lynx-dev

lynx-dev cookie bug (not in lynx)


From: brian j. pardy
Subject: lynx-dev cookie bug (not in lynx)
Date: Wed, 23 Dec 1998 17:09:38 -0800

From <URL:http://www.paradise.net.nz/~glineham/cookiemonster.html>:

    HTTP Cookie Bug Affecting Servers On Non-US Domains
    
    22 December 1998 NZDT
    
   If you are any sort of expert in the areas of HTTP, cookies, browsers,
   or general Internet security we urgently want to read any comments you
   might have. Email address@hidden now.
   
   Affected applications:
     * Internet Explorer 5 Beta (Win32)
     [...]
     * others extremely likely
       
   Unaffected applications:
     * Lynx 2.8rel.2 (Linux):
       asks the user to "allow setting of cookie with invalid domain
       .co.nz"

[...]
       
   The bug: A cookie may be set by a server on a domain name other than
   the American TLDs (.com, .net, .org, etc.), which is erroneously
   allowed to be returned to servers on other domains. For example,
   company.co.nz may set a cookie in a user's browser that is returned to
   all servers below .co.nz.
   
   This affects: Anyone using any of the browsers listed above (possibly
   more), who visit websites outside the US; Anyone operating a website
   or server on a non-US domain name.

   [...]

   The contents of this page and the scripts it links to are Copyright ©
   1998. Permission is granted to reproduce small quantities of the page
   for purposes of fair review.

A sample exploit description is linked on that page.

My concern here -- the patch in 2.8.1 that will accept cookies with
invalid domains *IF* ACCEPT_ALL_COOKIES is enabled. 

This is either a bug or a feature, depending on what ACCEPT_ALL_COOKIES is
defined to mean.

I suggest anyone interested in Lynx cookies take a look at this page.

-- 
America may be unique in being a country which has leapt
from barbarism to decadence without touching civilization.
                -- John O'Hara

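The check the report credits Lynx with ("invalid domain .co.nz") is the dot-count rule of the Netscape cookie specification: a domain attribute under the seven special TLDs (com, edu, net, org, gov, mil, int) needs at least two dots, any other domain needs at least three, and the setting host must tail-match the domain. Below is an added, stand-alone illustration of that rule written for this thread; it is not Lynx's code, and the function and enum names, the `accept_all` flag (which only models the ACCEPT_ALL_COOKIES behaviour described above, not how 2.8.1 actually implements it) and the sample hosts are this example's own assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Result of checking a Set-Cookie "domain=" attribute against the host
 * that sent it.  (Names are this example's own, not Lynx's.) */
typedef enum {
    COOKIE_DOMAIN_OK = 0,
    COOKIE_DOMAIN_TOO_BROAD = 1,  /* ".co.nz", ".com": would reach every server in a registry */
    COOKIE_DOMAIN_NOT_PARENT = 2, /* sending host is not inside the requested domain */
    COOKIE_DOMAIN_MALFORMED = 3   /* attribute too long to be a hostname */
} cookie_domain_result;

/* Netscape cookie spec: under these seven TLDs a domain attribute needs
 * only two dots (".company.com"); everywhere else it needs three
 * (".company.co.nz"), which is what rejects ".co.nz" and "va.us". */
static const char *const special_tlds[] = {
    "com", "edu", "net", "org", "gov", "mil", "int"
};

/* ASCII case-insensitive equality (hostnames are case-insensitive). */
static bool ci_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* True when host ends with suffix, compared case-insensitively. */
static bool ci_ends_with(const char *host, const char *suffix)
{
    size_t hl = strlen(host), sl = strlen(suffix);
    return sl <= hl && ci_equal(host + (hl - sl), suffix);
}

/* Minimum dot count the spec requires for this (leading-dot) domain. */
static int min_dots_for(const char *dom)
{
    const char *tld = strrchr(dom, '.');
    tld = (tld != NULL) ? tld + 1 : dom;
    for (size_t i = 0; i < sizeof special_tlds / sizeof special_tlds[0]; i++)
        if (ci_equal(tld, special_tlds[i]))
            return 2;
    return 3;
}

/* Decide whether `host` may set a cookie scoped to `domain`.  `accept_all`
 * models the ACCEPT_ALL_COOKIES behaviour discussed in the message above:
 * when set, the dot-count check is skipped and only the tail match remains. */
cookie_domain_result check_cookie_domain(const char *host, const char *domain,
                                         bool accept_all)
{
    char dom[256];
    int dots = 0;

    if (strlen(domain) + 2 > sizeof dom)
        return COOKIE_DOMAIN_MALFORMED;
    /* Normalise to the leading-dot form the tail match expects. */
    snprintf(dom, sizeof dom, "%s%s", domain[0] == '.' ? "" : ".", domain);

    for (const char *p = dom; *p != '\0'; p++)
        if (*p == '.')
            dots++;

    /* 1. Is the domain specific enough?  ".co.nz" has two dots but "nz" is
     *    not a special TLD, so three are required: rejected. */
    if (!accept_all && dots < min_dots_for(dom))
        return COOKIE_DOMAIN_TOO_BROAD;

    /* 2. The setting host must lie within the domain (or be exactly it),
     *    so one site cannot plant cookies for an unrelated one. */
    if (!ci_ends_with(host, dom) && !ci_equal(host, dom + 1))
        return COOKIE_DOMAIN_NOT_PARENT;

    return COOKIE_DOMAIN_OK;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the report. */
    static const struct { const char *host, *domain; bool accept_all; } cases[] = {
        { "company.co.nz",     ".co.nz",            false },
        { "company.co.nz",     ".co.nz",            true  },
        { "www.company.co.nz", ".company.co.nz",    false },
        { "www.example.com",   ".com",              false },
        { "evil.example.com",  ".bank.example.com", false },
    };
    static const char *const names[] = { "ok", "too broad", "not parent", "malformed" };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-20s domain=%-18s accept_all=%d -> %s\n",
               cases[i].host, cases[i].domain, cases[i].accept_all,
               names[check_cookie_domain(cases[i].host, cases[i].domain,
                                         cases[i].accept_all)]);
    return 0;
}
```

The second sample line is the point of the message: with the dot-count check bypassed, company.co.nz passes the remaining tail match and gets a cookie scoped to every host under .co.nz, which is exactly the behaviour the report calls a bug in other browsers.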