Bug / Patch


Marc Dirix-2
Hello,

I've found that a website sends cookies with a domain variable
containing a leading "." but still expects the cookie to be set if the
requested uri is without a host-prefix.
For example "domain=.foo.example.com" but the uri requested is
"http://foo.example.com".

The following patch fixes this:
lib/modules/Protocols.pmod/HTTP.pmod/Session.pike

@@ -559,7 +560,8 @@
         }
       }
       else if ((!sizeof(c->domain)
-               || c->domain==host[sizeof(host)-sizeof(c->domain)..])
+               || c->domain==host[sizeof(host)-sizeof(c->domain)..]
+               || c->domain=="." + host[sizeof(host)-sizeof(c->domain)..])
            && (sizeof(c->path)<=1 || has_prefix(for_url->path, c->path))
            && (!c->secure || has_prefix(for_url->scheme, "https")))
         res+=({key+"="+c->data});
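
Review bot: the added `"." + host[sizeof(host)-sizeof(c->domain)..]` comparison can only be true when `sizeof(host)-sizeof(c->domain)` is -1, since in every other case the string built on the right has a different length from `c->domain`. The clause therefore depends on how a negative range start is treated. Writing it as `c->domain == "." + host` states the intended case directly, with no out-of-range index. The leading dot is a property of the stored cookie, not of the request, so stripping it from `c->domain` once where the cookie is parsed would cover this case and leave a single comparison here. A comment naming the case being tolerated (for example "domain=.foo.example.com" sent for host foo.example.com) would help the next reader.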

/Marc

Re: Bug / Patch

Martin Stjernholm
Looks a bit ad hoc to me. If some kind of hostname normalization should
take place there, is that leading dot the only thing that should be
done? What do the relevant rfc:s say?

Marc Dirix <[hidden email]> wrote:

> Hello,
>
> I've found that a website sends cookies with a domain variable
> containing a leading "." but still expects the cookie to be set if the
> requested uri is without a host-prefix.
> For example "domain=.foo.example.com" but the uri requested is
> "http://foo.example.com".
>
> The following patch fixes this:
> lib/modules/Protocols.pmod/HTTP.pmod/Session.pike
>
> @@ -559,7 +560,8 @@
>          }
>        }
>        else if ((!sizeof(c->domain)
> -               || c->domain==host[sizeof(host)-sizeof(c->domain)..])
> +               || c->domain==host[sizeof(host)-sizeof(c->domain)..]
> +               || c->domain=="." + host[sizeof(host)-sizeof(c->domain)..])
>             && (sizeof(c->path)<=1 || has_prefix(for_url->path, c->path))
>             && (!c->secure || has_prefix(for_url->scheme, "https")))
>          res+=({key+"="+c->data});
>
> /Marc

Re: Bug / Patch

Chris Angelico
On Mon, Dec 5, 2011 at 8:46 AM, Martin Stjernholm <[hidden email]> wrote:
> Looks a bit ad hoc to me. If some kind of hostname normalization should
> take place there, is that leading dot the only thing that should be
> done? What do the relevant rfc:s say?

RFC 2109:

   Hosts names can be specified either as an IP address or a FQHN
   string.  Sometimes we compare one host name with another.  Host A's
   name domain-matches host B's if
[snip]
   * A is a FQDN string and has the form NB, where N is a non-empty name
     string, B has the form .B', and B' is a FQDN string.  (So, x.y.com
     domain-matches .y.com but not y.com.)

I think (not certain but I think) that the server in question is
violating the spec.

ChrisA

Re: Bug / Patch

Marc Dirix

> I think (not certain but I think) that the server in question is
> violating the spec.


Although that probably is true, all browsers I tried (Opera, Firefox
and IE) send the cookie back.

Re: Bug / Patch

Chris Angelico
On Mon, Dec 5, 2011 at 6:30 PM, Marc Dirix <[hidden email]> wrote:
>
>> I think (not certain but I think) that the server in question is
>> violating the spec.
>
>
> Although that probably is true, all browsers I tried (Opera, Firefox
> and IE) send the cookie back.

Sounds like it's worth following the de facto standard rather than de
jure, then.

ChrisA
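
The domain-match question discussed in this thread, as an added example that is not part of any post and is not Pike's Session.pike code: a Python comparison of the strict RFC 2109 rule quoted above, a lenient rule that ignores one leading dot (which RFC 6265 specifies) and matches only on a label boundary, and a port of the two string comparisons in the patch hunk. The function names and the `CASES` pairs are constructed, and the clamping of a negative range start to 0 is an assumption about the slice in the hunk.

```python
import ipaddress

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def rfc2109_match(host, domain):
    """Strict domain-match, following the RFC 2109 text quoted in the thread."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    # x.y.com matches .y.com: host = N + domain, N non-empty, domain starts with "."
    return (not _is_ip(host) and domain.startswith(".")
            and len(host) > len(domain) and host.endswith(domain))

def lenient_match(host, domain):
    """Ignore one leading dot, then require equality or a match on a label boundary."""
    host, domain = host.lower(), domain.lower()
    if domain.startswith("."):
        domain = domain[1:]
    if not domain:
        return False
    return host == domain or (not _is_ip(host) and host.endswith("." + domain))

def patched_hunk_match(host, domain):
    """Port of the two string comparisons in the patch hunk (assumed slice semantics)."""
    start = max(0, len(host) - len(domain))  # assumption: negative start clamps to 0
    tail = host[start:]
    return domain == tail or domain == "." + tail

# Constructed (host, cookie domain) pairs; the first is the case from the thread.
CASES = [
    ("foo.example.com", ".foo.example.com"),
    ("x.foo.example.com", ".foo.example.com"),
    ("barfoo.example.com", "foo.example.com"),
    ("192.0.2.10", ".2.10"),
]

def compare(cases=CASES):
    return [(h, d, rfc2109_match(h, d), lenient_match(h, d), patched_hunk_match(h, d))
            for h, d in cases]

if __name__ == "__main__":
    for row in compare():
        print("%-20s %-18s rfc2109=%s lenient=%s hunk=%s" % row)
```

The last two rows show why the comparison should be anchored on a "." boundary and skipped for IP addresses: a plain suffix comparison accepts a sibling host name and an IP address fragment that both stricter rules reject.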
