On Fri, 17 Oct 2014 21:49:27 +0200 Markus Hiereth <markus.hier...@freenet.de> wrote: [...]
I had a look at the code with a debugger. The w3m option field 'Domains to avoid [wrong number of dots]' expects a list of domain names, separated by comma or space. The code in question is the following from cookie.c:

    if (version == 0) {
        /* [NETSCAPE] rule */
        unsigned int n = total_dot_number(domain->ptr,
                                          domain->ptr + domain->length,
                                          3);
        if (n < 2) {
            if (! check_avoid_wrong_number_of_dots_domain(domain)) {
                COOKIE_ERROR(COO_ESPECIAL);
            }
        }

If n < 2 the actual matching happens in file.c:domain_match().

Note that comments in the code talk about RFC 2109 and DRAFT 12 (RFC 2965?). I don't think the code was ever updated to adjust to newer RFCs. Also note that I'm not really familiar with RFCs related to cookies.

> please note the discussion thread within the mailing list of the
> English translation team:
>
> https://lists.debian.org/debian-l10n-english/2014/10/msg00018.html
>
> The results are
>
> - It is necessary to find out what domain information is subject to
>   w3m's checking: The domain of the server that sends a SET-COOKIE
>   request and / or the domain name specified in the cookie itself.

The matching happens against the domain attribute that was given in the SET-COOKIE header (Domain=).

> - It is necessary to have precisely described what matching is
>   performed with the domain attribute of a cookie. E.g. only the
>   number of dots in this string or all the conditions mentioned in the
>   RFC.

As can be seen from the code snippet above, this depends on the version of the cookie. The version depends on the header name, Set-Cookie: vs Set-Cookie2: (according to Wikipedia Set-Cookie2 is deprecated and not used anymore).

The check will only be performed when the number of dots in the domain name is less than 2. AFAIK RFC 6265 made the leading dot in the domain attribute optional. This means a nowadays valid domain attribute, e.g. github.com, will be checked.
Whitelisting `.github.com' will match `domain=github.com' while whitelisting `aol.com' will not match `domain=.aol.com' (.aol.com will not be checked in the first place because it has two dots. I changed the code to debug it). Note, a domain like `https://aol.co.uk' will never be checked as it always contains at least two dots.
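
A simplified C model of the check discussed in this message, added as an example; it is not w3m's code and not part of the original mail. The function names, the matching rule, the reading of the `3` as a cap on the dot count, and the sample list and attributes are assumptions chosen to reproduce the outcomes reported above.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
enum verdict { PASS_NOT_CHECKED, PASS_LISTED, REJECTED };

/* Constructed sample of the 'Domains to avoid [wrong number of dots]' list. */
static const char *const SAMPLE_LIST[] = { ".github.com", "aol.com" };

/* Count dots in s, giving up once max is reached (assumed meaning of the 3). */
static unsigned count_dots(const char *s, unsigned max)
{
    unsigned n = 0;
    for (; *s && n < max; s++)
        if (*s == '.')
            n++;
    return n;
}

/* Assumed matching rule: an entry with a leading dot matches the bare name
 * and any subdomain; an entry without one must equal the attribute. */
static int entry_matches(const char *domain, const char *entry)
{
    size_t dl = strlen(domain), el = strlen(entry);
    if (entry[0] != '.')
        return strcasecmp(domain, entry) == 0;
    if (strcasecmp(domain, entry + 1) == 0)
        return 1;
    return dl >= el && strcasecmp(domain + dl - el, entry) == 0;
}

/* Outcome of the dot rule for the Domain= attribute of a version-0 cookie. */
static enum verdict dot_rule(const char *domain)
{
    if (count_dots(domain, 3) >= 2)
        return PASS_NOT_CHECKED;          /* list is never consulted */
    for (size_t i = 0; i < sizeof SAMPLE_LIST / sizeof SAMPLE_LIST[0]; i++)
        if (entry_matches(domain, SAMPLE_LIST[i]))
            return PASS_LISTED;
    return REJECTED;                      /* COOKIE_ERROR in the excerpt */
}

int main(void)
{
    static const char *const label[] = { "not checked", "listed", "rejected" };
    const char *const attr[] = { "github.com", ".aol.com", "aol.com", "example.com", "aol.co.uk" };
    for (size_t i = 0; i < sizeof attr / sizeof attr[0]; i++)
        printf("Domain=%-12s %s\n", attr[i], label[dot_rule(attr[i])]);
    return 0;
}
```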