Package: davfs2
Version: 1.5.2-1
Severity: normal

Dear Maintainer,

Davfs2 fails to accept/parse cookies and therefore Novell drives can't
be mounted, as Novell uses session cookies.

There are 2 problems in src/webdav.c: get_cookies()

1. Cookies are only accepted for status codes 2xx and 3xx. But Novell
sends the cookie header in an "Authorization required" response with
status 4xx. According to RFC 6265:
  "User agents [...] MUST process Set-Cookie headers contained in other
  responses (including responses with 400- and 500-level status codes)."
So I think this restriction can be removed.

2. Cookies are ignored if their value ends with a `='. This is
regularly the case with Base64-encoded values.

Attached patch fixes both problems. It was created for 1.5.2, but it
also applies to 1.5.4.

Cheers,
harry

PS: I would have reported this upstream, but I'm not allowed to. 

 -- System Information:
Debian Release: jessie/sid
  APT prefers vivid-updates
  APT policy: (500, 'vivid-updates'), (500, 'vivid-security'), (500, 'vivid'), (100, 'vivid-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-64-generic (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=de_AT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages davfs2 depends on:
ii  adduser                3.113+nmu3ubuntu3
ii  debconf [debconf-2.0]  1.5.55ubuntu2
ii  libc6                  2.21-0ubuntu4
ii  libneon27              0.30.1-1

davfs2 recommends no packages.

davfs2 suggests no packages.

-- Configuration Files:
/etc/davfs2/davfs2.conf changed [not included]
/etc/davfs2/secrets [Errno 13] Permission denied: u'/etc/davfs2/secrets'

-- debconf information excluded
Index: davfs2-1.5.2/src/webdav.c
===================================================================
--- davfs2-1.5.2.orig/src/webdav.c
+++ davfs2-1.5.2/src/webdav.c
@@ -1728,14 +1728,10 @@ file_reader(void *userdata, const char *
    When a cookie with the same name as an already stored cookie, but with
    a different value is received, it's value is updated if necessary.
    Only n_cookies cookies will be stored. If the server sends more
-   different cookies these will be ignored.
-   status must be of class 2XX or 3XX, otherwise the cookie is ignored. */
+   different cookies these will be ignored. */
 static void
 get_cookies(ne_request *req, void *userdata, const ne_status *status)
 {
-    if (status->klass != 2 && status->klass != 3)
-        return;
-
     const char *cookie_hdr = ne_get_response_header(req, "Set-Cookie");
     if (!cookie_hdr)
         return;
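
Review bot: With the klass test removed, the comment above get_cookies() no longer says which responses cookies are taken from, and the status parameter is unused in the lines shown here. Suggest adding one sentence to the comment stating that Set-Cookie is processed for every status class, as RFC 6265 requires, so the restriction is not reintroduced later. If status is unused in the rest of the function as well, mark it as intentionally unused to avoid a compiler warning.
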
@@ -1758,14 +1754,13 @@ get_cookies(ne_request *req, void *userd
         while (end > start && *(end - 1) == ' ')
             end--;
 
-        if ((start + 4) > end || *start == '=' || *(end - 1) == '=')
-            continue;
-
         char *es = strchr(start, '=');
         if (!es)
             continue;
         size_t nl = es - start;
         size_t vl = end - es - 1;
+        if (nl == 0 || vl == 0)
+            continue;
 
         int i = 0;
         for (i = 0; i < n_cookies; i++) {
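
Review bot: The new "if (nl == 0 || vl == 0)" test does not cover an '=' found at or beyond end, because strchr(start, '=') scans to the terminating NUL and is not bounded by end. If the header continues past end and the first '=' lies there, "end - es - 1" is negative and wraps to a very large size_t, so vl passes the check and nl covers bytes outside the current cookie. Suggest bounding the search, for example with memchr(start, '=', end - start), or rejecting es >= end alongside the existing "if (!es)" test before nl and vl are computed.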
