Hello list,

The current version of Drakma contains a check of cookie domains'
validity.  A (textual) domain is considered to be valid iff either it
contains a dot or is exactly "localhost".  I'm sure there is a reason
for this (perhaps some part of a relevant RFC?), but I got bitten by
it in a real-world scenario.  I was using Drakma for testing of a
Java EE-based web application at my company, accessible at the internal
address "http://someserver:9090/gui/app".  The relevant headers returned
are:

DRAKMA> (http-request "http://someserver:9090/gui/app")
==> 
"blah blah blah, some HTML"
200
((:X-POWERED-BY . "Servlet/2.5")
 (:SERVER . "Sun Java System Application Server 9.1")
 (:SET-COOKIE . "JSESSIONID=41165991cdf70add1d9e0a103cfc; Path=/gui")
 (:CONTENT-TYPE . "text/html;charset=UTF-8")
 (:DATE . "Tue, 15 Jul 2008 00:14:24 GMT") (:CONNECTION . "close"))
#<URI http://someserver:9090/gui/app>
#<FLEXI-STREAMS::FLEXI-UTF-8-IO-STREAM {BB78A59}>
T
"OK"

and if I pass a cookie jar to such HTTP-REQUEST, the returned cookie is
not included in the jar due to the checking machinery.  FWIW, Firefox 3
does include it (and so the app works on Firefox 3, but fails the
Drakma tests).

I quickly hacked up a patch (attached) to Drakma which adds a special
variable *ALLOW-DOTLESS-COOKIE-DOMAINS-P*, which, when set to non-NIL,
causes domains like SOMESERVER to be accepted.

Might it be useful to include in the official distribution?

Best regards,
-- 
Daniel Janus     <[EMAIL PROTECTED]>
Quality Assurance Specialist, SENTIVISION
Mb: +48 501 180 396 | Ph: +48 22 640 0860
diff -urN drakma-0.11.5-orig/cookies.lisp drakma-0.11.5/cookies.lisp
--- drakma-0.11.5-orig/cookies.lisp	2008-01-14 02:57:01.000000000 +0100
+++ drakma-0.11.5/cookies.lisp	2008-07-14 18:09:28.000000000 +0200
@@ -84,6 +84,10 @@
               name (and (plusp (length value)) value)
               (and expires (render-cookie-date expires))
               path domain securep http-only-p))))
+
+(defvar *allow-dotless-cookie-domains-p* nil
+  "When non-NIL, cookie domains containing no dots are considered 
+valid.")
               
 (defun normalize-cookie-domain (domain)
   "Adds a dot at the beginning of the string DOMAIN unless there
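Review bot: the docstring on the new defvar *allow-dotless-cookie-domains-p* does not tell a caller what protection is given up when the variable is set. It should say that NIL (the default) keeps the existing dot-count check and that a non-NIL value is meant for hosts the caller trusts, such as single-label intranet names. The first docstring line also ends in a trailing space after "considered", which is worth dropping before this is applied.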
@@ -93,8 +97,10 @@
 
 (defun valid-cookie-domain-p (domain)
   "Checks if the string DOMAIN contains enough dots to be
-acceptable."
-  (or (string-equal domain "localhost")
+acceptable.  If *ALLOW-DOTLESS-COOKIE-DOMAINS-P* is non-NIL,
+every domain name is considered acceptable."
+  (or *allow-dotless-cookie-domains-p*
+      (string-equal domain "localhost")
       (> (count #\. (normalize-cookie-domain domain) :test #'char=) 1)))
 
 (defun cookie-domain-matches (domain uri)
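Review bot: placing *allow-dotless-cookie-domains-p* as the first branch of the OR in valid-cookie-domain-p short-circuits the whole check, so with the flag set the function returns true for any string at all, including an empty one or a bare suffix such as ".com", not only for single-label hosts like "someserver". That is broader than the variable name promises, and it leaves any protection against overly wide Domain attributes to code that is not visible in this hunk. A narrower test would keep the dot count for everything else and accept a dotless value only when it is non-empty and string-equal to the host of the request URI, which covers the reported case while still rejecting a response that names a domain other than the one contacted. That needs the URI (or its host) passed in alongside DOMAIN.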
diff -urN drakma-0.11.5-orig/packages.lisp drakma-0.11.5/packages.lisp
--- drakma-0.11.5-orig/packages.lisp	2008-01-14 02:57:01.000000000 +0100
+++ drakma-0.11.5/packages.lisp	2008-07-14 18:11:46.000000000 +0200
@@ -33,7 +33,8 @@
   (:use :cl :puri :flexi-streams :chunga)
   ;; the variable defined in the ASDF system definition
   (:import-from :drakma-asd :*drakma-version-string*)
-  (:export :*body-format-function*
+  (:export :*allow-dotless-cookie-domains-p*
+           :*body-format-function*
            :*drakma-default-external-format*
            :*header-stream*
            :*ignore-unparseable-cookie-dates-p*
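Review bot: exporting :*allow-dotless-cookie-domains-p* makes it part of the public interface, but the patch as posted touches only cookies.lisp and packages.lisp, so the only description a user gets is the two-line docstring. Since the switch relaxes a cookie acceptance check, it should come with a user-facing documentation entry stating the default and when setting it is appropriate. The alphabetical placement in the export list is fine.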
_______________________________________________
drakma-devel mailing list
drakma-devel@common-lisp.net
http://common-lisp.net/cgi-bin/mailman/listinfo/drakma-devel
