hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 35225] New: - CookieSpecBase.domainMatch() leaks cookies to 3rd party domains
Date Sun, 05 Jun 2005 07:05:44 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=35225>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=35225

           Summary: CookieSpecBase.domainMatch() leaks cookies to 3rd party
                    domains
           Product: HttpClient
           Version: 3.0 RC2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Commons HttpClient
        AssignedTo: httpclient-dev@jakarta.apache.org
        ReportedBy: gojomo@archive.org


The change committed for #32833
<http://issues.apache.org/bugzilla/show_bug.cgi?id=32833> is buggy; it doesn't
match browser behavior and in fact leaks cookies to third party domains. 

To see, try the following:

CookieSpecBase cspec = new CookieSpecBase();
Cookie cookie = new Cookie(".hotmail.com","foo","bar","/",Integer.MAX_VALUE,false);
cspec.match("iwanttostealcookiesfromhotmail.com",80,"/",false,cookie);

It will return true. Testing in Firefox1.0.4 and IE6 show no such similar
leakage for similar cases. (Indeed, it'd be a headline-making privacy bug if
they were to do this.)

Those browsers do, in my limited testing, behave as desired by the filer of
#32833: a cookie of domain value '.mydomain.com' will be returned to exact host
'mydomain.com' (. However, the fix that was suggested was overbroad.

I suggest instead for CookieSpecBase.domainMatch():

    public boolean domainMatch(final String host, final String domain) {
// BUGGY: matches a '.service.com' cookie to hosts like 'enemyofservice.com'
//        return host.endsWith(domain)
//            || (domain.startsWith(".") && host.endsWith(domain.substring(1)));
// BETTER: RFC2109, plus matches a '.service.com' cookie to exact host 'service.com'
        return host.equals(domain)
            || (domain.startsWith(".") 
                    && (host.endsWith(domain)
                            || host.equals(domain.substring(1))));
    }

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-dev-help@jakarta.apache.org


Mime
View raw message