Unknown cookie attributes should be ignored #866
The current behavior has real-world impact. As an example, Digi devices set cookies with attribute
The following trivial patch remediates the issue:
--- a/nselib/http.lua +++ b/nselib/http.lua @@ -302,7 +302,8 @@ end elseif not (cookie_key == 'httponly' or cookie_key == 'secure') then stdnse.debug1("http: Unknown field in cookie table: %s", cookie_key) - bad = true + -- Ignore unrecognized attributes (per RFC 6265, Section 5.2) + -- bad = true end end end
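Review bot: In the `elseif not (cookie_key == 'httponly' or cookie_key == 'secure')` branch, the old assignment is left behind as commented-out code (`-- bad = true`); delete the line outright and keep only the RFC 6265, Section 5.2 comment, so that nobody later uncomments it and brings back the rejection of cookies that carry unrecognized attributes. With the assignment gone, this branch only emits the `stdnse.debug1` message, so consider rewording "Unknown field in cookie table: %s" to say that the attribute is being ignored, which makes the debug output match the new behaviour.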
Please let me know if you have any questions or concerns. Otherwise I will commit the patch in a few weeks.
Actually the changed code preserves unknown attributes in the cookie object. There is no reason to inspect
What the changed code does is to allow