summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPeter Hartmann <peter.hartmann@trolltech.com>2009-04-30 14:59:37 (GMT)
committerPeter Hartmann <peter.hartmann@trolltech.com>2009-05-04 14:26:09 (GMT)
commita5c1161fb6bb2a24cebc104bc2a9b8def0a6e466 (patch)
tree2f38ef2b85d0c4d2a4436e9f9660cb1c3731e3b8
parent0820be4a16f8213ba02e2a2f9fe5df4d1ec6a818 (diff)
downloadQt-a5c1161fb6bb2a24cebc104bc2a9b8def0a6e466.zip
Qt-a5c1161fb6bb2a24cebc104bc2a9b8def0a6e466.tar.gz
Qt-a5c1161fb6bb2a24cebc104bc2a9b8def0a6e466.tar.bz2
QNetworkCookieJar: do not allow cookies for domains like ".com"
the domain attribute in cookies must always contain one embedded dot, according to RFC 2109 section 4.3.2 Reviewed-by: Thiago Task-number: 251467
-rw-r--r--src/network/access/qnetworkcookie.cpp7
-rw-r--r--tests/auto/qnetworkcookiejar/tst_qnetworkcookiejar.cpp11
2 files changed, 18 insertions, 0 deletions
diff --git a/src/network/access/qnetworkcookie.cpp b/src/network/access/qnetworkcookie.cpp
index aaa5075..82c9344 100644
--- a/src/network/access/qnetworkcookie.cpp
+++ b/src/network/access/qnetworkcookie.cpp
@@ -1197,6 +1197,13 @@ bool QNetworkCookieJar::setCookiesFromUrl(const QList<QNetworkCookie> &cookieLis
|| isParentDomain(defaultDomain, domain))) {
continue; // not accepted
}
+
+ // reject if domain is like ".com"
+ // (i.e., reject if domain does not contain embedded dots, see RFC 2109 section 4.3.2)
+ // this is just a rudimentary check and does not cover all cases
+ if (domain.lastIndexOf(QLatin1Char('.')) == 0)
+ continue; // not accepted
+
}
QList<QNetworkCookie>::Iterator it = d->allCookies.begin(),
diff --git a/tests/auto/qnetworkcookiejar/tst_qnetworkcookiejar.cpp b/tests/auto/qnetworkcookiejar/tst_qnetworkcookiejar.cpp
index e87a3bf..7aa1d24 100644
--- a/tests/auto/qnetworkcookiejar/tst_qnetworkcookiejar.cpp
+++ b/tests/auto/qnetworkcookiejar/tst_qnetworkcookiejar.cpp
@@ -171,6 +171,17 @@ void tst_QNetworkCookieJar::setCookiesFromUrl_data()
result.clear();
result += finalCookie;
QTest::newRow("defaults-2") << preset << cookie << "http://www.foo.tld" << result << true;
+
+ // security test: do not accept cookie domains like ".com" nor ".com." (see RFC 2109 section 4.3.2)
+ result.clear();
+ preset.clear();
+ cookie.setDomain(".com");
+ QTest::newRow("rfc2109-4.3.2-ex3") << preset << cookie << "http://x.foo.com" << result << false;
+
+ result.clear();
+ preset.clear();
+ cookie.setDomain(".com.");
+ QTest::newRow("rfc2109-4.3.2-ex3-2") << preset << cookie << "http://x.foo.com" << result << false;
}
void tst_QNetworkCookieJar::setCookiesFromUrl()