Re: [NSE] Tweaks for buildCookies() in nselib/http.lua

[George Chatzisofroniou <sophron () latthi com>]

Hi nnposter,

On Sat, Aug 10, 2013 at 09:19:25PM +0000, nnposter () users sourceforge net wrote:
> The following patch modifies interpretation of the cookie path in
> nselib/http.lua to make it more compliant with RFC 6265, Section 5.1.4.
> The current behavior is problematic in the following situations:
>
> * LUA regular expression meta-characters can get accidentally
>   interpreted, as opposed to being matched literally. False-positive
>   match:
>   - cookie path: "/foo"
>   - request path: "/fo.html"
>   
> * The matching is done against any location within a path, as opposed
>   to just the beginning. False-positive match:
>   - cookie path: "/bar"
>   - request path: "/foo/bar/baz"
>
> * The match end is not forced to be on a subdirectory boundary.
>   False-positive match:
>   - cookie path: "/foo"
>   - request path: "/foobar"

These changes look right. They were commited as revision 31735.

> In addition the patch allows use of path-less cookies. The assumption
> is that if a cookie does not have any path then the script wants them
> to be used. (If the original intent of the library has been the exact
> opposite, i.e. turning them into NOOPs, then it is trivial adjust the
> "if" condition in the patch accordingly.)

Correct me if i'm wrong but I don't think there is a reason for turning them
into NOOPs. I believe that *only* the 'name' and 'value' fields should be
required. I modified the documentation accordingly.
 
> The following patch trivially modifies the cookie header assembling
> logic to make it more compliant with RFC 6265, Section 4.2.1, which
> does not allow the trailing semicolon.

This also looks right. Applied as revision 31736.

Thanks,

-- 
George Chatzisofroniou
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/