Library http.lua does not correctly parse certain cases of the Set-Cookie header.
Consider the following HTTP response:
Set-Cookie: c2=bbb; expires=Sun, 25-Oct-2015 04:35:13 GMT
The current code parses the headers as follows:
Patch http-parse-set-cookie.patch corrects the behavior, producing:
The patch does the following:
while true do ... end
The last two changes visually inflate the patch quite a lot but a smart diff can see through it.
Set-Cookie: c1=aaa; path=/bbb/ccc,ddd/eee
Note that this is a legitimate path. (See W3C and RFC 6265 for details.)
The current code parses the header as follows:
Patch http-parse-set-cookie-comma.patch corrects the behavior by removing special parsing of the comma from parse_set_cookie(). The parsing is not needed any more due to the function now processing only one header at a time.
Finally, I am proposing a clean-up of the parse_set_cookie() code, removing unnecessary checks like if pos <= #s and converting string function calls to object notation. See patch http-parse-set-cookie-cleanup.patch.
The patches are meant to be applied in this order:
@nnposter Would this work as an implementation of your patches? https://gist.github.com/dmiller-nmap/ab75df21dc43ee822bef
I see two modifications, compared to what I proposed:
I have no problem with the first one. It is cleaner this way. The reason why I did not do that is that in another patch earlier this year my late variable declaration was moved by the committing person to the beginning of the function. So I am struggling a bit to follow the coding culture of this project.
With respect to the second change, I swapped the function positions to address the following error:
nselib/http.lua:697: variable 'parse_set_cookie' is not declared
I am getting this error again with the latest modifications.
Great, I fixed the undeclared variable problem by declaring it local just above parse_header, then defining it later. I only moved it to minimize the diff and make the changes clearer. I'll apply this, then. Thanks for continuing to provide great feedback and excellent improvements!
Fix parsing of Set-Cookie headers. Closes #229
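The failure mode discussed in this thread, as an added standalone Lua example (not code from nselib/http.lua or from the patches): a parser that splits comma-joined Set-Cookie values breaks both sample headers from the report, while parsing one header at a time keeps the path and expires values whole. The function names parse_one, parse_joined and parse_each are hypothetical.

```lua
-- Added illustration; not code from nselib/http.lua. All names are hypothetical.
-- Constructed sample: the values of the two Set-Cookie headers quoted in the report.
local values = {
  "c1=aaa; path=/bbb/ccc,ddd/eee",
  "c2=bbb; expires=Sun, 25-Oct-2015 04:35:13 GMT",
}

-- Parse ONE Set-Cookie value; commas are ordinary characters, valueless attributes become true.
local function parse_one(value)
  local cookie, first = { attrs = {} }, true
  for part in value:gmatch("[^;]+") do
    part = part:match("^%s*(.-)%s*$")            -- trim surrounding whitespace
    local k, v = part:match("^([^=]*)=(.*)$")
    if first then
      if not k or k == "" then return nil, "missing cookie name" end
      cookie.name, cookie.value, first = k, v, false
    elseif part ~= "" then
      cookie.attrs[(k or part):lower()] = k and v or true
    end
  end
  if first then return nil, "empty header value" end
  return cookie
end

-- Fragile: fold every value into one comma-joined string, then split on ','.
local function parse_joined(vals)
  local out = {}
  for piece in table.concat(vals, ","):gmatch("[^,]+") do
    out[#out + 1] = parse_one(piece) or { name = "<not a cookie:" .. piece .. ">", attrs = {} }
  end
  return out
end

-- Robust: one header value in, at most one cookie out.
local function parse_each(vals)
  local out = {}
  for _, v in ipairs(vals) do out[#out + 1] = parse_one(v) end
  return out
end

local function show(label, cookies)
  print(label)
  for _, c in ipairs(cookies) do
    print(("  %-32s path=%s expires=%s"):format(c.name, tostring(c.attrs.path), tostring(c.attrs.expires)))
  end
end

show("split on commas:", parse_joined(values))
show("one header at a time:", parse_each(values))
```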