Nmap Development mailing list archives
Re: [NSE] http library cookie bug
From: John Bond <john.r.bond () gmail com>
Date: Tue, 15 Mar 2011 21:18:04 +0100
On 15 March 2011 20:33, Patrik Karlsson <patrik () cqure net> wrote:
Hi, I think I ran into a bug when testing some code that handles cookies. As far as I can understand from RFC 2109 "Attributes (names) (attr) are case-insensitive." When the http-library parses the cookie, each name value pair is processed and a table field is dynamically created using the following code: cookie[name] = value I'm testing against two different servers. One returns the cookie path value all lowercase and the second using a leading capital P. I think it would make more sense if the cookie attributes were always stored using lowercase table field names. So I propose the following patch: - cookie[name] = value + cookie[name:lower()] = value
Im not familiar with the specifics of the cookie rfc's however in http 1.1 paths should be considered case-sensitive[1] so i suspect it is the same for the path part of the http cookie [1]http://www.faqs.org/rfcs/rfc2068.html --- RFC 2068 3.2.3 When comparing two URIs to decide if they match or not, a client SHOULD use a case-sensitive octet-by-octet comparison of the entire URIs, with these exceptions: o A port that is empty or not given is equivalent to the default port for that URI; o Comparisons of host names MUST be case-insensitive; o Comparisons of scheme names MUST be case-insensitive; o An empty abs_path is equivalent to an abs_path of "/". _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] http library cookie bug Patrik Karlsson (Mar 15)
- Re: [NSE] http library cookie bug John Bond (Mar 15)
- Re: [NSE] http library cookie bug Patrik Karlsson (Mar 15)
- Re: [NSE] http library cookie bug John Bond (Mar 15)
- Re: [NSE] http library cookie bug David Fifield (Mar 15)
- Re: [NSE] http library cookie bug Patrik Karlsson (Mar 15)
- Re: [NSE] http library cookie bug Ryan Dewhurst (Mar 15)
- Re: [NSE] http library cookie bug Patrik Karlsson (Mar 15)
- Re: [NSE] http library cookie bug John Bond (Mar 15)