[Lynx-dev] Silently rejecting '.domain.tld' cookies from http://domain.t
From: Claudio Calvelli
Subject: [Lynx-dev] Silently rejecting '.domain.tld' cookies from http://domain.tld
Date: Sat, 26 Apr 2008 14:36:44 +0100
(I looked through the mailing list archives but I can't see anything
about this, most of the discussion seems to be about cookie paths
rather than domains)
I noticed this trying to log in to https://launchpad.net/ with 2.8.7dev.8
(and older versions). The server tries to set a cookie, but lynx
discards it silently. The server sends:
Set-Cookie: ... Domain=.launchpad.net; ...
the trace shows:
/tmp/lynx2-8-7/src/LYCookie.c: 442: store_cookie: Rejecting domain
'.launchpad.net' for host 'launchpad.net'.
I understand that a host name 'domain.tld' can only set cookies for
itself (unlike 'www.domain.tld'), however shouldn't lynx ask the user
rather than discarding the cookies silently?
I made a patch to accept the invalid cookie in the special case of
domain.tld setting a cookie for .domain.tld - so I could log in to
the site. It doesn't tell the user that the cookie is invalid, it
just gives the normal "Allow? (Y/N/Always/neVer)" prompt. If people
think that this is acceptable, the patch is below.
C
--- src/LYCookie.c-orig 2008-04-26 10:08:09.000000000 +0100
+++ src/LYCookie.c 2008-04-26 11:05:15.000000000 +0100
@@ -226,6 +226,17 @@
if (!strcasecomp((A + diff), B))
return YES;
}
+
+ /*
+ * a site "domain.tld" wishing to provide cookies for ".domain.tld"
+ * will not be matched by the above; the problem happens for example
+ * when one tries to login to launchpad.net; the cookie spec is
+ * unclear about this special case
+ */
+ if (diff == -1) {
+ if (!strcasecomp(A, (B - diff)))
+ return YES;
+ }
}
return NO;
}
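Review bot: The new diff == -1 branch never checks that the extra leading character of B is a dot. With diff == -1, B - diff is B + 1, so the comparison skips B's first character whatever it is. Assuming diff is the length difference between the two strings, as the context line using A + diff suggests, a domain such as "xlaunchpad.net" would match host "launchpad.net" just as ".launchpad.net" does. Suggest if (diff == -1 && B[0] == '.') and writing B + 1 instead of B - diff for readability; the second hunk already tests co->domain[0] == '.' for the same special case. The comment should also say which argument is the host and which is the cookie domain.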
@@ -678,7 +689,9 @@
next = hl->next;
if ((co) && /* speed-up host_matches() and limit trace
output */
- (LYstrstr(hostname, co->domain) != NULL)) {
+ (LYstrstr(hostname, co->domain) != NULL ||
+ /* special case, see note in host_matches() */
+ (co->domain[0] == '.' && strcasecmp(hostname, co->domain+1) ==
0))) {
CTrace((tfp, "Checking cookie %p %s=%s\n",
hl,
(co->name ? co->name : "(no name)"),
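Review bot: The added condition calls strcasecmp, while the first hunk and its context line use strcasecomp for the same kind of comparison. Use strcasecomp(hostname, co->domain + 1) here so both places go through the same helper and the build does not depend on the platform providing strcasecmp. The added comment would also read better above the whole condition than in the middle of the || expression.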