Bug#834615: davfs2: Fails to parse cookies

2016-08-18 Thread Werner Baumann
Thanks for the patch. I have applied it to the CVS-repository on
Savannah.

I suggest applying this patch to the Debian package in Unstable too.

On Wed, 17 Aug 2016 17:33:01 +0200, Harald Braumann wrote:

> PS: I would have reported this upstream, but I'm not allowed to. 

Because in my experience many users create bug reports that turn out to
just be support requests, I only allowed the creation of support request
items and would move them to the bug tracker if they turned out to be
bugs.
But this seems to be confusing too. So I changed the settings, and now
everybody can create bug reports.

Werner
(Upstream maintainer)



Bug#834615: davfs2: Fails to parse cookies

2016-08-17 Thread Harald Braumann
Package: davfs2
Version: 1.5.2-1
Severity: normal

Dear Maintainer,

Davfs2 fails to accept/parse cookies and therefore Novell drives can't
be mounted, as Novell uses session cookies.

There are 2 problems in src/webdav.c: get_cookies()

1. Cookies are only accepted for status codes 2xx and 3xx. But Novell
sends the cookie header in an "Authorization required" response with
status 4xx. According to RFC 6265:
  "User agents [...] MUST process Set-Cookie headers contained in other
  responses (including responses with 400- and 500-level status codes)."
So I think this restriction can be removed.

2. Cookies are ignored if their value ends with a `=`. This is
regularly the case with Base64 encoded values.

Attached patch fixes both problems. It was created for 1.5.2, but it
also applies to 1.5.4.

Cheers,
harry

PS: I would have reported this upstream, but I'm not allowed to. 

 -- System Information:
Debian Release: jessie/sid
  APT prefers vivid-updates
  APT policy: (500, 'vivid-updates'), (500, 'vivid-security'), (500, 'vivid'), (100, 'vivid-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-64-generic (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=de_AT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages davfs2 depends on:
ii  adduser                3.113+nmu3ubuntu3
ii  debconf [debconf-2.0]  1.5.55ubuntu2
ii  libc6                  2.21-0ubuntu4
ii  libneon27              0.30.1-1

davfs2 recommends no packages.

davfs2 suggests no packages.

-- Configuration Files:
/etc/davfs2/davfs2.conf changed [not included]
/etc/davfs2/secrets [Errno 13] Permission denied: u'/etc/davfs2/secrets'

-- debconf information excluded
Index: davfs2-1.5.2/src/webdav.c
===
--- davfs2-1.5.2.orig/src/webdav.c
+++ davfs2-1.5.2/src/webdav.c
@@ -1728,14 +1728,10 @@ file_reader(void *userdata, const char *
When a cookie with the same name as an already stored cookie, but with
a different value is received, it's value is updated if necessary.
Only n_cookies cookies will be stored. If the server sends more
-   different cookies these will be ignored.
-   status must be of class 2XX or 3XX, otherwise the cookie is ignored. */
+   different cookies these will be ignored. */
 static void
 get_cookies(ne_request *req, void *userdata, const ne_status *status)
 {
-if (status->klass != 2 && status->klass != 3)
-return;
-
 const char *cookie_hdr = ne_get_response_header(req, "Set-Cookie");
 if (!cookie_hdr)
 return;
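Review bot: With the class test gone from the top of get_cookies(), the `status` parameter is no longer referenced in the lines shown, and the shortened comment no longer says which responses cookies are taken from. Please state in the comment that Set-Cookie is processed for every status class, 4xx and 5xx included, as RFC 6265 requires, and that `status` is deliberately ignored, so the restriction is not reintroduced later and an unused-parameter warning is not read as an oversight. Since cookies from pre-authentication error responses are now stored as well, the comment could also point out that the n_cookies limit it describes still bounds how many are kept.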
@@ -1758,14 +1754,13 @@ get_cookies(ne_request *req, void *userd
 while (end > start && *(end - 1) == ' ')
 end--;
 
-if ((start + 4) > end || *start == '=' || *(end - 1) == '=')
-continue;
-
 char *es = strchr(start, '=');
 if (!es)
 continue;
 size_t nl = es - start;
 size_t vl = end - es - 1;
+if (nl == 0 || vl == 0)
+continue;
 
 int i = 0;
 for (i = 0; i < n_cookies; i++) {
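Review bot: The new `nl == 0 || vl == 0` test does not cover a `=` that `strchr(start, '=')` finds at or beyond `end`. strchr() stops only at the terminating NUL, so unless the segment is terminated at `end` in code outside this hunk, `es >= end` is possible, and `size_t vl = end - es - 1` then wraps to a very large value that passes the `vl == 0` test and is used as a length below. Suggest rejecting that case before the lengths are computed, for example `if (!es || es >= end) continue;`, which also makes the bound explicit now that the `(start + 4) > end` guard has been removed.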