Nmap Development mailing list archives
Re: [NSE] http library cookie bug
From: Patrik Karlsson <patrik () cqure net>
Date: Tue, 15 Mar 2011 22:36:18 +0100
On Mar 15, 2011, at 21:18 , John Bond wrote:
> On 15 March 2011 20:33, Patrik Karlsson <patrik () cqure net> wrote:
>> Hi,
>>
>> I think I ran into a bug when testing some code that handles cookies. As far as I can understand from RFC 2109, "Attributes (names) (attr) are case-insensitive." When the http-library parses the cookie, each name value pair is processed and a table field is dynamically created using the following code:
>>
>> cookie[name] = value
>>
>> I'm testing against two different servers. One returns the cookie path value all lowercase and the second using a leading capital P. I think it would make more sense if the cookie attributes were always stored using lowercase table field names. So I propose the following patch:
>>
>> - cookie[name] = value + cookie[name:lower()] = value
>
> I'm not familiar with the specifics of the cookie RFCs; however, in HTTP 1.1 paths should be considered case-sensitive[1], so I suspect it is the same for the path part of the HTTP cookie.
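Review bot: callers that read a mixed-case field today, such as `cookie.Path`, get nil once the `+` line stores the key as `name:lower()`, so the change should come with a check of existing scripts and a sentence in the library documentation stating that attribute names are stored in lowercase. On the same line, two attributes whose names differ only in case now overwrite each other silently, and `name:lower()` raises an error if `name` is ever nil, so a guard is worth adding if the parser can produce an empty name.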
In this case, it's not actually the path value but the attribute name. So consider the following examples:

Set-Cookie: A=B; path=/; domain=.foo.com
Set-Cookie: A=B; Path=/; domain=.foo.com

In the first example the path attribute would be accessible from the cookie table like this:

cookie.path

While in the second example, you would need to do the following:

cookie.Path

//Patrik

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
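The lookup difference described in the message above, as an added example that is not part of the original post and is not the Nmap http library's code: a stand-alone Lua parser run over the two header forms from the message, once keeping attribute names as sent and once lowercasing them. The function `parse_set_cookie`, its `normalize` switch and the `attributes` sub-table are assumptions made for illustration.

```lua
-- Added example, not the Nmap http library: parse_set_cookie, its
-- `normalize` flag and the `attributes` table are hypothetical names.

local function trim(s)
  return (s:match("^%s*(.-)%s*$"))
end

-- Parse the value of one Set-Cookie header into a table.
-- With normalize=true, attribute names are stored in lowercase so that
-- "Path", "PATH" and "path" all end up under attributes.path.
local function parse_set_cookie(header, normalize)
  local cookie = { attributes = {} }
  local first = true
  for part in header:gmatch("[^;]+") do
    local name, value = part:match("^%s*([^=]-)%s*=%s*(.-)%s*$")
    if not name then
      -- Flag attribute without "=" (for example Secure or HttpOnly).
      name, value = trim(part), true
    end
    if name ~= "" then
      if first then
        -- First pair is the cookie itself; this example leaves it as sent.
        cookie.name, cookie.value = name, value
        first = false
      else
        local key = normalize and name:lower() or name
        cookie.attributes[key] = value
      end
    end
  end
  return cookie
end

-- Constructed sample input: the two header forms quoted in the message,
-- plus a flag attribute to exercise the no-"=" branch.
local samples = {
  "A=B; path=/; domain=.foo.com",
  "A=B; Path=/; domain=.foo.com; HttpOnly",
}

for _, header in ipairs(samples) do
  local raw = parse_set_cookie(header, false)
  local norm = parse_set_cookie(header, true)
  print(header)
  print("  as sent:    path =", raw.attributes.path, "Path =", raw.attributes.Path)
  print("  lowercased: path =", norm.attributes.path, "httponly =", norm.attributes.httponly)
end
```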