diff options
| author | corvid <corvid@lavabit.com> | 2010-01-13 21:43:58 +0000 |
|---|---|---|
| committer | corvid <corvid@lavabit.com> | 2010-01-13 21:43:58 +0000 |
| commit | f8afde1435b04f0b4f48993572e892c2a2a65154 (patch) | |
| tree | 7e7882837d1f6316dcdef2066c24ce29a039429d | |
| parent | 6ccd839d091c6e05c68cae7e6a9303aa05412543 (diff) | |
cookies: be more robust in rejecting IP addr partial matches
The code was already such that, even if we accepted 123.45 as a domain for
host 1.2.123.45, it wouldn't be sent back to anyone. But it would be easy
to make some small change later that would break that, so...
| -rw-r--r-- | dpi/cookies.c | 53 |
1 files changed, 28 insertions, 25 deletions
diff --git a/dpi/cookies.c b/dpi/cookies.c index 709f3be3..82075020 100644 --- a/dpi/cookies.c +++ b/dpi/cookies.c @@ -793,6 +793,31 @@ static int Cookies_cmp(const void *a, const void *b) } /* + * Is the domain an IP address? + */ +static bool_t Cookies_domain_is_ip(const char *domain) +{ + uint_t len; + + if (!domain) + return FALSE; + + len = strlen(domain); + + if (len == strspn(domain, "0123456789.")) { + MSG("an IPv4 address\n"); + return TRUE; + } + if (*domain == '[' && + (len == strspn(domain, "0123456789abcdefABCDEF:.[]"))) { + /* The precise format is shown in section 3.2.2 of rfc 3986 */ + MSG("an IPv6 address\n"); + return TRUE; + } + return FALSE; +} + +/* * Check whether url_path path-matches cookie_path * * Note different user agents apparently vary in path-matching behaviour, @@ -858,6 +883,9 @@ static bool_t Cookies_domain_matches(char *A, char *B) if (!dStrcasecmp(A, B)) return TRUE; + if (Cookies_domain_is_ip(B)) + return FALSE; + diff = strlen(A) - strlen(B); if (diff > 0) { @@ -922,31 +950,6 @@ static uint_t Cookies_internal_dots_required(const char *host) } /* - * Is the domain an IP address? - */ -static bool_t Cookies_domain_is_ip(const char *domain) -{ - uint_t len; - - if (!domain) - return FALSE; - - len = strlen(domain); - - if (len == strspn(domain, "0123456789.")) { - MSG("an IPv4 address\n"); - return TRUE; - } - if (*domain == '[' && - (len == strspn(domain, "0123456789abcdefABCDEF:.[]"))) { - /* The precise format is shown in section 3.2.2 of rfc 3986 */ - MSG("an IPv6 address\n"); - return TRUE; - } - return FALSE; -} - -/* * Validate cookies domain against some security checks. */ static bool_t Cookies_validate_domain(CookieData_t *cookie, char *host) |