changeset 1517:773b44547931

cookies: be more robust in rejecting IP addr partial matches The code was already such that, even if we accepted 123.45 as a domain for host 1.2.123.45, it wouldn't be sent back to anyone. But it would be easy to make some small change later that would break that, so...
author corvid <corvid@lavabit.com>
date Wed, 13 Jan 2010 21:43:58 +0000
parents a40980e3eec7
children deccee022a42
files dpi/cookies.c
diffstat 1 files changed, 28 insertions(+), 25 deletions(-) [+]
line wrap: on
line diff
--- a/dpi/cookies.c	Wed Jan 13 20:28:16 2010 +0000
+++ b/dpi/cookies.c	Wed Jan 13 21:43:58 2010 +0000
@@ -793,6 +793,31 @@
 }
 
 /*
+ * Is the domain an IP address?
+ */
+static bool_t Cookies_domain_is_ip(const char *domain)
+{
+   uint_t len;
+
+   if (!domain)
+      return FALSE;
+
+   len = strlen(domain);
+
+   if (len == strspn(domain, "0123456789.")) {
+      MSG("an IPv4 address\n");
+      return TRUE;
+   }
+   if (*domain == '[' &&
+       (len == strspn(domain, "0123456789abcdefABCDEF:.[]"))) {
+      /* The precise format is shown in section 3.2.2 of rfc 3986 */
+      MSG("an IPv6 address\n");
+      return TRUE;
+   }
+   return FALSE;
+}
+
+/*
  * Check whether url_path path-matches cookie_path
  *
  * Note different user agents apparently vary in path-matching behaviour,
@@ -858,6 +883,9 @@
    if (!dStrcasecmp(A, B))
       return TRUE;
 
+   if (Cookies_domain_is_ip(B))
+      return FALSE;
+
    diff = strlen(A) - strlen(B);
 
    if (diff > 0) {
@@ -922,31 +950,6 @@
 }
 
 /*
- * Is the domain an IP address?
- */
-static bool_t Cookies_domain_is_ip(const char *domain)
-{
-   uint_t len;
-
-   if (!domain)
-      return FALSE;
-
-   len = strlen(domain);
-
-   if (len == strspn(domain, "0123456789.")) {
-      MSG("an IPv4 address\n");
-      return TRUE;
-   }
-   if (*domain == '[' &&
-       (len == strspn(domain, "0123456789abcdefABCDEF:.[]"))) {
-      /* The precise format is shown in section 3.2.2 of rfc 3986 */
-      MSG("an IPv6 address\n");
-      return TRUE;
-   }
-   return FALSE;
-}
-
-/*
  * Validate cookies domain against some security checks.
  */
 static bool_t Cookies_validate_domain(CookieData_t *cookie, char *host)