bug-wget

Re: [Bug-wget] Wget expected behaviour on cookie mismatch


From: Darshit Shah
Subject: Re: [Bug-wget] Wget expected behaviour on cookie mismatch
Date: Wed, 13 Feb 2013 15:42:06 +0530

So in order to ignore that cookie, we must simply set its
discard_requested to true. Something like this should work:

--- a/src/cookies.c
+++ b/src/cookies.c
@@ -673,9 +673,6 @@ cookie_handle_set_cookie (struct cookie_jar *jar,

   if (!cookie->domain)
     {
-    copy_domain:
-      /* If the domain was not provided, we use the one we're talking
-         to, and set exact match.  */
       cookie->domain = xstrdup (host);
       cookie->domain_exact = 1;
       /* Set the port, but only if it's non-default. */
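Review bot: The comment removed at the top of the if (!cookie->domain) block still describes the two lines that stay (cookie->domain = xstrdup (host); cookie->domain_exact = 1;), so only the copy_domain: label needs to go along with the goto. Suggest keeping the comment about using the host we're talking to and setting exact match.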
@@ -687,11 +684,12 @@ cookie_handle_set_cookie (struct cookie_jar *jar,
       if (!check_domain_match (cookie->domain, host))
         {
           logprintf (LOG_NOTQUIET,
-                     _("Cookie coming from %s attempted to set domain to
%s\n"),
-                     quotearg_style (escape_quoting_style, host),
+                     _("Cookie coming from %s"),
+                     quotearg_style (escape_quoting_style, host));
+          logprintf (LOG_NOTQUIET,
+                     _(" attempted to set domain to %s/n"),
                      quotearg_style (escape_quoting_style,
cookie->domain));
-          xfree (cookie->domain);
-          goto copy_domain;
+          cookie->discard_requested = true;
         }
     }
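Review bot: The new format string " attempted to set domain to %s/n" in the second logprintf call ends in /n instead of \n, so the log line prints a literal "/n" and is left unterminated. Splitting the message into two logprintf calls also gives translators two sentence fragments whose order is fixed by the code; keeping the original single _("Cookie coming from %s attempted to set domain to %s\n") call with both quotearg_style arguments avoids both problems. Separately, cookie->discard_requested = true sits next to cookie->domain_exact = 1 in the same function, so the flag style should be consistent, and nothing in the visible lines shows where discard_requested is consumed: a note (or the Test #6 result from the thread) confirming the mismatched cookie is no longer sent would make the change easier to accept.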


I tested this and it passes all tests successfully.

On Wed, Feb 13, 2013 at 3:15 PM, Tim Ruehsen <address@hidden> wrote:

> On Wednesday 13 February 2013, Darshit Shah wrote:
> > But RFC 6265 5.3.6 also states:
> > >  If the canonicalized request-host does not domain-match the
> > >  domain-attribute:
> > >     Ignore the cookie entirely and abort these steps.
> > >
> > >  Otherwise:
> > >     Set the cookie's host-only-flag to false.
> > >
> > >     Set the cookie's domain to the domain-attribute.
> >
> > Since wget does indeed set the cookie's domain as the domain attribute
> > when it fails a domain-match, I don't think we should count it as a bug.
> > This also obsoletes Test #6 since now we do not need to test for that
> > erroneous cookie. Am I correct?
>
> No, you are not.
> Test #5 and #6 check if Wget behaves correctly in the case that "the
> canonicalized request-host does not domain-match the domain-attribute".
> Wget must ignore the cookie from test #5. But the test #6 shows that Wget
> does not ignore the cookie. That is a current bug within Wget cookie
> handling and should be fixed.
>
> >
> > On Wed, Feb 13, 2013 at 2:49 PM, Tim Ruehsen <address@hidden> wrote:
> > > Hi Darshit,
> > >
> > > > From what I read and understood, if the header does not domain-match,
> > > > wget should ignore the cookie. AFAIK, wget does successfully ignore
> > > > that cookie currently.
> > >
> > > Yes, that is a current bug of wget.
> > >
> > > > However, I cannot understand the output of wget:
> > > > "Cookie coming from localhost attempted to set domain to localhost"
> > > > That is cookie->domain and host were a match and yet it failed the
> > > > check_domain_match(cookie->domain, host)  call.
> > > > Is this a bug? I'll attempt getting and reading a stacktrace for the
> > > > same to get more information.
> > >
> > > Ángel already made it clear.
> > >
> > > > The sixth test in Test-cookies.px, is it meant to fail? My Perl is
> > > > terrible, and I've been trying to improve it. Does it mean that the
> > > > expected header for that cookie should NOT include "foo=bar"?
> > >
> > > Request #5 makes the server respond with a Cookie that does not match
> > > the request domain. This simulates a misbehaving server. Wget should
> > > ignore that cookie, which is tested in Request #6.
> > > "!Cookie" => qr|foo=bar|" means 'the Wget request must not contain a
> > > Cookie header containing foo=bar' (the server side checks that).
> > >
> > > Regards,
> > >
> > >       Tim Rühsen
>



-- 
Thanking You,
Darshit Shah
Research Lead, Code Innovation
Kill Code Phobia.
B.E.(Hons.) Mechanical Engineering, '14. BITS-Pilani.
TEDxBITSHyderabad:
Website: http://tedxbitshyderabad.com
Facebook Page: https://www.facebook.com/TedxBitsHyderabad
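
The RFC 6265 rule quoted in this thread (section 5.3, step 6), as an added C example that is not part of the original message and is not Wget's code: a Set-Cookie whose Domain attribute the request host does not domain-match is ignored, rather than stored under the request host as the pre-patch fallback did. The function names, the simplified IP-literal test and the sample hosts are assumptions made for the illustration; the public-suffix check of step 5 is left out.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Crude IP-literal test (assumption: all digits and dots, or contains ':'). */
static bool looks_like_ip(const char *h)
{
    if (strchr(h, ':')) return true;
    for (; *h; h++)
        if (!isdigit((unsigned char)*h) && *h != '.') return false;
    return true;
}

/* RFC 6265 5.1.3: does the request host domain-match `domain`? */
bool domain_match(const char *host, const char *domain)
{
    size_t hl = strlen(host), dl = strlen(domain);
    if (dl == 0) return false;
    if (strcasecmp(host, domain) == 0) return true;      /* identical */
    if (hl <= dl || looks_like_ip(host)) return false;   /* no suffix match for IPs */
    /* domain must be a suffix of host that starts at a '.' label boundary */
    return host[hl - dl - 1] == '.' && strcasecmp(host + hl - dl, domain) == 0;
}

enum verdict { COOKIE_HOST_ONLY, COOKIE_DOMAIN, COOKIE_IGNORED };
/* RFC 6265 5.3 step 6 for a Set-Cookie received from `host`.
   `attr` is the Domain attribute value, or NULL when it was absent. */
enum verdict cookie_domain_verdict(const char *host, const char *attr)
{
    if (attr && *attr == '.') attr++;              /* 5.2.3: drop a leading dot */
    if (!attr || !*attr) return COOKIE_HOST_ONLY;  /* store for this host only */
    return domain_match(host, attr) ? COOKIE_DOMAIN : COOKIE_IGNORED;
}

int main(void)
{
    /* Constructed sample inputs: {request host, Domain attribute}. */
    const char *cases[][2] = {
        {"www.example.com", "example.com"}, {"localhost", "other.example"},
        {"badexample.com", "example.com"},  {"www.example.com", NULL},
    };
    static const char *names[] = {"host-only", "domain cookie", "ignored"};
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s Domain=%-14s -> %s\n", cases[i][0], cases[i][1] ? cases[i][1] : "(absent)",
               names[cookie_domain_verdict(cases[i][0], cases[i][1])]);
    return 0;
}
```

The "badexample.com" case shows why a plain suffix comparison is not enough: the match has to begin at a label boundary.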

