Re: [NSE] http library cookie bug
From: Patrik Karlsson <patrik () cqure net>
Date: Tue, 15 Mar 2011 22:36:18 +0100
On Mar 15, 2011, at 21:18, John Bond wrote:
On 15 March 2011 20:33, Patrik Karlsson <patrik () cqure net> wrote:
I think I ran into a bug when testing some code that handles cookies.
As far as I can understand from RFC 2109 "Attributes (names) (attr) are case-insensitive."
When the http-library parses the cookie, each name value pair is processed and a table field is dynamically created
using the following code:
cookie[name] = value
I'm testing against two different servers. One returns the cookie path value all lowercase and the second using a
leading capital P.
I think it would make more sense if the cookie attributes were always stored using lowercase table field names.
So I propose the following patch:
- cookie[name] = value
+ cookie[name:lower()] = value
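Review bot: on the `+` line, folding the key with `name:lower()` means a header that carries both `Path=` and `path=` now collapses into a single `cookie.path` field, with whichever is parsed last silently winning, and any existing script that reads `cookie.Path` will start getting nil. I would document next to this line that attribute keys are always stored in lower case and state which duplicate is meant to win. Leaving `value` untouched is right, since only the attribute name is case-insensitive.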
I'm not familiar with the specifics of the cookie RFCs; however, in HTTP
1.1 paths should be considered case-sensitive, so I suspect it is
the same for the path part of the HTTP cookie.
In this case, it's not actually the path value but the attribute name.
So consider the following examples:
Set-Cookie: A=B; path=/; domain=.foo.com
Set-Cookie: A=B; Path=/; domain=.foo.com
In the first example the path attribute would be accessible from the cookie table like this: cookie.path
While in the second example, you would need to do the following: cookie.Path
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
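The behaviour discussed in this thread, as an added example that is not part of the original messages or of Nmap's http library: a minimal Lua parser for a Set-Cookie header value that folds attribute names to lower case and leaves values untouched. The function name `parse_set_cookie`, the reserved-key check and the third sample header are assumptions made for illustration.

```lua
-- Added example (hypothetical helper, not the nmap http library's code).
-- Input is the header value, i.e. the text after "Set-Cookie: ".

local function trim(s)
  return s:match("^%s*(.-)%s*$")
end

local function parse_set_cookie(header)
  local cookie = {}
  local first = true
  for part in header:gmatch("[^;]+") do
    -- Split on the first "=" only, so values may themselves contain "=".
    local name, value = part:match("^%s*([^=]-)%s*=%s*(.-)%s*$")
    if first then
      if not name or name == "" then
        return nil, "missing name=value pair"
      end
      -- The cookie's own name and value keep their case.
      cookie.name, cookie.value = name, value
      first = false
    else
      if not name then
        name, value = trim(part), true   -- valueless attribute, e.g. Secure
      end
      local key = name:lower()           -- attribute names are case-insensitive
      -- Assumption: do not let an attribute overwrite the cookie's own fields.
      if key ~= "" and key ~= "name" and key ~= "value" then
        cookie[key] = value              -- value is stored unchanged
      end
    end
  end
  return cookie
end

local samples = {
  "A=B; path=/; domain=.foo.com",   -- from the thread
  "A=B; Path=/; domain=.foo.com",   -- from the thread
  "sid=AbC; PATH=/App; Secure",     -- constructed sample
}

for _, header in ipairs(samples) do
  local c = assert(parse_set_cookie(header))
  -- Whatever case the server used, only the lower-case field exists.
  assert(c.path ~= nil and c.Path == nil and c.PATH == nil)
  print(c.name, c.value, c.path, c.domain, c.secure)
end
```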