Nmap Development mailing list archives
Re: [NSE] http library cookie bug
From: Ryan Dewhurst <ryandewhurst () gmail com>
Date: Tue, 15 Mar 2011 21:46:48 +0000
Just playing devil's advocate here. What if the server expects cookie attributes to be in the same case it sent them in?

On Tue, Mar 15, 2011 at 9:43 PM, Patrik Karlsson <patrik () cqure net> wrote:
> On Mar 15, 2011, at 22:37 , David Fifield wrote:
>> On Tue, Mar 15, 2011 at 09:18:04PM +0100, John Bond wrote:
>>> On 15 March 2011 20:33, Patrik Karlsson <patrik () cqure net> wrote:
>>>> Hi,
>>>>
>>>> I think I ran into a bug when testing some code that handles cookies. As far as I can understand from RFC 2109 "Attributes (names) (attr) are case-insensitive."
>>>> When the http-library parses the cookie, each name value pair is processed and a table field is dynamically created using the following code:
>>>> cookie[name] = value
>>>>
>>>> I'm testing against two different servers. One returns the cookie path value all lowercase and the second using a leading capital P.
>>>> I think it would make more sense if the cookie attributes were always stored using lowercase table field names.
>>>> So I propose the following patch:
>>>> - cookie[name] = value + cookie[name:lower()] = value
>>>
>>> I'm not familiar with the specifics of the cookie RFCs, however in HTTP 1.1 paths should be considered case-sensitive[1] so I suspect it is the same for the path part of the HTTP cookie
>>
>> Patrik is talking about the string "Path" or "path", not the path itself. Patrik, I think your change makes sense and you can do it. It will be just like the way we handle header fields.
>
> I've committed the change.
>
>> David Fifield
>> _______________________________________________
>> Sent through the nmap-dev mailing list
>> http://cgi.insecure.org/mailman/listinfo/nmap-dev
>> Archived at http://seclists.org/nmap-dev/
>
> //Patrik
> --
> Patrik Karlsson
> http://www.cqure.net
> http://www.twitter.com/nevdull77
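
Review bot: `name:lower()` in the added line is applied to whatever `name` holds, so if this assignment also runs for the cookie's own NAME=VALUE pair and not only for attributes such as Path, the cookie's name would be stored lowercased and could later be sent back in a different case than the server used. Worth confirming the line is reached only for attributes, and documenting that attribute keys are now lowercase, because a script that reads `cookie.Path` gets nil after this change. Note also that when a response carries the same attribute twice in different case, the later value now silently overwrites the earlier one.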
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
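
The normalization discussed in this thread, as an added example that is not part of any message and is not the Nmap http library's code: a hypothetical `parse_set_cookie` helper lowercases attribute names such as `Path` while leaving the cookie's own name and value in the case the server sent. The two header strings are constructed sample input.

```lua
-- Added illustration. parse_set_cookie is a hypothetical helper, not the
-- parser in Nmap's http library. Simplification: it splits on ";" and does
-- not handle quoted values that themselves contain ";".
local function trim(s)
  return s:match("^%s*(.-)%s*$")
end

local function parse_set_cookie(header)
  local cookie = {}
  local first = true
  for part in header:gmatch("[^;]+") do
    local name, value = part:match("^%s*([^=]-)%s*=%s*(.-)%s*$")
    if not name then
      -- Attribute without a value, such as Secure.
      name, value = trim(part), true
    end
    if name ~= "" then
      if first then
        -- The cookie's own NAME=VALUE pair is kept exactly as received.
        cookie.name, cookie.value = name, value
        first = false
      else
        -- Attribute names are case-insensitive: use one canonical key.
        local key = name:lower()
        -- Do not let an attribute overwrite the cookie's own fields.
        if key ~= "name" and key ~= "value" then
          cookie[key] = value
        end
      end
    end
  end
  return cookie
end

-- Constructed Set-Cookie values, as two servers might send them.
local samples = {
  "SID=AbC123; Path=/App; Secure",
  "SID=AbC123; path=/App; secure",
}

for _, header in ipairs(samples) do
  local c = parse_set_cookie(header)
  -- Both spellings are found under the same lowercase key.
  assert(c.name == "SID" and c.value == "AbC123")
  assert(c.path == "/App" and c.secure == true)
  print(c.name, c.value, c.path, c.secure)
end
```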