
Re: [Bug-wget] Wget expected behaviour on cookie mismatch


From: Tim Ruehsen
Subject: Re: [Bug-wget] Wget expected behaviour on cookie mismatch
Date: Wed, 13 Feb 2013 10:45:51 +0100
User-agent: KMail/1.13.7 (Linux/3.2.0-4-amd64; KDE/4.8.4; x86_64; ; )

On Wednesday 13 February 2013, Darshit Shah wrote:
> But RFC 6265 5.3.6 also states:
> >  If the canonicalized request-host does not domain-match the
> >  domain-attribute:
> >     Ignore the cookie entirely and abort these steps.
> >
> >  Otherwise:
> >     Set the cookie's host-only-flag to false.
> >
> >     Set the cookie's domain to the domain-attribute.
>
> Since wget does indeed set the cookie's domain as the domain attribute
> when it fails a domain-match, I don't think we should count it as a bug.
> This also obsoletes Test #6 since now we do not need to test for that
> erroneous cookie. Am I correct?

No, you are not.
Test #5 and #6 check if Wget behaves correctly in the case that "the 
canonicalized request-host does not domain-match the domain-attribute". Wget 
must ignore the cookie from test #5. But test #6 shows that Wget does not
ignore the cookie. That is a current bug within Wget cookie handling and 
should be fixed.

> 
> On Wed, Feb 13, 2013 at 2:49 PM, Tim Ruehsen <address@hidden> wrote:
> > Hi Darshit,
> > 
> > > From what I read and understood, if the header does not domain-match, wget
> > > should ignore the cookie. AFAIK, wget does successfully ignore that cookie
> > > currently.
> > 
> > Yes, that is a current bug of wget.
> > 
> > > However, I cannot understand the output of wget:
> > > "Cookie coming from localhost attempted to set domain to localhost"
> > > That is cookie->domain and host were a match and yet it failed the
> > > check_domain_match(cookie->domain, host)  call.
> > > Is this a bug? I'll attempt getting and reading a stacktrace for the
> > > same to get more information.
> > 
> > Ángel already made it clear.
> > 
> > > The sixth test in Test-cookies.px, is it meant to fail? My Perl is
> > > terrible, and I've been trying to improve it. Does it mean that the
> > > expected header for that cookie should NOT include "foo=bar"?
> > 
> > Request #5 makes the server respond with a Cookie that does not match the
> > request domain. This simulates a misbehaving server. Wget should ignore that
> > cookie, which is tested in Request #6. "!Cookie" => qr|foo=bar|" means
> > 'the Wget request must not contain a Cookie header containing foo=bar'
> > (the server side checks that).
> > 
> > Regards,
> > 
> >       Tim Rühsen
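
The rule this thread turns on (RFC 6265 section 5.3 step 6, using the domain-match definition from section 5.1.3), written out as an added example; it is not Wget's code and not part of the original messages. The names `looks_like_ip`, `domain_match` and `classify_cookie` are hypothetical, the request host is assumed to be already canonicalized, and the IP-literal test is a simplification.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Simplified IP-literal test (assumption for this sketch): IPv6 literals
   contain ':', IPv4 literals consist only of digits and dots. */
static bool looks_like_ip(const char *host)
{
    if (strchr(host, ':') != NULL)
        return true;
    return host[strspn(host, "0123456789.")] == '\0';
}

/* RFC 6265 section 5.1.3: does `host` domain-match `domain`? */
static bool domain_match(const char *host, const char *domain)
{
    size_t hl = strlen(host), dl = strlen(domain);

    if (strcasecmp(host, domain) == 0)
        return true;                          /* identical strings */
    if (dl == 0 || hl <= dl)
        return false;
    if (strcasecmp(host + hl - dl, domain) != 0)
        return false;                         /* domain is not a suffix */
    if (host[hl - dl - 1] != '.')
        return false;                         /* suffix not on a label boundary */
    return !looks_like_ip(host);              /* suffix rule is for host names only */
}

enum cookie_verdict { COOKIE_IGNORE, COOKIE_HOST_ONLY, COOKIE_DOMAIN };

/* RFC 6265 section 5.3 step 6: decide what to do with a Set-Cookie Domain. */
enum cookie_verdict classify_cookie(const char *request_host, const char *domain_attr)
{
    if (domain_attr != NULL && *domain_attr == '.')
        domain_attr++;                        /* section 5.2.3: drop one leading dot */
    if (domain_attr == NULL || *domain_attr == '\0')
        return COOKIE_HOST_ONLY;              /* no Domain: host-only-flag = true */
    return domain_match(request_host, domain_attr) ? COOKIE_DOMAIN : COOKIE_IGNORE;
}

int main(void)
{
    /* Constructed sample: a host receiving a cookie for an unrelated domain. */
    printf("%d\n", classify_cookie("localhost", "example.com"));
    return 0;
}
```

A cookie classified as `COOKIE_IGNORE` must never be stored, so a later request to the same host carries no `Cookie` header for it, which is what Request #6 in the test checks.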


