
+        self.assertNoHeader('Set-Cookie')
+
     def test_get_with_wrong_origin(self):
         # Given a GET request made to rdiffweb
         # When the request is made using a different origin