зеркало из https://github.com/mozilla/pjs.git
bug 155114, cookie stealing based on path, r=mstoltz, sr=jst
Родитель
6d31746b07
Коммит
c5551cec2d
|
@ -666,6 +666,33 @@ cookie_IsInDomain(char* domain, char* host, int hostLength) {
|
|||
return PR_FALSE;
|
||||
}
|
||||
|
||||
static PRBool
|
||||
cookie_pathOK(const char* cookiePath, const char* currentPath) {
|
||||
if (!cookiePath || !currentPath) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
|
||||
// determine length of each, excluding trailing slash if present
|
||||
int cookiePathLen = PL_strlen(cookiePath);
|
||||
int currentPathLen = PL_strlen(currentPath);
|
||||
if (cookiePathLen && cookiePath[cookiePathLen-1] == '/') {
|
||||
cookiePathLen--;
|
||||
}
|
||||
if (currentPathLen && currentPath[currentPathLen-1] == '/') {
|
||||
currentPathLen--;
|
||||
}
|
||||
|
||||
// test for equality case
|
||||
if (currentPathLen == cookiePathLen &&
|
||||
!PL_strncmp(currentPath, cookiePath, currentPathLen)) {
|
||||
return PR_TRUE;
|
||||
}
|
||||
|
||||
// test for subpath case
|
||||
return (currentPathLen > cookiePathLen && (currentPath[cookiePathLen] == '/') &&
|
||||
!PL_strncmp(currentPath, cookiePath, cookiePathLen));
|
||||
}
|
||||
|
||||
/* returns PR_TRUE if authorization is required
|
||||
**
|
||||
**
|
||||
|
@ -739,8 +766,8 @@ COOKIE_GetCookie(char * address, nsIIOService* ioService) {
|
|||
continue;
|
||||
}
|
||||
|
||||
/* shorter strings always come last so there can be no ambiquity */
|
||||
if(cookie_s->path && !PL_strncmp(path.get(), cookie_s->path, PL_strlen(cookie_s->path))) {
|
||||
/* shorter path strings always come last so there can be no ambiquity */
|
||||
if(cookie_pathOK(cookie_s->path, path.get())) {
|
||||
|
||||
/* if the cookie is secure and the path isn't, dont send it */
|
||||
if (cookie_s->isSecure & !isSecure) {
|
||||
|
@ -1271,19 +1298,29 @@ cookie_SetCookieString(char * curURL, nsIPrompt *aPrompter, const char * setCook
|
|||
PR_Free(domain_from_header);
|
||||
}
|
||||
}
|
||||
|
||||
/* Strip down everything after the last slash to get the path,
|
||||
* ignoring slashes in the query string part.
|
||||
*/
|
||||
char * iter = PL_strchr(cur_path.get(), '?');
|
||||
if(iter) {
|
||||
*iter = '\0';
|
||||
}
|
||||
iter = PL_strrchr(cur_path.get(), '/');
|
||||
if(iter) {
|
||||
*iter = '\0';
|
||||
}
|
||||
|
||||
/* set path if none found in header, else verify that host has authority for indicated path */
|
||||
if(!path_from_header) {
|
||||
/* Strip down everything after the last slash to get the path,
|
||||
* ignoring slashes in the query string part.
|
||||
*/
|
||||
char * iter = PL_strchr(cur_path.get(), '?');
|
||||
if(iter) {
|
||||
*iter = '\0';
|
||||
}
|
||||
iter = PL_strrchr(cur_path.get(), '/');
|
||||
if(iter) {
|
||||
*iter = '\0';
|
||||
}
|
||||
path_from_header = nsCRT::strdup(cur_path.get());
|
||||
} else {
|
||||
if(!cookie_pathOK(path_from_header, cur_path.get())) {
|
||||
PR_FREEIF(path_from_header);
|
||||
PR_FREEIF(host_from_header);
|
||||
nsCRT::free(setCookieHeaderInternal);
|
||||
return;
|
||||
}
|
||||
}
|
||||
if(!host_from_header) {
|
||||
host_from_header = nsCRT::strdup(cur_host.get());
|
||||
|
|
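Review bot: In the cookie_SetCookieString hunk, `cookie_pathOK(path_from_header, cur_path.get())` runs after cur_path has been cut at the `?` and again at its last `/`, so a Set-Cookie whose Path names the requesting document itself (Path `/dir/page.html` sent from `/dir/page.html`) is now rejected together with the over-broad paths. If that is intended, the comment above the check should say so; if not, strip only the query string before the comparison and take the directory part afterwards for the default-path case. cookie_pathOK compares raw bytes on a `/` boundary and does no decoding or dot-segment handling, and it now gates both the send side in COOKIE_GetCookie and the set side here, so it deserves a header comment such as `/* PR_TRUE iff currentPath equals cookiePath or lies below it on a '/' boundary; callers must pass already-normalized paths */`. The rejection branch frees path_from_header, host_from_header and setCookieHeaderInternal before `return`, but cookie_SetCookieString starts and ends outside the hunk, so it is worth confirming that nothing else allocated earlier is still live at that point and that `PR_FREEIF` matches the allocator used for path_from_header.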