Unknown cookie attributes should be ignored #866
The current behavior has real-world impact. As an example, Digi devices set cookies with attribute
The following trivial patch remediates the issue:
--- a/nselib/http.lua +++ b/nselib/http.lua @@ -302,7 +302,8 @@ end elseif not (cookie_key == 'httponly' or cookie_key == 'secure') then stdnse.debug1("http: Unknown field in cookie table: %s", cookie_key) - bad = true + -- Ignore unrecognized attributes (per RFC 6265, Section 5.2) + -- bad = true end end end
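Review bot: The commented-out `-- bad = true` in the `elseif not (cookie_key == 'httponly' or cookie_key == 'secure')` branch is dead code; delete the line outright and keep only the comment citing RFC 6265, Section 5.2. With the assignment disabled, the branch does nothing except log, so the `stdnse.debug1` text "Unknown field in cookie table" still fires for attributes that are now accepted; reword it to say the attribute is being ignored, or move it to a more verbose debug level, so that it does not read as a validation failure.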
Please let me know if you have any questions or concerns. Otherwise I will commit the patch in a few weeks.
Actually the changed code preserves unknown attributes in the cookie object. There is no reason to inspect
What the changed code does is to allow