Merge pull request #11469 from adityahase/fix-pdf

fix(pdf): Restrict cookies to the host domain
4 lat temu · ebcc23591a
--- a/frappe/utils/pdf.py
+++ b/frappe/utils/pdf.py
@@ -52,6 +52,8 @@ def get_pdf(html, options=None, output=None):
 				output.appendPagesFromReader(reader)
 		else:
 			raise
 	finally:
 		cleanup(options)

 	if "password" in options:
 		password = options["password"]
@@ -110,8 +112,7 @@ def prepare_options(html, options):
 	options.update(html_options or {})

 	# cookies
 	if frappe.session and frappe.session.sid:
 		options['cookie'] = [('sid', '{0}'.format(frappe.session.sid))]
 	options.update(get_cookie_options())

 	# page size
 	if not options.get("page-size"):
@@ -120,6 +121,22 @@ def prepare_options(html, options):
 	return html, options


 def get_cookie_options():
 	options = {}
 	if frappe.session and frappe.session.sid:
 		# Use wkhtmltopdf's cookie-jar feature to set cookies and restrict them to host domain
 		cookiejar = "/tmp/{}.jar".format(frappe.generate_hash())

 		# Remove port from request.host
 		# https://werkzeug.palletsprojects.com/en/0.16.x/wrappers/#werkzeug.wrappers.BaseRequest.host
 		domain = frappe.local.request.host.split(":", 1)[0]
 		with open(cookiejar, "w") as f:
 			f.write("sid={}; Domain={};\n".format(frappe.session.sid, domain))

 		options['cookie-jar'] = cookiejar

 	return options

 def read_options_from_html(html):
 	options = {}
 	soup = BeautifulSoup(html, "html5lib")
@@ -184,11 +201,8 @@ def prepare_header_footer(soup):
 	return options


 def cleanup(fname, options):
 	if os.path.exists(fname):
 		os.remove(fname)

 	for key in ("header-html", "footer-html"):
 def cleanup(options):
 	for key in ("header-html", "footer-html", "cookie-jar"):
 		if options.get(key) and os.path.exists(options[key]):
 			os.remove(options[key])