On 12/07/2012 06:19 PM, Simo Sorce wrote:
On Fri, 2012-12-07 at 16:21 -0500, John Dennis wrote:

I'll send a revised patch with the above mentioned fixes once someone
else puts their eyeballs on the RFC, or maybe we should just remove the
check for the time being.

I think that the algorithm fails to follow the RFC when you do:
           elif url_path.endswith('/'):
               request_path = url_path[:-1]

Point 4 of the RFC doesn't say the path needs to end with a / it says
you need to take everything before the last / wherever it is.

Ie if the patch is /ipa/ui/foo then the path for the cookie is /ipa/ui
Conversely if the path is /ipa/ui/foo/ the path is /ipa/ui/foo

Basically these rules threat the last 'leaf' component as not part of
the path and are meant to remove it.

Thank you, yes you're correct. The fundamental misconception is one I've stumbled on in the past as well as many others "what is the significance of a trailing slash in a URL path component". The trailing slash is quite significant but many of us get lulled into believing it's not because of the common HTTP server behavior of performing a redirect on a path without a trailing slash to a directory of the same name. The URL's "http://example.com/foo"; and "http://example.com/foo/"; are *not* the same URL. The path in a URL is considered a directory if and only if it ends with a trailing slash.

RFC 6265 in Section "The Path Attribute" clearly states the matching is performed on *directory* components. Without a trailing slash the leaf component is not a directory and hence must be stripped.

Rob, the above is the answer to your question (and mine). "/ipa" and "/ipa/" are *not* the same and "/ipa" will not match "/ipa" as a cookie path component because "/ipa" is not a directory, the directory is "/". FWIW the cookies path attribute is defined to be a directory path and does not require the trailing slash (or so I believe).

I'll send an updated patch shortly with the above fix. I also noticed that http_return_ok() omitted the validation for the HttpOnly and Secure flags I'll add that too.

John Dennis <jden...@redhat.com>

Looking to carve out IT costs?

Freeipa-devel mailing list

Reply via email to