Allows cookies to have unrecognized attributes (see RFC 6265, Section 5.2). Fixes #866

2026-01-08 15:39:05 +00:00 · 2017-04-29 14:36:46 +00:00
parent 0b36ba5cea
commit d478199ada
2 changed files with 6 additions and 1 deletions
--- a/4
+++ b/4
@@ -24,6 +24,10 @@ o [NSE] The HTTP response object has a new member, fragment, which contains
  a partially received body (if any) when the overall request fails to
  complete. [nnposter]

+o [NSE][GH#866] NSE now allows cookies to have arbitrary attributes, which
+  are silently ignored (in accordance with RFC 6265). Unrecognized attributes
+  were previously causing HTTP requests with such cookies to fail. [nnposter]
+
 o [NSE][GH#844] NSE now correctly parses a Set-Cookie header that has unquoted
  whitespace in the cookie value (which is allowed per RFC 6265). [nnposter]

--- a/nselib/http.lua
+++ b/nselib/http.lua
@@ -318,7 +318,8 @@ local function validate_options(options)
              end
            elseif not (cookie_key == 'httponly' or cookie_key == 'secure') then
              stdnse.debug1("http: Unknown field in cookie table: %s", cookie_key)
-              bad = true
+              -- Ignore unrecognized attributes (per RFC 6265, Section 5.2)
+              -- bad = true
            end
          end
        end