hosed cookie handling

Dawit A. adawit at kde.org
Sun Dec 22 03:03:39 GMT 2002 

> > The old cookie spec says
> > that the file extension doesn't matter, not more. so the path still has
> > to end with "." (actually it should check for the last . in the filename
> > but I guess that doesn't matter much).
>
> I have no idea what you are talking about, afaik the netscape cookie spec
> does not mention the word "file extension" at all, at least not the version
> that I have. Could you quote the relevant section here?

I am surpsied by this as well.  I have looked at all the three relevant specs 
and I did not see anything about this either.  Perhaps I missed it as well. I 
see no situation where checking for a '.' would be  relevant though...

> > In addition, at least mailman registered the cookie with path ==
> > "/mailman/", so the path check had an off-by-one.
>
> The path check is ok for path == "/mailman", it requires an additional
> check to handle path == "/mailman/".

Hmm... doesn't the startsWith check already handle that ?

> > I'm not sure if other
> > sites do it differently, I guess we have to add some path normalisation
> > in a sane place to catch the "trailing slash" problem.
> >
> > BTW, I've also seen the broken "TLD" check in ::extractDomains. It for
> > example does not handle .name domains correctly, which have i.e.
> > "dirk.mueller.name" as toplevel domain, not "mueller.name".
>
> The toplevel domain is ".name". I assume that what you mean is that
> "mueller.name" should also be treated as a toplevel domain in order to
> prevent "dirk.mueller.name" from setting a cookie for "mueller.name" so
> that it doesn't end up with "karin.mueller.name".

I think he means that and it can easily be addressed by treating the .name as 
we do IP addresses.  However, I am still not certain whether or not 
"foo.name" is allowed as a valid address.  In that case would someone else be 
able to register bar.foo.name.  I hope this is not the case since it would be 
impossible to properly deal with cookies for such cases, but strangest things 
have happened with domain name registars.  I mean the .xx TLD's 
(country-code) domains are a perfect example the mess that can happen.  I do 
not think even George's fix in ksslinfo deals with all the corner cases 
properly.  Does it George ?

Regards,
Dawit A.

More information about the kfm-devel mailing list