This makes Netsurf work, and also means that we're not being stricter
in what we accept than what we send!
/*
* This file is part of DisOrder
/*
* This file is part of DisOrder
- * Copyright (C) 2005, 2007 Richard Kettlewell
+ * Copyright (C) 2005, 2007, 2008 Richard Kettlewell
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
+/** @brief Match cookie separator characters
+ *
+ * This is a subset of the RFC2616 specials, and technically is in breach of
+ * the specification. However rejecting (in particular) slashes is
+ * unreasonably strict and has broken at least one (admittedly somewhat
+ * obscure) browser, so we're more forgiving.
+ */
+static int cookie_separator(int c) {
+ switch(c) {
+ case '(':
+ case ')':
+ case ',':
+ case ';':
+ case '=':
+ case ' ':
+ case '"':
+ case '\t':
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+
/** @brief Parse a RFC2109 Cookie: header
* @param s Header field value
* @param cd Where to store result
/** @brief Parse a RFC2109 Cookie: header
* @param s Header field value
* @param cd Where to store result
s = skipwhite(s, 0);
continue;
}
s = skipwhite(s, 0);
continue;
}
- if(!(s = parsetoken(s, &n, mime_http_separator)))
+ if(!(s = parsetoken(s, &n, cookie_separator))) {
+ error(0, "parse_cookie: cannot parse attribute name");
+ if(*s++ != '=') {
+ error(0, "parse_cookie: did not find expected '='");
- if(!(s = mime_parse_word(s, &v, mime_http_separator)))
+ if(!(s = mime_parse_word(s, &v, cookie_separator))) {
+ error(0, "parse_cookie: cannot parse value for '%s'", n);
if(n[0] == '$') {
/* Some bit of meta-information */
if(!strcmp(n, "$Version"))
if(n[0] == '$') {
/* Some bit of meta-information */
if(!strcmp(n, "$Version"))
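Review bot: The doc comment on cookie_separator() should list exactly which RFC 2616 separators are no longer treated as separators, because that list is the security-relevant part of this change. Besides `/`, the switch also omits `<`, `>`, `@`, `:`, `\`, `[`, `]`, `?`, `{` and `}`, so all of these can now appear in the unquoted names and values that parse_cookie() hands back, and callers must keep treating those strings as opaque untrusted data. I would add that list to the comment together with `@param c Character to test` and `@return Non-zero if c is a separator, 0 otherwise`, matching the `@param` style already used for parse_cookie(). Whether parsetoken() and mime_parse_word() reject control characters independently of this callback is not visible here and is worth confirming; the body of parse_cookie() is only partly shown.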
}
if(best_cookie != -1)
login_cookie = cd.cookies[best_cookie].value;
}
if(best_cookie != -1)
login_cookie = cd.cookies[best_cookie].value;
+ } else
+ error(0, "could not parse cookie field '%s'", cookie_env);
}
disorder_cgi_login(&s, &output);
disorder_cgi(&output, &s);
}
disorder_cgi_login(&s, &output);
disorder_cgi(&output, &s);
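Review bot: The new `error(0, "could not parse cookie field '%s'", cookie_env);` writes the whole client-supplied cookie string to the error log, which presumably is the raw Cookie header. A header that fails to parse because of one malformed cookie can still carry a valid login cookie, so the credential lands in the log, and the bytes are unbounded in length and not escaped, so a client can put control characters or newlines into log lines. I would log without the value, e.g. `error(0, "could not parse cookie field (%zu bytes)", strlen(cookie_env));`, or pass it through a length-capped, non-printable-escaping helper if the project has one. The related `error(0, "parse_cookie: cannot parse value for '%s'", n);` in parse_cookie() echoes client data too, though only an already-tokenised name. The enclosing function starts and ends outside the lines shown.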
* cause the browser to expose the cookie to other CGI programs on the same
* web server. */
dynstr_append_string(d, ";Version=1;Path=");
* cause the browser to expose the cookie to other CGI programs on the same
* web server. */
dynstr_append_string(d, ";Version=1;Path=");
+ /* Formally we are supposed to quote the path, since it invariably has a
+ * slash in it. However Safari does not parse quoted paths correctly, so
+ * this won't work. Fortunately nothing else seems to care about proper
+ * quoting of paths, so in practice we get with it. (See also
+ * parse_cookie() where we are liberal about cookie paths on the way back
+ * in.) */
dynstr_append_string(d, u.path);
}
dynstr_terminate(d);
dynstr_append_string(d, u.path);
}
dynstr_terminate(d);
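Review bot: With quoting deliberately dropped, `dynstr_append_string(d, u.path);` puts the path into the cookie header verbatim, and nothing in the visible lines rejects `;`, `,`, whitespace or CR/LF in it. Where `u.path` comes from is not shown; if it is derived from the configured URL the risk is low, but the new comment should state that assumption, for example `/* u.path comes from the configured base URL and must not contain ';', ',' or control characters */`, or the value should be checked when the URL is parsed. The comment also has a slip: "in practice we get with it" should read "in practice we get away with it". The enclosing function starts before and continues past these lines.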