authorcorvid <corvid@lavabit.com>2010-01-13 21:43:58 +0000
committercorvid <corvid@lavabit.com>2010-01-13 21:43:58 +0000
commitf8afde1435b04f0b4f48993572e892c2a2a65154 (patch)
tree7e7882837d1f6316dcdef2066c24ce29a039429d /dpi
parent6ccd839d091c6e05c68cae7e6a9303aa05412543 (diff)
cookies: be more robust in rejecting IP addr partial matches
The code was already such that, even if we accepted 123.45 as a domain for host 1.2.123.45, it wouldn't be sent back to anyone. But it would be easy to make some small change later that would break that, so...
Diffstat (limited to 'dpi')
-rw-r--r--dpi/cookies.c53
1 files changed, 28 insertions, 25 deletions
diff --git a/dpi/cookies.c b/dpi/cookies.c
index 709f3be3..82075020 100644
--- a/dpi/cookies.c
+++ b/dpi/cookies.c
@@ -793,6 +793,31 @@ static int Cookies_cmp(const void *a, const void *b)
}
/*
+ * Is the domain an IP address?
+ */
+static bool_t Cookies_domain_is_ip(const char *domain)
+{
+ uint_t len;
+
+ if (!domain)
+ return FALSE;
+
+ len = strlen(domain);
+
+ if (len == strspn(domain, "0123456789.")) {
+ MSG("an IPv4 address\n");
+ return TRUE;
+ }
+ if (*domain == '[' &&
+ (len == strspn(domain, "0123456789abcdefABCDEF:.[]"))) {
+ /* The precise format is shown in section 3.2.2 of rfc 3986 */
+ MSG("an IPv6 address\n");
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/*
* Check whether url_path path-matches cookie_path
*
* Note different user agents apparently vary in path-matching behaviour,
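Review bot: Cookies_domain_is_ip, moved here so Cookies_domain_matches can call it, is a character-class test rather than an address parser, and its header comment `Is the domain an IP address?` does not say so. Any string made only of digits and dots returns TRUE, including the empty string (strlen() and strspn() are both 0) and forms such as `1..2`. That over-matching fails closed for the call added in Cookies_domain_matches, which only uses TRUE to refuse a match, but a later caller that reads TRUE as "this is a valid address" would be misled. I would extend the comment to something like `/* Heuristic: TRUE for any digits-and-dots string or '['-led hex/colon string; use only to reject, never to validate. */`. I would also declare `len` as `size_t`, which is what strlen() and strspn() return.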
@@ -858,6 +883,9 @@ static bool_t Cookies_domain_matches(char *A, char *B)
if (!dStrcasecmp(A, B))
return TRUE;
+ if (Cookies_domain_is_ip(B))
+ return FALSE;
+
diff = strlen(A) - strlen(B);
if (diff > 0) {
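Review bot: The new guard tests only B, so an IP-literal in A (presumably the host) can still reach the suffix comparison that begins at `diff = strlen(A) - strlen(B);` whenever B does not itself look like an address. For a bracketed IPv6 host, a B that lacks the leading `[` and contains a colon or hex letter makes Cookies_domain_is_ip(B) return FALSE, so the guard does not fire. Whether the rest of Cookies_domain_matches then rejects that case is not visible, because the body continues outside the hunk. Since an exact match has already returned TRUE just above, checking both sides is safe and matches the commit's stated aim: `if (Cookies_domain_is_ip(A) || Cookies_domain_is_ip(B)) return FALSE;`.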
@@ -922,31 +950,6 @@ static uint_t Cookies_internal_dots_required(const char *host)
}
/*
- * Is the domain an IP address?
- */
-static bool_t Cookies_domain_is_ip(const char *domain)
-{
- uint_t len;
-
- if (!domain)
- return FALSE;
-
- len = strlen(domain);
-
- if (len == strspn(domain, "0123456789.")) {
- MSG("an IPv4 address\n");
- return TRUE;
- }
- if (*domain == '[' &&
- (len == strspn(domain, "0123456789abcdefABCDEF:.[]"))) {
- /* The precise format is shown in section 3.2.2 of rfc 3986 */
- MSG("an IPv6 address\n");
- return TRUE;
- }
- return FALSE;
-}
-
-/*
* Validate cookies domain against some security checks.
*/
static bool_t Cookies_validate_domain(CookieData_t *cookie, char *host)