diff options
author | wolfbeast <mcwerewolf@gmail.com> | 2018-06-05 15:49:53 +0200 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-06-05 15:49:53 +0200 |
commit | a421f38160599152cd409e4fabd434a224f78487 (patch) | |
tree | 17dc065d853bd84d86ab048f5642b39ce930dc51 | |
parent | e0058147fa1d88eaafd57aac50eba31d2600cc96 (diff) | |
download | UXP-a421f38160599152cd409e4fabd434a224f78487.tar UXP-a421f38160599152cd409e4fabd434a224f78487.tar.gz UXP-a421f38160599152cd409e4fabd434a224f78487.tar.lz UXP-a421f38160599152cd409e4fabd434a224f78487.tar.xz UXP-a421f38160599152cd409e4fabd434a224f78487.zip |
Port our stricter cookie gating.
This addresses the critical section of #449.
-rw-r--r-- | netwerk/cookie/nsCookieService.cpp | 38 |
1 files changed, 25 insertions, 13 deletions
diff --git a/netwerk/cookie/nsCookieService.cpp b/netwerk/cookie/nsCookieService.cpp index cf1d91e2d..1c4e5e740 100644 --- a/netwerk/cookie/nsCookieService.cpp +++ b/netwerk/cookie/nsCookieService.cpp @@ -3348,12 +3348,16 @@ nsCookieService::SetCookieInternal(nsIURI *aHostURI, return newCookie; } + // Note: For now we allow 0x20 (Space) in cookie names. + // Some websites apparently use cookie names with spaces in them, and the RFC + // doesn't exactly specify what to do in that case, so it's better to keep + // wider compatibility. const char illegalNameCharacters[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, - 0x1F, 0x00 }; + 0x1F, /* 0x20, */ 0x00 }; if (cookieAttributes.name.FindCharInSet(illegalNameCharacters, 0) != -1) { COOKIE_LOGFAILURE(SET_COOKIE, aHostURI, savedCookieHeader, "invalid name character"); return newCookie; @@ -3374,18 +3378,26 @@ nsCookieService::SetCookieInternal(nsIURI *aHostURI, return newCookie; } - // reject cookie if value contains an RFC 6265 disallowed character - see - // https://bugzilla.mozilla.org/show_bug.cgi?id=1191423 - // NOTE: this is not the full set of characters disallowed by 6265 - notably - // 0x09, 0x20, 0x22, 0x2C, 0x5C, and 0x7F are missing from this list. This is - // for parity with Chrome. This only applies to cookies set via the Set-Cookie - // header, as document.cookie is defined to be UTF-8. Hooray for - // symmetry!</sarcasm> - const char illegalCharacters[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, - 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, - 0x1E, 0x1F, 0x3B, 0x00 }; + // Reject cookie if value contains an RFC 6265 disallowed character. + // See RFC 6265 section 4.1.1 + // XXX: For now we allow for web compatibility (see issue #357): + // 0x20 (Space) + // 0x22 (DQUOTE) + // 0x2C (Comma) + // 0x5C (Backslash) + // + // FIXME: Before removing DQUOTE from the exceptions list: + // DQUOTE *cookie-octet DQUOTE is permitted and would fail if just removed. + // This needs better checking for first and last character allowing + // DQUOTE but not in the actual value. + // + // This only applies to cookies set via the Set-Cookie header, since + // document.cookie is defined to be UTF-8. + const char illegalCharacters[] = { + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, + 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, + 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, /* 0x20, 0x22, */ + /* 0x2C, */ 0x3B, /* 0x5C, */ 0x7F, 0x00 }; if (aFromHttp && (cookieAttributes.value.FindCharInSet(illegalCharacters, 0) != -1)) { COOKIE_LOGFAILURE(SET_COOKIE, aHostURI, savedCookieHeader, "invalid value character"); return newCookie; |