Bug#765068: w3m: Misleading Option String for Cookies

2023-08-09 Thread Rene Kita 
On Fri, 17 Oct 2014 21:49:27 +0200 Markus Hiereth  
wrote:
[...]

I had a look at the code with a debugger.

The w3m option field 'Domains to avoid [wrong number of dots]' expects a
list of domain names, separated by comma or space.

The code in question is the following from cookie.c:
322  if (version == 0) {
323  /* [NETSCAPE] rule */
324  unsigned int n = total_dot_number(domain->ptr,
325   domain->ptr + domain->length,
326   3);
327  if (n < 2) {
328  if (! check_avoid_wrong_number_of_dots_domain(domain)) {
329  COOKIE_ERROR(COO_ESPECIAL);
330  }
331  }

If n < 2 the actual matching happens in file.c:domain_match().

Note that comments in the code talk about RFC 2109 and DRAFT 12 (RFC
2965?). I don't think the code was ever updated to adjust to newer RFCs.
Also note that I'm not really familiar with RFCs related to cookies.

> please note the discussion thread within the mailing list of the
> English translation team:
> 
> https://lists.debian.org/debian-l10n-english/2014/10/msg00018.html
> 
> The results are
> 
> - It is necessary to find out what domain information is subject to
>   w3m's checking: The domain of the server that sends a SET-COOKIE
>   request and / or the domain name specified in the cookie itself.

The matching happens against the domain attribute that was given
in the SET-COOKIE header (Domain=).

> - It is necessary to have precisely described what matching is
>   performed with the domain attribute of a cookie. E.g. only the
>   number of dots in this string or all the conditions mentioned in the
>   RFC.

As can be seen from the code snippet above this depends on the version
of the cookie. The version depends of the header name, Set-Cookie: vs
Set-Cookie2: (according to Wikipedia Set-Cookie2 is deprecated and not
used anymore).

The check will only be performed when the number of dots in the domain
name is less then 2. AFAIK RFC 6265 made the leading dot in the domain
attribute optional. This means, a nowadays valid domain attribute, e.g.
github.com, will be checked.

Whitelisting `.github.com' will a match `domain=github.com' while
whitelisting `aol.com' will not match `domain=.aol.com' (.aol.com will
not be checked in the first place because it has two dots. I changed the
code to debug it).

Note, a domain like `https://aol.co.uk' will never be checked as is
always contains at least two dots.

Bug#765068: w3m: Misleading Option String for Cookies

2014-10-21 Thread markus . hiereth 
Hello Tatsuya,

(thanks for informing me that You have passed the German po-file to
the resources for Jessie). Please note with references to:
  https://lists.debian.org/debian-l10n-english/2014/10/msg00021.html

In the course of my translation work on the man-page of w3m, I made a
couple of tests and learned to know the option -reqlog

  w3m -reqlog URL 

and found out 

  ~/.w3m/request.log

as the place for the logged data and what kind of data inside. They
show the HTTP communication between w3m and the web server. The file
features domain name information of both sides as well as the domain
string within a cookie the server tries to set on the disk of the
client PC; in other words, value of its domain attribute of the
cookie. See the snippet below with a SET-COOKIE request by
wikipedia's server and usage of a cookie by w3m.

In addition, the file that stores cookies

  ~/.w3m/cookie

is a plain text file. It is loaded into the browser upon start and
saved before EXIT.

I think with this technical background information, it should be
possible to unravel what domain information is subject to validation
and what are in fact the criteria applied in this validation.

I would appreciate if there was somebody who designs and performs the
necessary tests, The findings would be valuable to improve the w3m's
user documentation.

Regards
Markus


-


GET / HTTP/1.0
User-Agent: w3m/0.5.3+cvs-1.1055
Accept: text/html, text/*;q=0.5, image/*, application/*, audio/*, video/*, 
message/*
Accept-Encoding: gzip, compress, bzip, bzip2, deflate
Accept-Language: en;q=1.0
Host: de.wikipedia.org

HTTP/1.1 301 Moved Permanently
Server: Apache
X-Content-Type-Options: nosniff
Cache-control: s-maxage=1200, must-revalidate, max-age=0
Last-Modified: Sun, 19 Oct 2014 18:23:54 GMT
Location: http://de.wikipedia.org/wiki/Wikipedia:Hauptseite
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding,X-Forwarded-Proto,Cookie,X-Use-HHVM
X-Varnish: 115743251, 3889558698 3889556238, 2750104885 2749402641
Via: 1.1 varnish, 1.1 varnish, 1.1 varnish
Content-Length: 20
Accept-Ranges: bytes
Date: Sun, 19 Oct 2014 18:34:39 GMT
Age: 645
Connection: close
X-Cache: cp1055 miss (0), amssq48 hit (25), amssq48 frontend hit (172)
X-Analytics: php=zend
Set-Cookie: GeoIP=DE:Schwabhausen:48.4000:11.3500:v4; Path=/; 
Domain=.wikipedia.org

GET /wiki/Wikipedia:Hauptseite HTTP/1.0
User-Agent: w3m/0.5.3+cvs-1.1055
Accept: text/html, text/*;q=0.5, image/*, application/*, audio/*, video/*, 
message/*
Accept-Encoding: gzip, compress, bzip, bzip2, deflate
Accept-Language: en;q=1.0
Host: de.wikipedia.org
Referer: http://de.wikipedia.org/
Cookie: GeoIP=DE:Schwabhausen:48.4000:11.3500:v4
Cookie2: $Version=1

HTTP/1.1 200 OK
Server: Apache
X-Content-Type-Options: nosniff
Content-language: de
X-UA-Compatible: IE=Edge
Last-Modified: Sun, 19 Oct 2014 10:13:34 GMT
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding,Cookie,X-Use-HHVM
X-Varnish: 890659, 2301775781 2301775196, 2260380402 2231581926
Via: 1.1 varnish, 1.1 varnish, 1.1 varnish
Content-Length: 14505
Accept-Ranges: bytes
Date: Sun, 19 Oct 2014 18:34:40 GMT
Age: 30065
Connection: close
X-Cache: cp1053 miss (0), amssq46 hit (14), amssq49 frontend hit (11335)
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Analytics: php=zend


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#765068: w3m: Misleading Option String for Cookies

2014-10-17 Thread Tatsuya Kinoshita 
On October 15, 2014 at 6:49PM +0900, tats (at debian.org) wrote:
 I'd like to use the Domains to ... style like other options.

Instead, the English messages of the other options should be improved.

If you make a patch to correct the English messages, I'll review it
for merging.

Thanks,
--
Tatsuya Kinoshita


pgpYelhgDk6M6.pgp
Description: PGP signature

Bug#765068: w3m: Misleading Option String for Cookies

2014-10-17 Thread Markus Hiereth 
Package: w3m
Version: 0.5.3-8
Followup-For: Bug #765068

Hello Tatsuya,

please note the discussion thread within the mailing list of the
English translation team:

https://lists.debian.org/debian-l10n-english/2014/10/msg00018.html

The results are

- It is necessary to find out what domain information is subject to
  w3m's checking: The domain of the server that sends a SET-COOKIE
  request and / or the domain name specified in the cookie itself.

- It is necessary to have precisely described what matching is
  performed with the domain attribute of a cookie. E.g. only the
  number of dots in this string or all the conditions mentioned in the
  RFC.

Afterwards, the respective description in the options panel and the
respective paragraph in README.cookies shall be updated.

Best regards
Markus


-- System Information:
Debian Release: 7.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-486
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages w3m depends on:
ii  libc62.13-38+deb7u2
ii  libgc1c2 1:7.1-9.1
ii  libgpm2  1.20.4-6
ii  libssl1.0.0  1.0.1e-2+deb7u11
ii  libtinfo55.9-10
ii  zlib1g   1:1.2.7.dfsg-13

Versions of packages w3m recommends:
ii  ca-certificates  20130119

Versions of packages w3m suggests:
ii  man-db2.6.2-1
pn  menu  none
pn  migemonone
ii  mime-support  3.52-1
pn  w3m-elnone
ii  w3m-img   0.5.3-8

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#765068: w3m: Misleading Option String for Cookies

2014-10-15 Thread Tatsuya Kinoshita 
Hi Markus,

On October 13, 2014 at 11:22AM +0200, markus.hiereth (at freenet.de) wrote:
 #define CMT_COOKIE_AVOID_WONG_NUMBER_OF_DOTS N_(Domains to avoid [wrong 
 number of dots])
 Therefore, please consider the following msgid
 #define CMT_COOKIE_AVOID_WONG_NUMBER_OF_DOTS N_(Do not reject cookies having 
 the domain attributes)

How about Domains to avoid error of [wrong number of dots]?

I'd like to use the Domains to ... style like other options.

Any ideas?

Thanks,
--
Tatsuya Kinoshita


pgpaGMnAtEjzF.pgp
Description: PGP signature

Bug#765068: w3m: Misleading Option String for Cookies

2014-10-15 Thread Tatsuya Kinoshita 
Control: notfound -1 iapws/1.0.5-2
Control: reopen -1

Thanks,
--
Tatsuya Kinoshita


pgpqHCO2tAUxC.pgp
Description: PGP signature

Bug#765068: w3m: Misleading Option String for Cookies

2014-10-13 Thread Markus Hiereth 
Package: w3m
Version: 0.5.3-8
Severity: normal

Dear Tatsuya,

as German translator and after some correspondance, I'm of the opinion
that source file rc.c (still true for Version 0.5.3-17, Line 207)
gives misleading information:

#define CMT_COOKIE_AVOID_WONG_NUMBER_OF_DOTS N_(Domains to avoid [wrong number 
of dots])

The msgid would be understood in a way round that the user shall type
in a list of domains to be avoided, wheras README.cookies explains

  If the number of . in domain name is lesser than 2, it is assumed
  as invalid cookie (cf. RFC 2109 4.3.2), however, you can use
  cookie_avoid_wrong_number_of_dots to avoid this restriction. You can
  set this in Domains to avoid [wrong number of dots] on the Option
  Setting Panel.

According to this paragraph, this options item makes w3m accept
cookies that would be rejected otherwise.

Therefore, please consider the following msgid

#define CMT_COOKIE_AVOID_WONG_NUMBER_OF_DOTS N_(Do not reject cookies having 
the domain attributes)


The README.cookies would need beeing updated the same way

  If the number of dots in domain name is lesser than 2, it is assumed
  as invalid cookie (cf. RFC 2109 4.3.2). However, you can use a
  configuration parameter cookie_avoid_wrong_number_of_dots In the
  option panel, besides Do not reject cookies having the domain
  attributes, the parameter takes a list of strings for the domain
  attribute. Cookies matching these domains are accepted though they
  fail the check described above.

Yours sincerely
Markus



-- System Information:
Debian Release: 7.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-486
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages w3m depends on:
ii  libc62.13-38+deb7u2
ii  libgc1c2 1:7.1-9.1
ii  libgpm2  1.20.4-6
ii  libssl1.0.0  1.0.1e-2+deb7u11
ii  libtinfo55.9-10
ii  zlib1g   1:1.2.7.dfsg-13

Versions of packages w3m recommends:
ii  ca-certificates  20130119

Versions of packages w3m suggests:
ii  man-db2.6.2-1
pn  menu  none
pn  migemonone
ii  mime-support  3.52-1
pn  w3m-elnone
ii  w3m-img   0.5.3-8

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org