Bug#765068: w3m: Misleading Option String for Cookies
On Fri, 17 Oct 2014 21:49:27 +0200 Markus Hiereth wrote: [...] I had a look at the code with a debugger. The w3m option field 'Domains to avoid [wrong number of dots]' expects a list of domain names, separated by comma or space. The code in question is the following from cookie.c: 322 if (version == 0) { 323 /* [NETSCAPE] rule */ 324 unsigned int n = total_dot_number(domain->ptr, 325 domain->ptr + domain->length, 326 3); 327 if (n < 2) { 328 if (! check_avoid_wrong_number_of_dots_domain(domain)) { 329 COOKIE_ERROR(COO_ESPECIAL); 330 } 331 } If n < 2 the actual matching happens in file.c:domain_match(). Note that comments in the code talk about RFC 2109 and DRAFT 12 (RFC 2965?). I don't think the code was ever updated to adjust to newer RFCs. Also note that I'm not really familiar with RFCs related to cookies. > please note the discussion thread within the mailing list of the > English translation team: > > https://lists.debian.org/debian-l10n-english/2014/10/msg00018.html > > The results are > > - It is necessary to find out what domain information is subject to > w3m's checking: The domain of the server that sends a SET-COOKIE > request and / or the domain name specified in the cookie itself. The matching happens against the domain attribute that was given in the SET-COOKIE header (Domain=). > - It is necessary to have precisely described what matching is > performed with the domain attribute of a cookie. E.g. only the > number of dots in this string or all the conditions mentioned in the > RFC. As can be seen from the code snippet above this depends on the version of the cookie. The version depends of the header name, Set-Cookie: vs Set-Cookie2: (according to Wikipedia Set-Cookie2 is deprecated and not used anymore). The check will only be performed when the number of dots in the domain name is less then 2. AFAIK RFC 6265 made the leading dot in the domain attribute optional. This means, a nowadays valid domain attribute, e.g. github.com, will be checked. Whitelisting `.github.com' will a match `domain=github.com' while whitelisting `aol.com' will not match `domain=.aol.com' (.aol.com will not be checked in the first place because it has two dots. I changed the code to debug it). Note, a domain like `https://aol.co.uk' will never be checked as is always contains at least two dots.
Bug#765068: w3m: Misleading Option String for Cookies
Hello Tatsuya, (thanks for informing me that You have passed the German po-file to the resources for Jessie). Please note with references to: https://lists.debian.org/debian-l10n-english/2014/10/msg00021.html In the course of my translation work on the man-page of w3m, I made a couple of tests and learned to know the option -reqlog w3m -reqlog URL and found out ~/.w3m/request.log as the place for the logged data and what kind of data inside. They show the HTTP communication between w3m and the web server. The file features domain name information of both sides as well as the domain string within a cookie the server tries to set on the disk of the client PC; in other words, value of its domain attribute of the cookie. See the snippet below with a SET-COOKIE request by wikipedia's server and usage of a cookie by w3m. In addition, the file that stores cookies ~/.w3m/cookie is a plain text file. It is loaded into the browser upon start and saved before EXIT. I think with this technical background information, it should be possible to unravel what domain information is subject to validation and what are in fact the criteria applied in this validation. I would appreciate if there was somebody who designs and performs the necessary tests, The findings would be valuable to improve the w3m's user documentation. Regards Markus - GET / HTTP/1.0 User-Agent: w3m/0.5.3+cvs-1.1055 Accept: text/html, text/*;q=0.5, image/*, application/*, audio/*, video/*, message/* Accept-Encoding: gzip, compress, bzip, bzip2, deflate Accept-Language: en;q=1.0 Host: de.wikipedia.org HTTP/1.1 301 Moved Permanently Server: Apache X-Content-Type-Options: nosniff Cache-control: s-maxage=1200, must-revalidate, max-age=0 Last-Modified: Sun, 19 Oct 2014 18:23:54 GMT Location: http://de.wikipedia.org/wiki/Wikipedia:Hauptseite Content-Encoding: gzip Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding,X-Forwarded-Proto,Cookie,X-Use-HHVM X-Varnish: 115743251, 3889558698 3889556238, 2750104885 2749402641 Via: 1.1 varnish, 1.1 varnish, 1.1 varnish Content-Length: 20 Accept-Ranges: bytes Date: Sun, 19 Oct 2014 18:34:39 GMT Age: 645 Connection: close X-Cache: cp1055 miss (0), amssq48 hit (25), amssq48 frontend hit (172) X-Analytics: php=zend Set-Cookie: GeoIP=DE:Schwabhausen:48.4000:11.3500:v4; Path=/; Domain=.wikipedia.org GET /wiki/Wikipedia:Hauptseite HTTP/1.0 User-Agent: w3m/0.5.3+cvs-1.1055 Accept: text/html, text/*;q=0.5, image/*, application/*, audio/*, video/*, message/* Accept-Encoding: gzip, compress, bzip, bzip2, deflate Accept-Language: en;q=1.0 Host: de.wikipedia.org Referer: http://de.wikipedia.org/ Cookie: GeoIP=DE:Schwabhausen:48.4000:11.3500:v4 Cookie2: $Version=1 HTTP/1.1 200 OK Server: Apache X-Content-Type-Options: nosniff Content-language: de X-UA-Compatible: IE=Edge Last-Modified: Sun, 19 Oct 2014 10:13:34 GMT Content-Encoding: gzip Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding,Cookie,X-Use-HHVM X-Varnish: 890659, 2301775781 2301775196, 2260380402 2231581926 Via: 1.1 varnish, 1.1 varnish, 1.1 varnish Content-Length: 14505 Accept-Ranges: bytes Date: Sun, 19 Oct 2014 18:34:40 GMT Age: 30065 Connection: close X-Cache: cp1053 miss (0), amssq46 hit (14), amssq49 frontend hit (11335) Cache-Control: private, s-maxage=0, max-age=0, must-revalidate X-Analytics: php=zend -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#765068: w3m: Misleading Option String for Cookies
On October 15, 2014 at 6:49PM +0900, tats (at debian.org) wrote: I'd like to use the Domains to ... style like other options. Instead, the English messages of the other options should be improved. If you make a patch to correct the English messages, I'll review it for merging. Thanks, -- Tatsuya Kinoshita pgpYelhgDk6M6.pgp Description: PGP signature
Bug#765068: w3m: Misleading Option String for Cookies
Package: w3m Version: 0.5.3-8 Followup-For: Bug #765068 Hello Tatsuya, please note the discussion thread within the mailing list of the English translation team: https://lists.debian.org/debian-l10n-english/2014/10/msg00018.html The results are - It is necessary to find out what domain information is subject to w3m's checking: The domain of the server that sends a SET-COOKIE request and / or the domain name specified in the cookie itself. - It is necessary to have precisely described what matching is performed with the domain attribute of a cookie. E.g. only the number of dots in this string or all the conditions mentioned in the RFC. Afterwards, the respective description in the options panel and the respective paragraph in README.cookies shall be updated. Best regards Markus -- System Information: Debian Release: 7.6 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Kernel: Linux 3.2.0-4-486 Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1) Shell: /bin/sh linked to /bin/dash Versions of packages w3m depends on: ii libc62.13-38+deb7u2 ii libgc1c2 1:7.1-9.1 ii libgpm2 1.20.4-6 ii libssl1.0.0 1.0.1e-2+deb7u11 ii libtinfo55.9-10 ii zlib1g 1:1.2.7.dfsg-13 Versions of packages w3m recommends: ii ca-certificates 20130119 Versions of packages w3m suggests: ii man-db2.6.2-1 pn menu none pn migemonone ii mime-support 3.52-1 pn w3m-elnone ii w3m-img 0.5.3-8 -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#765068: w3m: Misleading Option String for Cookies
Hi Markus, On October 13, 2014 at 11:22AM +0200, markus.hiereth (at freenet.de) wrote: #define CMT_COOKIE_AVOID_WONG_NUMBER_OF_DOTS N_(Domains to avoid [wrong number of dots]) Therefore, please consider the following msgid #define CMT_COOKIE_AVOID_WONG_NUMBER_OF_DOTS N_(Do not reject cookies having the domain attributes) How about Domains to avoid error of [wrong number of dots]? I'd like to use the Domains to ... style like other options. Any ideas? Thanks, -- Tatsuya Kinoshita pgpaGMnAtEjzF.pgp Description: PGP signature
Bug#765068: w3m: Misleading Option String for Cookies
Control: notfound -1 iapws/1.0.5-2 Control: reopen -1 Thanks, -- Tatsuya Kinoshita pgpqHCO2tAUxC.pgp Description: PGP signature
Bug#765068: w3m: Misleading Option String for Cookies
Package: w3m Version: 0.5.3-8 Severity: normal Dear Tatsuya, as German translator and after some correspondance, I'm of the opinion that source file rc.c (still true for Version 0.5.3-17, Line 207) gives misleading information: #define CMT_COOKIE_AVOID_WONG_NUMBER_OF_DOTS N_(Domains to avoid [wrong number of dots]) The msgid would be understood in a way round that the user shall type in a list of domains to be avoided, wheras README.cookies explains If the number of . in domain name is lesser than 2, it is assumed as invalid cookie (cf. RFC 2109 4.3.2), however, you can use cookie_avoid_wrong_number_of_dots to avoid this restriction. You can set this in Domains to avoid [wrong number of dots] on the Option Setting Panel. According to this paragraph, this options item makes w3m accept cookies that would be rejected otherwise. Therefore, please consider the following msgid #define CMT_COOKIE_AVOID_WONG_NUMBER_OF_DOTS N_(Do not reject cookies having the domain attributes) The README.cookies would need beeing updated the same way If the number of dots in domain name is lesser than 2, it is assumed as invalid cookie (cf. RFC 2109 4.3.2). However, you can use a configuration parameter cookie_avoid_wrong_number_of_dots In the option panel, besides Do not reject cookies having the domain attributes, the parameter takes a list of strings for the domain attribute. Cookies matching these domains are accepted though they fail the check described above. Yours sincerely Markus -- System Information: Debian Release: 7.6 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Kernel: Linux 3.2.0-4-486 Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1) Shell: /bin/sh linked to /bin/dash Versions of packages w3m depends on: ii libc62.13-38+deb7u2 ii libgc1c2 1:7.1-9.1 ii libgpm2 1.20.4-6 ii libssl1.0.0 1.0.1e-2+deb7u11 ii libtinfo55.9-10 ii zlib1g 1:1.2.7.dfsg-13 Versions of packages w3m recommends: ii ca-certificates 20130119 Versions of packages w3m suggests: ii man-db2.6.2-1 pn menu none pn migemonone ii mime-support 3.52-1 pn w3m-elnone ii w3m-img 0.5.3-8 -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org