lynx-dev

lynx-dev Version 0 cookie suggestion & minimal patch


From: Risto Widenius
Subject: lynx-dev Version 0 cookie suggestion & minimal patch
Date: Tue, 27 Oct 1998 17:57:56 +0200 (EET)

Lately I've been having trouble with a server that sends version 0
cookies. The problem arises when Lynx applies cookie sanity checks
from the new IETF draft to the old cookies (see section 4.3.2 of the
draft). Relevant transactions from a trace:

  Lynx:   GET /cgi-bin/SOLO0001 HTTP/1.0
  Server: Set-Cookie: SoloSessionMac=DwiLVnd8j1;
          Path=/cgi-bin/S9OswveScl
  Lynx:   Rejecting because '/cgi-bin/S9OswveScl'
          is not a prefix of '/cgi-bin'.

As I understand it, the original v0 Netscape cookie specification does
not require the client to reject incoming cookies under any
circumstances; rather to check their validity before sending requests.
The wording in the original is somewhat opaque, though.

  <url:http://www.netscape.com/newsref/std/cookie_spec.html>

Other than over-eagerly rejecting cookies, lynx reverts to the old
standard during the (short-lived) session.

The problem is indeed easy to work around, which I did with several
different experimental approaches:
  - Commented out the Path attribute checking in LYCookie.c. Bad
    solution for obvious reasons.
  - Changed store_cookie to check that the Request-URI and Path have
    any common prefix.
  - Better yet was not to apply sanity checks for v0 cookies at all,
    which I did until yesterday.

However, since the braindead problem server belongs to the largest
commercial bank in Finland (who else), it occurred to me that whatever
solution I find to the problem, it might interest other people as
well. So I did my homework and waded through literally hundreds of
messages in the lynx-dev archives starting from Jan 1997 when Fote
first introduced amk's cookie code to Lynx. I found out that people
had had similar problems from time to time. Fote had even issued an
experimental workaround patch (Dec 1997) which is long gone but easy
to reconstruct from the description. Furthermore, I found out that
LYAcceptAllCookies has since Aug 1998 been exploited to solve a
similar problem with cookie domain matching.

Would it be considered a security problem to relax the cookie sanity
checking for version 0 (old) cookies _only when_ the user has
accept_all_cookies set? As it is, Lynx already does accept cookies
with invalid Domain attribute when accept_all_cookies is set.

I suggest the following change to LYCookie.c (for brevity's sake the
patch doesn't fix indentation in the relevant passage of code). The
patch is against lynx2.8.1pre11. I believe this would solve some of
the recurrent cookie problems that have been unsolved in the past.


*** src/LYCookie.c.orig Mon Oct 26 13:00:13 1998
--- src/LYCookie.c      Tue Oct 27 13:26:25 1998
***************
*** 276,285 ****
--- 276,286 ----
      BOOL Replacement = FALSE;
  
      if (co == NULL)
        return;
  
+     if (co->version != 0 || !LYAcceptAllCookies) {
      /*
       *        Apply sanity checks.
       *
       *        Section 4.3.2, condition 1: The value for the Path attribute is
       *        not a prefix of the request-URI.
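Review bot: the new `if (co->version != 0 || !LYAcceptAllCookies) {` opens above the whole "Apply sanity checks" block, so for a version 0 cookie with accept-all set everything between here and the closing brace added in the second hunk is skipped, not only the section 4.3.2 condition 1 Path test that the trace shows failing. Consider wrapping just the Path check, or add a comment above the condition saying that all checks are bypassed deliberately and why, so the scope of the relaxation is visible where it starts.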
***************
*** 372,381 ****
--- 373,383 ----
                    return;
                }
            }
            FREE(msg);
        }
+     }
      }
  
      /*
       *        Ensure that the domain list exists.
       */
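Review bot: the added `}` sits at the same indentation as the `}` on the following line, so nothing shows which brace closes the new version 0 guard and which closes the pre-existing block. Since the patch leaves the guarded code unindented, put a trailing comment on the new brace naming the condition it closes (for example `/* co->version != 0 || !LYAcceptAllCookies */`), or reindent the enclosed block in a follow-up.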
[END OF PATCH]

-- 
rw
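
The store-time policy proposed in the message, run against the values from its trace, as an added example (not Lynx code and not part of the original post). The struct and the names `has_prefix`, `should_store` and `should_send` are hypothetical, and the send-time check assumes plain prefix matching of the Path attribute against the request-URI.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the cookie fields the check needs. */
struct cookie {
    int version;        /* 0 = Netscape-style, 1 = IETF draft */
    const char *path;   /* Path attribute from Set-Cookie */
};

/* Cookie and request-URI taken from the trace in the message. */
static const struct cookie TRACE_COOKIE = { 0, "/cgi-bin/S9OswveScl" };
static const char *TRACE_URI = "/cgi-bin/SOLO0001";

/* True when `prefix` is a leading substring of `s`. */
static bool has_prefix(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Store-time decision: draft section 4.3.2 condition 1, skipped for
 * version 0 cookies only when the user has opted in to accept-all. */
bool should_store(const struct cookie *co, const char *request_uri,
                  bool accept_all)
{
    if (co->version == 0 && accept_all)
        return true;
    return has_prefix(request_uri, co->path);
}

/* Send-time decision: the cookie goes out only to URIs under its Path,
 * so a relaxed store does not widen where the cookie is sent. */
bool should_send(const struct cookie *co, const char *request_uri)
{
    return has_prefix(request_uri, co->path);
}

int main(void)
{
    printf("strict store:  %d\n", should_store(&TRACE_COOKIE, TRACE_URI, false));
    printf("relaxed store: %d\n", should_store(&TRACE_COOKIE, TRACE_URI, true));
    printf("send to %s: %d\n", TRACE_URI, should_send(&TRACE_COOKIE, TRACE_URI));
    printf("send to /cgi-bin/S9OswveScl/x: %d\n",
           should_send(&TRACE_COOKIE, "/cgi-bin/S9OswveScl/x"));
    return 0;
}
```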
