summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2018-06-05 15:49:53 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-06-05 15:49:53 +0200
commita421f38160599152cd409e4fabd434a224f78487 (patch)
tree17dc065d853bd84d86ab048f5642b39ce930dc51
parente0058147fa1d88eaafd57aac50eba31d2600cc96 (diff)
downloadUXP-a421f38160599152cd409e4fabd434a224f78487.tar
UXP-a421f38160599152cd409e4fabd434a224f78487.tar.gz
UXP-a421f38160599152cd409e4fabd434a224f78487.tar.lz
UXP-a421f38160599152cd409e4fabd434a224f78487.tar.xz
UXP-a421f38160599152cd409e4fabd434a224f78487.zip
Port our stricter cookie gating.
This addresses the critical section of #449.
-rw-r--r--netwerk/cookie/nsCookieService.cpp38
1 files changed, 25 insertions, 13 deletions
diff --git a/netwerk/cookie/nsCookieService.cpp b/netwerk/cookie/nsCookieService.cpp
index cf1d91e2d..1c4e5e740 100644
--- a/netwerk/cookie/nsCookieService.cpp
+++ b/netwerk/cookie/nsCookieService.cpp
@@ -3348,12 +3348,16 @@ nsCookieService::SetCookieInternal(nsIURI *aHostURI,
return newCookie;
}
+ // Note: For now we allow 0x20 (Space) in cookie names.
+ // Some websites apparently use cookie names with spaces in them, and the RFC
+ // doesn't exactly specify what to do in that case, so it's better to keep
+ // wider compatibility.
const char illegalNameCharacters[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C,
0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12,
0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E,
- 0x1F, 0x00 };
+ 0x1F, /* 0x20, */ 0x00 };
if (cookieAttributes.name.FindCharInSet(illegalNameCharacters, 0) != -1) {
COOKIE_LOGFAILURE(SET_COOKIE, aHostURI, savedCookieHeader, "invalid name character");
return newCookie;
@@ -3374,18 +3378,26 @@ nsCookieService::SetCookieInternal(nsIURI *aHostURI,
return newCookie;
}
- // reject cookie if value contains an RFC 6265 disallowed character - see
- // https://bugzilla.mozilla.org/show_bug.cgi?id=1191423
- // NOTE: this is not the full set of characters disallowed by 6265 - notably
- // 0x09, 0x20, 0x22, 0x2C, 0x5C, and 0x7F are missing from this list. This is
- // for parity with Chrome. This only applies to cookies set via the Set-Cookie
- // header, as document.cookie is defined to be UTF-8. Hooray for
- // symmetry!</sarcasm>
- const char illegalCharacters[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
- 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16,
- 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D,
- 0x1E, 0x1F, 0x3B, 0x00 };
+ // Reject cookie if value contains an RFC 6265 disallowed character.
+ // See RFC 6265 section 4.1.1
+ // XXX: For now we allow for web compatibility (see issue #357):
+ // 0x20 (Space)
+ // 0x22 (DQUOTE)
+ // 0x2C (Comma)
+ // 0x5C (Backslash)
+ //
+ // FIXME: Before removing DQUOTE from the exceptions list:
+ // DQUOTE *cookie-octet DQUOTE is permitted and would fail if just removed.
+ // This needs better checking for first and last character allowing
+ // DQUOTE but not in the actual value.
+ //
+ // This only applies to cookies set via the Set-Cookie header, since
+ // document.cookie is defined to be UTF-8.
+ const char illegalCharacters[] = {
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B,
+ 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16,
+ 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, /* 0x20, 0x22, */
+ /* 0x2C, */ 0x3B, /* 0x5C, */ 0x7F, 0x00 };
if (aFromHttp && (cookieAttributes.value.FindCharInSet(illegalCharacters, 0) != -1)) {
COOKIE_LOGFAILURE(SET_COOKIE, aHostURI, savedCookieHeader, "invalid value character");
return newCookie;