hosed cookie handling

Waldo Bastian bastian at kde.org
Sat Dec 21 17:35:08 GMT 2002


On Saturday 21 December 2002 10:15, Dirk Mueller wrote:
> Hi,
>
> below a patch to make cookies work again in Konqueror.
>
> I still don't think implementing the broken netscape spec is a good idea
> (it's not even implemented by IE, which means something!),

I'm pretty sure IE implements netscape cookies, maybe you mean that IE 
implements netscape cookies differently from the netscape spec wrt the path 
check?

> because it
> introduces a less strict cookie checking than all other browsers, including
> those which are vulnerable to cookie stealing attacks (IE). And I'm sick
> of doing another security update just because we introduce such a
> compatibility hack that no other browser does AFAIK.

We did not introduce a compatibility hack. I introduced stricter path checking 
for rfc compliant cookies.

> The patch corrects various errors in the matching code introduced by the
> last commit and gives it at least somewhat IE - compatible mode with
> mProtocolVersion == 0 (no idea what that means).

Cookies that follow the netscape spec have mProtocolVersion == 0
Cookies that follow the rfc spec have mProtocolVersion == 1

I don't understand what you mean with "IE - compatible" mode though, from the 
look of our patch it seems very incompatible with everything else.

> The old cookie spec says
> that the file extension doesn't matter, not more. So the path still has to
> end with "." (actually it should check for the last . in the filename but I
> guess that doesn't matter much).

I have no idea what you are talking about, afaik the netscape cookie spec does 
not mention the word "file extension" at all, at least not the version that I 
have. Could you quote the relevant section here?

> In addition, at least mailman registered the cookie with path ==
> "/mailman/", so the path check had an off-by-one.

The path check is ok for path == "/mailman", it requires an additional check 
to handle path == "/mailman/".

> I'm not sure if other
> sites do it differently, I guess we have to add some path normalisation in
> a sane place to catch the "trailing slash" problem.
>
> BTW, I've also seen the broken "TLD" check in ::extractDomains. It for
> example does not handle .name domains correctly, which have i.e.
> "dirk.mueller.name" as toplevel domain, not "mueller.name".

The toplevel domain is ".name". I assume that what you mean is that 
"mueller.name" should also be treated as a toplevel domain in order to 
prevent "dirk.mueller.name" from setting a cookie for "mueller.name" so that 
it doesn't end up with "karin.mueller.name".

Cheers,
Waldo
-- 
bastian at kde.org -=|[ SuSE, The Linux Desktop Experts ]|=- bastian at suse.com
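
The trailing-slash case discussed above, as an added example that is not part of the original message and is not KCookieJar code: a plain prefix comparison next to a segment-aware match that accepts both "/mailman" and "/mailman/" as cookie paths. The function names are hypothetical, and the matching rule is the one later written down in RFC 6265, section 5.1.4, not the Netscape or older RFC text under discussion in the thread.

```cpp
#include <iostream>
#include <string>

// Hypothetical helper names for illustration; not taken from KCookieJar.

// Naive check: plain string-prefix comparison, no notion of path segments.
bool naivePrefixMatch(const std::string &cookiePath, const std::string &requestPath)
{
    return requestPath.compare(0, cookiePath.size(), cookiePath) == 0;
}

// Segment-aware check: the cookie path must end on a '/' boundary of the
// request path (rule as stated in RFC 6265, section 5.1.4).
bool segmentPathMatch(const std::string &cookiePath, const std::string &requestPath)
{
    if (cookiePath.empty() || cookiePath[0] != '/')
        return false;                             // not an absolute path
    if (requestPath.compare(0, cookiePath.size(), cookiePath) != 0)
        return false;                             // not a prefix at all
    if (requestPath.size() == cookiePath.size())
        return true;                              // identical paths
    if (cookiePath.back() == '/')
        return true;                              // "/mailman/" already ends on a boundary
    return requestPath[cookiePath.size()] == '/'; // "/mailman" must be followed by '/'
}

int main()
{
    // Constructed sample inputs: {cookie path, request path}.
    const char *cases[][2] = {
        {"/mailman",  "/mailman/listinfo"},
        {"/mailman/", "/mailman/listinfo"},
        {"/mailman",  "/mailmanager/private"},
        {"/mailman/", "/mailman"},
    };
    for (const auto &c : cases) {
        std::cout << c[0] << " vs " << c[1]
                  << "  naive=" << naivePrefixMatch(c[0], c[1])
                  << "  segment=" << segmentPathMatch(c[0], c[1]) << "\n";
    }
    return 0;
}
```

The third case is the one the plain prefix test gets wrong: a cookie scoped to "/mailman" would also be sent to an unrelated "/mailmanager" application on the same host.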





More information about the kfm-devel mailing list