New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unknown cookie attributes should be ignored #866

Closed
nnposter opened this Issue Apr 24, 2017 · 2 comments

Comments

Projects
None yet
2 participants
@nnposter

nnposter commented Apr 24, 2017

Function validate_options() in http.lua currently rejects cookies with unrecognized attributes. Per RFC 6265, Section 5.2 such attributes should be ignored:

  1. Process the attribute-name and attribute-value according to the requirements in the following subsections. (Notice that attributes with unrecognized attribute-names are ignored.)

The current behavior has real-world impact. As an example, Digi devices set cookies with attribute version:

Set-Cookie: SID=c98fefa3ad659caa20b89582419bb14f; Max-Age=1200; Version=1

The following trivial patch remediates the issue:

--- a/nselib/http.lua
+++ b/nselib/http.lua
@@ -302,7 +302,8 @@
               end
             elseif not (cookie_key == 'httponly' or cookie_key == 'secure') then
               stdnse.debug1("http: Unknown field in cookie table: %s", cookie_key)
-              bad = true
+              -- Ignore unrecognized attributes (per RFC 6265, Section 5.2)
+              -- bad = true
             end
           end
         end

Please let me know if you have any questions or concerns. Otherwise I will commit the patch in a few weeks.

@dmiller-nmap

This comment has been minimized.

Show comment
Hide comment
@dmiller-nmap

dmiller-nmap Apr 27, 2017

Sounds fine to me. The raw header is still available in the rawheader field, so no info is lost.

dmiller-nmap commented Apr 27, 2017

Sounds fine to me. The raw header is still available in the rawheader field, so no info is lost.

@nnposter

This comment has been minimized.

Show comment
Hide comment
@nnposter

nnposter Apr 27, 2017

Actually the changed code preserves unknown attributes in the cookie object. There is no reason to inspect rawheader.

What the changed code does is to allow cookies acquired from previous response to be passed as-is (in the options parameter) to the next request. (Before this change the next request would error out because of the unrecognized cookie attribute.)

nnposter commented Apr 27, 2017

Actually the changed code preserves unknown attributes in the cookie object. There is no reason to inspect rawheader.

What the changed code does is to allow cookies acquired from previous response to be passed as-is (in the options parameter) to the next request. (Before this change the next request would error out because of the unrecognized cookie attribute.)

@nmap-bot nmap-bot closed this in d478199 Apr 29, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment