On 12/07/2012 06:19 PM, Simo Sorce wrote:
On Fri, 2012-12-07 at 16:21 -0500, John Dennis wrote:
I'll send a revised patch with the above mentioned fixes once someone
else puts their eyeballs on the RFC, or maybe we should just remove the
check for the time being.
I think that the algorithm fails to follow the RFC when you do:
request_path = url_path[:-1]
Point 4 of the RFC doesn't say the path needs to end with a / it says
you need to take everything before the last / wherever it is.
Ie if the path is /ipa/ui/foo then the path for the cookie is /ipa/ui
Conversely if the path is /ipa/ui/foo/ the path is /ipa/ui/foo
Basically these rules treat the last 'leaf' component as not part of
the path and are meant to remove it.
Thank you, yes you're correct. The fundamental misconception is one I've
stumbled on in the past, as have many others: "what is the significance
of a trailing slash in a URL path component?" The trailing slash is
quite significant, but many of us get lulled into believing it's not
because of the common HTTP server behavior of performing a redirect on a
path without a trailing slash to a directory of the same name. The URLs
"http://example.com/foo" and "http://example.com/foo/" are *not* the
same URL. The path in a URL is considered a directory if and only if it
ends with a trailing slash.
RFC 6265 in Section 4.1.2.4. "The Path Attribute" clearly states the
matching is performed on *directory* components. Without a trailing
slash the leaf component is not a directory and hence must be stripped.
Rob, the above is the answer to your question (and mine). "/ipa" and
"/ipa/" are *not* the same and "/ipa" will not match "/ipa" as a cookie
path component because "/ipa" is not a directory, the directory is "/".
FWIW the cookies path attribute is defined to be a directory path and
does not require the trailing slash (or so I believe).
I'll send an updated patch shortly with the above fix. I also noticed
that http_return_ok() omitted the validation for the HttpOnly and Secure
flags; I'll add that too.
John Dennis <jden...@redhat.com>
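The default-path and path-match rules discussed in this thread, worked through as an added example. This is not FreeIPA code and not the patch under review; the function names, the request paths and the Set-Cookie header values are constructed for illustration. buggy_default_path reproduces the `url_path[:-1]` line Simo objected to so its failure on a path without a trailing slash is visible next to the RFC 6265 Section 5.1.4 algorithm; check_cookie is a sketch of the kind of Set-Cookie validation a test helper such as http_return_ok() might do, including the HttpOnly and Secure flags.

```python
"""RFC 6265 cookie path handling (added example, not FreeIPA's code).

default_path  - Section 5.1.4 default-path of a request URI path
path_match    - Section 5.1.4 path-match between request path and cookie path
check_cookie  - hypothetical Set-Cookie validator built on the two above
"""


def buggy_default_path(url_path):
    """The approach from the thread: assumes url_path ends in '/'.
    For '/ipa/ui/foo' this yields '/ipa/ui/fo', which is simply wrong."""
    return url_path[:-1]


def default_path(request_path):
    """Default-path algorithm, RFC 6265 Section 5.1.4.

    1. Empty path or path not starting with '/'  -> '/'
    2. No '/' other than the first character      -> '/'
    3. Otherwise everything up to, but not including, the rightmost '/'
       (the trailing 'leaf' component is dropped, whether or not it is a
       directory on the server).
    """
    if not request_path or not request_path.startswith("/"):
        return "/"
    last_slash = request_path.rfind("/")
    if last_slash == 0:
        return "/"
    return request_path[:last_slash]


def path_match(request_path, cookie_path):
    """Path-match, RFC 6265 Section 5.1.4.

    True when the paths are identical, or cookie_path is a prefix of
    request_path and either cookie_path ends in '/' or the first
    character of request_path after the prefix is '/'.  The last rule is
    what keeps cookie path '/ipa/ui' from matching '/ipa/uix'.
    """
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, attributes).
    Attribute names are lower-cased; flag attributes map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def check_cookie(request_path, header, require_secure=True):
    """Hypothetical validator: return a list of problems with a Set-Cookie
    header received in response to a request for request_path.  An empty
    list means the cookie is acceptable."""
    _name, _value, attrs = parse_set_cookie(header)
    problems = []
    cookie_path = attrs.get("path")
    # RFC 6265 5.2.4: an absent, empty or non-'/'-prefixed Path attribute
    # makes the user agent fall back to the default-path.
    if not isinstance(cookie_path, str) or not cookie_path.startswith("/"):
        problems.append("no usable Path attribute; user agent would use "
                        "default-path %r" % default_path(request_path))
    elif not path_match(request_path, cookie_path):
        # A cookie that does not path-match the URL that set it will never
        # be sent back to that URL by a conforming user agent.
        problems.append("Path %r does not path-match request path %r"
                        % (cookie_path, request_path))
    if attrs.get("httponly") is not True:
        problems.append("missing HttpOnly")
    if require_secure and attrs.get("secure") is not True:
        problems.append("missing Secure")
    return problems


if __name__ == "__main__":
    for p in ("/ipa/ui/foo", "/ipa/ui/foo/", "/ipa", "/ipa/"):
        print("%-14s default-path=%-12s [:-1]=%s"
              % (p, default_path(p), buggy_default_path(p)))
    # Constructed header; the session value is not a real FreeIPA cookie.
    print(check_cookie("/ipa/session/json",
                       "ipa_session=abc123; Path=/ipa; HttpOnly; Secure"))
```

Running the module prints the default-path of each sample request path beside the `[:-1]` result, which makes the "/ipa/ui/fo" mistake obvious, and then validates a constructed session cookie. Note that default_path("/ipa") is "/" while default_path("/ipa/") is "/ipa": the trailing slash changes the answer exactly as the thread describes.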
Freeipa-devel mailing list