Re: [Bug-wget] Implementing draft to update RFC6265


From: Kushagra Singh
Subject: Re: [Bug-wget] Implementing draft to update RFC6265
Date: Tue, 9 Feb 2016 01:23:06 +0530

Hi,

I worked on the new test today, it is functional after applying the
last patch suggested by Tim.

I am facing a problem here. I am trying to set a secure cookie over an
insecure connection (without applying my patch, so the test should fail).
The cookie, although being set (cross checked it in the log), is not being
saved in the file due to some reason I'm unable to figure out. I am sure
that it's not being saved as I tried printing the file content in the test
(it shows up in the log). Is there any reason it should not be getting
saved?

PFA the test and modifications to expected_files hook.

Kushagra



On Wed, Feb 3, 2016 at 1:46 PM, Darshit Shah <address@hidden> wrote:

> That's no problem. Just mentioning it, so the thread stays alive and
> we don't entirely forget about it.
>
> On 3 February 2016 at 09:11, Kushagra Singh
> <address@hidden> wrote:
> > I'm out of town right now, I'll be able to get back to it in a couple of
> > days. Sorry for the delay!
> >
> > Regards,
> > Kushagra
> >
> >
> > On Wed, 3 Feb 2016 13:39 Darshit Shah <address@hidden> wrote:
> >>
> >> That's fine. The patch was good.
> >>
> >> Now waiting on Kushagra's tests and his copyright assignment to go through
> >>
> >> On 1 February 2016 at 21:13, Tim Rühsen <address@hidden> wrote:
> >> > Oops, just pushed your patch accidentally (thanks anyway).
> >> > I wanted to wait for Darshit to confirm it...
> >> >
> >> > Regards, Tim
> >> >
> >> > On Sunday, 31 January 2016, 17:40:12, Ander Juaristi wrote:
> >> >> The test looks good to me, but I think I've spotted a bug _in the test
> >> >> engine_ where the 'RejectHeader' rule doesn't get enforced.
> >> >>
> >> >> You can strip the 'secure' parameter from this testcase and still it will
> >> >> pass. I've written a patch to fix this.
> >> >>
> >> >> I.e. this:
> >> >>
> >> >> ---request begin---
> >> >> GET /File2 HTTP/1.1
> >> >> User-Agent: Wget/1.16.3.168-be847 (linux-gnu)
> >> >> Accept: */*
> >> >> Accept-Encoding: identity
> >> >> Host: 127.0.0.1:44832
> >> >> Connection: Keep-Alive
> >> >> Cookie: sess-id=0213
> >> >>
> >> >> ---request end---
> >> >> HTTP request sent, awaiting response... 127.0.0.1 - - [31/Jan/2016
> >> >> 17:33:20]
> >> >> "GET /File2 HTTP/1.1" 200 -
> >> >>
> >> >> ---response begin---
> >> >> HTTP/1.1 200 OK
> >> >> Server: BaseHTTP/0.6 Python/3.4.3+
> >> >> Date: Sun, 31 Jan 2016 16:33:20 GMT
> >> >> content-length: 29
> >> >> content-type: text/plain
> >> >>
> >> >> versus this:
> >> >>
> >> >> ---request begin---
> >> >> GET /File2 HTTP/1.1
> >> >> User-Agent: Wget/1.16.3.168-be847 (linux-gnu)
> >> >> Accept: */*
> >> >> Accept-Encoding: identity
> >> >> Host: 127.0.0.1:37251
> >> >> Connection: Keep-Alive
> >> >> Cookie: sess-id=0213
> >> >>
> >> >> ---request end---
> >> >> HTTP request sent, awaiting response... 127.0.0.1 - - [31/Jan/2016
> >> >> 17:34:18]
> >> >> code 400, message Blacklisted Header Cookie received 127.0.0.1 - -
> >> >> [31/Jan/2016 17:34:18] "GET /File2 HTTP/1.1" 400 -
> >> >>
> >> >> ---response begin---
> >> >> HTTP/1.1 400 Blacklisted Header Cookie received
> >> >> Server: BaseHTTP/0.6 Python/3.4.3+
> >> >> Date: Sun, 31 Jan 2016 16:34:18 GMT
> >> >> Content-Type: text/html;charset=utf-8
> >> >> Connection: close
> >> >> Content-Length: 483
> >> >>
> >> >> ---response end---
> >> >> 400 Blacklisted Header Cookie received
> >> >> Header Cookie received
> >> >> URI content encoding = ‘utf-8’
> >> >> Disabling further reuse of socket 3.
> >> >> Closed fd 3
> >> >> 2016-01-31 17:34:18 ERROR 400: Blacklisted Header Cookie received.
> >> >>
> >> >> On 01/30/2016 09:31 PM, Kushagra Singh wrote:
> >> >> > Hi,
> >> >> >
> >> >> > I'm a bit stuck while writing tests. How do I test the fact that a secure
> >> >> > only cookie does not get saved over an insecure connection? Even if the
> >> >> > cookie gets saved, it will not be transmitted over an insecure connection
> >> >> > (cookie_matches_url() ensures that). So even though I can see in the log
> >> >> > that the cookie is not saved, I can't figure out how exactly to test that
> >> >> > in the test suite, since I cannot check using RejectHeader. Please find
> >> >> > attached the test I have written.
> >> >> >
> >> >> > And one thing I noticed, Test-Proto.py tries to import HTTP and HTTPS
> >> >> > classes from "misc.constants", which is wrong. It should be imported from
> >> >> > test.base_test right?
> >> >> >
> >> >> > Regards,
> >> >> > Kushagra
> >> >>
> >> >> Regards,
> >> >> - AJ
> >> >
> >> >
> >>
> >>
> >>
> >> --
> >> Thanking You,
> >> Darshit Shah
> >>
> >
>
>
>
> --
> Thanking You,
> Darshit Shah
>

Attachment: 0001-Added-Test-reject-secure-cookies.patch
Description: Text Data
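
One way to make the check asked about in this thread, as an added example that is not part of the thread or of wget's test suite: inspect the file written by `--save-cookies` and fail if a `Secure` cookie was stored for the plain-HTTP test server. It assumes the Netscape cookies.txt layout (seven tab-separated fields, host optionally followed by `:port`); the function names, the `lang` cookie and the sample file contents are constructed for illustration.

```python
from collections import namedtuple

Cookie = namedtuple("Cookie", "host port path secure expiry name value")

def parse_cookie_file(text):
    """Parse cookies.txt content into Cookie records, skipping comments."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # not a cookie record
        origin, _subdomains, path, secure, expiry, name, value = fields
        host, _, port = origin.partition(":")
        cookies.append(Cookie(host, int(port) if port else None, path,
                              secure == "TRUE", int(expiry), name, value))
    return cookies

def secure_cookies_for(text, host, port):
    """Names of Secure cookies stored for a server that only spoke plain HTTP."""
    return sorted(c.name for c in parse_cookie_file(text)
                  if c.secure and c.host == host and c.port in (None, port))

# Constructed samples, not real wget output. Each cookie carries an expiry
# time: wget writes cookies without one only under --keep-session-cookies.
STORED_ANYWAY = (
    "# HTTP cookie file (constructed sample)\n"
    "127.0.0.1:44832\tFALSE\t/\tTRUE\t2147483647\tsess-id\t0213\n"
    "127.0.0.1:44832\tFALSE\t/\tFALSE\t2147483647\tlang\ten\n"
)
REJECTED = (
    "# HTTP cookie file (constructed sample)\n"
    "127.0.0.1:44832\tFALSE\t/\tFALSE\t2147483647\tlang\ten\n"
)

if __name__ == "__main__":
    for label, content in (("stored anyway", STORED_ANYWAY),
                           ("rejected", REJECTED)):
        found = secure_cookies_for(content, "127.0.0.1", 44832)
        print(label, "->", "FAIL" if found else "PASS", found)
```

Unlike a `RejectHeader` rule, this check looks at what was stored rather than what was sent, so it is not masked by `cookie_matches_url()` withholding the cookie on insecure requests.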


reply via email to

[Prev in Thread] Current Thread [Next in Thread]