mirror of https://github.com/rkd77/elinks.git synced 2024-06-14 23:32:27 +00:00
Ian Jackson 9bb3415811 cookies: Properly handle cookie path= equal to request path
The code in cookies.c would arrange that c->path would always contain
a string ending in "/".  This may have been an attempt to make it
easier to do a proper subpath check in is_path_prefix.

However, the overall result is wrong in the case
   Set-Cookie: ....;path=/some/thing
and then later
   http://site.example.com/some/thing

c->path gets set to "/some/thing/" which doesn't pass the test in
is_path_prefix.

The precise required algorithm is described in RFC6265 5.1.4.  The
existing code fails to implement the first of the three bulleted
conditions at the end of 5.1.4.

The trailing "/" is actually not so helpful for this.  It is more
convenient to change is_path_prefix to do subpath matching directly:
we change it to insist that the supposed path prefix is a textual
prefix of the request path, *and* that this happens at a path segment
boundary: ie at '/' or end of string.[1]

Accordingly, we no longer add "/" to the cookie path.  When we strip
the final path element we strip the "/" too.  We still insert a "/" if
the path was empty.

[1] It is not 100% clear to me what "path" (URI_PATH) is but I think
it does not include any query parameters.  If I am wrong about that
then '?' should be tolerated too.

CC: Mark Wooding <mdw@distorted.org.uk>
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2020-05-09 14:33:45 +02:00
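
The path-match and default-path rules of RFC 6265 section 5.1.4 that the commit message above refers to, as an added example; this is not the ELinks patch or its is_path_prefix. The function names path_match and default_path and the sample paths are made up for illustration, and the request path is assumed to carry no query string.

```c
#include <stdio.h>
#include <string.h>

/* RFC 6265 5.1.4 path-match (hypothetical helper, not ELinks code).
 * Returns 1 if a cookie scoped to cookie_path applies to request_path. */
int path_match(const char *cookie_path, const char *request_path)
{
	size_t clen = strlen(cookie_path);

	/* The cookie path must be a non-empty textual prefix of the request path. */
	if (clen == 0 || strncmp(cookie_path, request_path, clen) != 0)
		return 0;
	if (request_path[clen] == '\0')      /* condition 1: identical */
		return 1;
	if (cookie_path[clen - 1] == '/')    /* condition 2: prefix ends in '/' */
		return 1;
	return request_path[clen] == '/';    /* condition 3: next segment starts */
}

/* RFC 6265 5.1.4 default-path: drop the final path element and its '/',
 * falling back to "/" when nothing is left. Returns -1 if out is too small. */
int default_path(const char *uri_path, char *out, size_t outsz)
{
	const char *last = (uri_path[0] == '/') ? strrchr(uri_path, '/') : NULL;
	size_t len = (last && last != uri_path) ? (size_t)(last - uri_path) : 0;

	if (len == 0) {                      /* empty, relative, or a single '/' */
		if (outsz < 2) return -1;
		strcpy(out, "/");
		return 0;
	}
	if (len >= outsz) return -1;
	memcpy(out, uri_path, len);
	out[len] = '\0';
	return 0;
}

int main(void)
{
	/* Constructed request paths checked against Set-Cookie path=/some/thing. */
	static const char *req[] = { "/some/thing", "/some/thing/else", "/some/thingelse", "/some" };
	char dflt[64];
	size_t i;

	for (i = 0; i < sizeof req / sizeof req[0]; i++)
		printf("%-18s -> %d\n", req[i], path_match("/some/thing", req[i]));
	printf("trailing-slash form -> %d\n", path_match("/some/thing/", "/some/thing"));
	if (default_path("/some/thing", dflt, sizeof dflt) == 0)
		printf("default path: %s\n", dflt);
	return 0;
}
```

The "/some/thingelse" case is the one a plain prefix comparison gets wrong: without the boundary check the cookie would be sent outside the path it was scoped to.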
config Fix compatibility with Ruby >= 1.9 2018-03-09 17:34:30 -05:00
contrib Update watch file 2020-02-05 16:22:40 +01:00
doc document the -remote search(string) function 2020-05-03 16:31:44 +02:00
po [po] Updated Polish translation 2019-11-19 17:59:17 +01:00
src cookies: Properly handle cookie path= equal to request path 2020-05-09 14:33:45 +02:00
test [python3] big_file.cgi ported to Python3. Refs #38 2020-01-03 20:20:43 +01:00
Unicode Unicode/gen-case: Upgrade ISC licence to July 2007 version 2012-11-03 23:01:28 +02:00
.gitignore gitignore: Add *.o for git status compatibility 2007-08-28 14:57:35 +02:00
.mailmap Add .mailmap file to help git-shortlog 2007-04-15 22:08:11 +02:00
ABOUT-NLS Initial commit of the HEAD branch of the ELinks CVS repository, as of 2005-09-15 15:58:31 +02:00
AUTHORS AUTHORS: Kamil Dudka has made three more changes 2012-11-03 23:01:29 +02:00
autogen.sh Add -I config/m4 to aclocal. 2017-11-25 20:58:26 +01:00
BUGS Drop .or from elinks.or.cz. 2005-12-29 04:35:02 +00:00
ChangeLog Changed version. 2019-12-27 17:33:27 +01:00
configure.ac [python3] python3 for asciidoc 2020-01-04 20:12:34 +01:00
COPYING Rename configure.in to configure.ac 2017-11-22 17:01:48 -05:00
features.conf Added CONFIG_TERMINFO to features.conf 2017-11-27 20:37:09 +01:00
GOALS Some goals for development 2017-11-29 17:38:39 +01:00
INSTALL add autogen.sh to compiling instructions 2019-09-30 17:57:47 +02:00
Makefile Rename configure.in to configure.ac 2017-11-22 17:01:48 -05:00
Makefile.config.in [python3] python3 for asciidoc 2020-01-04 20:12:34 +01:00
Makefile.lib Revert "Compile with C++." 2019-04-21 12:27:40 +02:00
NEWS [NEWS] Info about 0.13.1 2020-01-31 17:48:44 +01:00
README [README] Some notes about felinks origin 2020-02-04 11:58:12 +01:00
README.md - README.md 2017-11-11 13:13:37 +01:00
SITES [sites] URL to github 2019-12-20 14:44:50 +01:00
THANKS THANKS: Remove link to HSTI webpage as the domain is for sale. 2006-11-08 20:53:01 +02:00
TODO Merge with http://elinks.cz/elinks.git#elinks-0.12 2007-07-09 16:03:06 +03:00

felinks

Fork of elinks