Re: [NSE] http library cookie bug

[David Fifield <david () bamsoftware com>]

On Tue, Mar 15, 2011 at 09:18:04PM +0100, John Bond wrote:
> On 15 March 2011 20:33, Patrik Karlsson <patrik () cqure net> wrote:
> > Hi,
> >
> > I think I ran into a bug when testing some code that handles cookies.
> > As far as I can understand from RFC 2109 "Attributes (names) (attr) are case-insensitive."
> >
> > When the http-library parses the cookie, each name value pair is processed and a table field is dynamically created 
> > using the following code:
> > cookie[name] = value
> >
> > I'm testing against two different servers. One returns the cookie path value all lowercase and the second using a 
> > leading capital P.
> > I think it would make more sense if the cookie attributes were always stored using lowercase table field names.
> > So I propose the following patch:
> >
> > - cookie[name] = value
> > + cookie[name:lower()] = value
>
> Im not familiar with the specifics of the cookie rfc's however in http
> 1.1 paths should be considered case-sensitive[1] so i suspect it is
> the same for the path part of the http cookie

Patrik is talking about the string "Path" or "path", not the path
itself. Patrik, I think your change makes sense and you can do it. It
will be just like the way we handle header fields.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/