On 09/11/12 16:27, Tim Ruehsen wrote:
> While implementing cookies for Mget (https://github.com/rockdaboot/mget)
> conforming to RFC 6265, I stumbled over http://publicsuffix.org/ (Mozilla
> Public Suffix List).
>
> Looking at the Wget sources reveals that there is just a very incomplete check
> for public suffixes. That implies a very severe vulnerability to "supercookie"
> attacks when cookies are switched on (they are by default).
>
> Since Mget was meant as a Wget2 candidate (all or parts of the sources), please
> feel free to copy the needed source code from it (see cookie.c/cookie.h and
> tests/test.c for test routines). Right now, I just don't have the time to do
> the work, but of course I will answer your questions.
>
> Shouldn't there be a warning within the docs / man pages?
> What do you think?
>
> Regards, Tim

I see little reason for concern about supercookies on wget given that it is unlikely to use it for different "tasks" in the same invocation, and cookies are not automatically loaded/saved across invocations. And for having a supercookie passed in the same run (e.g. one website redirected to the other), they are probably cooperating domains, so the supercookie doesn't add much information. You would need to be using --load-cookies and --save-cookies to allow such supercookie spying. The worst case is probably if the cookie file was shared with a browser, or it was taken from a browser (with many cookies unrelated to what is intended) and passed to wget with --load-cookies and wget sent more cookies than expected.

Although not too important, it should be fixed, of course. The Mozilla Public Suffix List isn't very simple for reuse; its format is designed for how they use it internally.
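
Added example, not part of the original message and not code from Wget or Mget: a sketch of the check under discussion, matching a cookie's Domain attribute against rules in publicsuffix.org syntax (plain, wildcard `*.` and exception `!`) and applying the RFC 6265 decision. The rule table is a small constructed sample, the function names are hypothetical, and inputs are assumed to be lowercase ASCII host names (no IP addresses, no IDN handling).

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample rules in publicsuffix.org syntax (not the real list). */
static const char *RULES[] = { "com", "uk", "co.uk", "*.ck", "!www.ck", NULL };
enum verdict { COOKIE_ACCEPT, COOKIE_HOST_ONLY, COOKIE_REJECT };

static int count_labels(const char *s) {
    int n = 1;
    for (; *s; s++) if (*s == '.') n++;
    return n;
}
/* Compare rule and domain label by label from the right; "*" matches any label. */
static int rule_matches(const char *rule, const char *dom) {
    const char *re = rule + strlen(rule), *de = dom + strlen(dom);
    for (;;) {
        const char *rs = re, *ds = de;
        while (rs > rule && rs[-1] != '.') rs--;
        while (ds > dom && ds[-1] != '.') ds--;
        size_t rl = (size_t)(re - rs), dl = (size_t)(de - ds);
        if (dl == 0) return 0;                     /* empty domain label */
        if (!(rl == 1 && *rs == '*') && (rl != dl || memcmp(rs, ds, rl) != 0))
            return 0;
        if (rs == rule) return 1;                  /* whole rule consumed */
        if (ds == dom) return 0;                   /* domain shorter than rule */
        re = rs - 1; de = ds - 1;
    }
}
/* Labels in the public suffix of dom; the implicit default rule is "*". */
static int suffix_labels(const char *dom) {
    int best = 1;
    for (int i = 0; RULES[i]; i++) {
        const char *r = RULES[i];
        if (r[0] == '!') {                         /* an exception rule prevails */
            if (rule_matches(r + 1, dom)) return count_labels(r + 1) - 1;
        } else if (rule_matches(r, dom) && count_labels(r) > best)
            best = count_labels(r);
    }
    return best;
}
/* Assumption: host and attr are lowercase, without leading or trailing dots. */
enum verdict check_cookie_domain(const char *host, const char *attr) {
    size_t hl = strlen(host), al = strlen(attr);
    if (suffix_labels(attr) == count_labels(attr)) /* Domain= is a public suffix */
        return strcmp(host, attr) == 0 ? COOKIE_HOST_ONLY : COOKIE_REJECT;
    if (strcmp(host, attr) == 0 ||
        (hl > al && host[hl - al - 1] == '.' && strcmp(host + hl - al, attr) == 0))
        return COOKIE_ACCEPT;                      /* host domain-matches attr */
    return COOKIE_REJECT;
}
int main(void) {  /* prints 2 (COOKIE_REJECT): a Domain=co.uk cookie is dropped */
    return printf("%d\n", check_cookie_domain("www.example.co.uk", "co.uk")) < 0;
}
```

The wildcard and exception rules are what make the list awkward to reuse: under the sample rules `foo.ck` is itself a public suffix while `www.ck` is a registrable domain.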
