Commit 5d84b765 authored by Matthew Phillips's avatar Matthew Phillips Committed by ROOL

Further correction for domain matching

The old-style cookie support stores the cookie domains with a leading full
stop (e.g. .riscosopen.org) but if a cookie was created with HTTP_AddCookie
you could get round this restriction.  A cookie with domain riscosop.org
created that way would have matched the host domain www.riscosopen.org.

This change fixes that. This code will need to be revisited to implement
RFC 6265 because of host-only matching and stripping the leading full stops,
but for the moment this removes a domain-matching bug in the old-style cookie
support.

Version 1.08. Tagged as 'HTTP-1_08'
parent db985446
/* (1.07)
/* (1.08)
*
* This file is automatically maintained by srccommit, do not edit manually.
*
*/
#define Module_MajorVersion_CMHG 1.07
#define Module_MajorVersion_CMHG 1.08
#define Module_MinorVersion_CMHG
#define Module_Date_CMHG 24 Jan 2022
#define Module_Date_CMHG 09 Feb 2022
#define Module_MajorVersion "1.07"
#define Module_Version 107
#define Module_MajorVersion "1.08"
#define Module_Version 108
#define Module_MinorVersion ""
#define Module_Date "24 Jan 2022"
#define Module_Date "09 Feb 2022"
#define Module_ApplicationDate "24-Jan-22"
#define Module_ApplicationDate "09-Feb-22"
#define Module_ComponentName "HTTP"
#define Module_FullVersion "1.07"
#define Module_HelpVersion "1.07 (24 Jan 2022)"
#define Module_LibraryVersionInfo "1:7"
#define Module_FullVersion "1.08"
#define Module_HelpVersion "1.08 (09 Feb 2022)"
#define Module_LibraryVersionInfo "1:8"
......@@ -621,12 +621,21 @@ static char *cookie_look_for_cookies(char *domain, char *path, Session *ses)
int match_len = strlen(cookie_domain->domain);
int cmp = strncmp(domain, cookie_domain->domain, match_len);
/* Check case where cookie domain matches domain with full stop added. */
if ( strlen(domain) == match_len-1 &&
if ( cmp && strlen(domain) == match_len-1 &&
cookie_domain->domain[match_len-1] == '.' &&
!strncmp(domain, cookie_domain->domain, match_len-1)
) {
cmp = 0;
}
/* If cookie domain does not end with full stop, check next
* character in domain is a full stop
*/
if ( !cmp && cookie_domain->domain[match_len-1] != '.' &&
domain[match_len] != '.' && domain[match_len] != '\0' ) {
cmp = 1;
}
/* Check the domain for this cookie domain; they are sorted; quit loop if we know
* that we've definitely not got any more matching domains to save time
*/
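Review bot: The added test `cookie_domain->domain[match_len-1] != '.'` reads one byte before the start of the string when `match_len` is 0, because `strncmp` with a length of 0 returns 0 and `!cmp` is then true. The earlier check short-circuits before it indexes, so this out-of-bounds read is new in this change. Whether an empty domain can be stored at all (for example through HTTP_AddCookie) is not visible in this hunk, so either confirm that it is rejected on insertion or make the guard explicit with `if ( !cmp && match_len > 0 && cookie_domain->domain[match_len-1] != '.' &&`. It is also worth deciding whether an empty stored domain should ever count as a match, since with that guard alone it would match every host. The loop body of cookie_look_for_cookies continues outside the hunk, so how `cmp` is used afterwards should be checked against whichever option is chosen.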