You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Function validate_options() in http.lua currently rejects cookies with unrecognized attributes. Per RFC 6265, Section 5.2 such attributes should be ignored:
Process the attribute-name and attribute-value according to the requirements in the following subsections. (Notice that attributes with unrecognized attribute-names are ignored.)
The current behavior has real-world impact. As an example, Digi devices set cookies with attribute version:
--- a/nselib/http.lua+++ b/nselib/http.lua@@ -302,7 +302,8 @@
end
elseif not (cookie_key == 'httponly' or cookie_key == 'secure') then
stdnse.debug1("http: Unknown field in cookie table: %s", cookie_key)
- bad = true+ -- Ignore unrecognized attributes (per RFC 6265, Section 5.2)+ -- bad = true
end
end
end
Please let me know if you have any questions or concerns. Otherwise I will commit the patch in a few weeks.
The text was updated successfully, but these errors were encountered:
Actually the changed code preserves unknown attributes in the cookie object. There is no reason to inspect rawheader.
What the changed code does is to allowcookies acquired from previous response to be passed as-is (in the options parameter) to the next request. (Before this change the next request would error out because of the unrecognized cookie attribute.)
Function validate_options() in
http.lua
currently rejects cookies with unrecognized attributes. Per RFC 6265, Section 5.2 such attributes should be ignored:The current behavior has real-world impact. As an example, Digi devices set cookies with attribute
version
:The following trivial patch remediates the issue:
Please let me know if you have any questions or concerns. Otherwise I will commit the patch in a few weeks.
The text was updated successfully, but these errors were encountered: