From a5c1161fb6bb2a24cebc104bc2a9b8def0a6e466 Mon Sep 17 00:00:00 2001
From: Peter Hartmann <peter.hartmann@trolltech.com>
Date: Thu, 30 Apr 2009 16:59:37 +0200
Subject: QNetworkCookieJar: do not allow cookies for domains like ".com"

the domain attribute in cookies must always contain one embedded dot,
according to RFC 2109 section 4.3.2

Reviewed-by: Thiago
Task-number: 251467
---
 src/network/access/qnetworkcookie.cpp                  |  7 +++++++
 tests/auto/qnetworkcookiejar/tst_qnetworkcookiejar.cpp | 11 +++++++++++
 2 files changed, 18 insertions(+)

diff --git a/src/network/access/qnetworkcookie.cpp b/src/network/access/qnetworkcookie.cpp
index aaa5075..82c9344 100644
--- a/src/network/access/qnetworkcookie.cpp
+++ b/src/network/access/qnetworkcookie.cpp
@@ -1197,6 +1197,13 @@ bool QNetworkCookieJar::setCookiesFromUrl(const QList<QNetworkCookie> &cookieLis
                 || isParentDomain(defaultDomain, domain))) {
                     continue;           // not accepted
             }
+
+            // reject if domain is like ".com"
+            // (i.e., reject if domain does not contain embedded dots, see RFC 2109 section 4.3.2)
+            // this is just a rudimentary check and does not cover all cases
+            if (domain.lastIndexOf(QLatin1Char('.')) == 0)
+                continue;           // not accepted
+
         }
 
         QList<QNetworkCookie>::Iterator it = d->allCookies.begin(),
diff --git a/tests/auto/qnetworkcookiejar/tst_qnetworkcookiejar.cpp b/tests/auto/qnetworkcookiejar/tst_qnetworkcookiejar.cpp
index e87a3bf..7aa1d24 100644
--- a/tests/auto/qnetworkcookiejar/tst_qnetworkcookiejar.cpp
+++ b/tests/auto/qnetworkcookiejar/tst_qnetworkcookiejar.cpp
@@ -171,6 +171,17 @@ void tst_QNetworkCookieJar::setCookiesFromUrl_data()
     result.clear();
     result += finalCookie;
     QTest::newRow("defaults-2") << preset << cookie << "http://www.foo.tld" << result << true;
+
+    // security test: do not accept cookie domains like ".com" nor ".com." (see RFC 2109 section 4.3.2)
+    result.clear();
+    preset.clear();
+    cookie.setDomain(".com");
+    QTest::newRow("rfc2109-4.3.2-ex3") << preset << cookie << "http://x.foo.com" << result << false;
+
+    result.clear();
+    preset.clear();
+    cookie.setDomain(".com.");
+    QTest::newRow("rfc2109-4.3.2-ex3-2") << preset << cookie << "http://x.foo.com" << result << false;
 }
 
 void tst_QNetworkCookieJar::setCookiesFromUrl()
-- 
cgit v0.12