author | Mårten Nordheim <marten.nordheim@qt.io> | 2017-12-14 11:49:19 +0100 |
---|---|---|
committer | Mårten Nordheim <marten.nordheim@qt.io> | 2018-04-30 11:18:43 +0000 |
commit | 51e14787d5c31a6397dbc43a134397f9bec8c6b3 (patch) | |
tree | 9a249b8a3ca7006c6a1339b577657fd4431102a7 | |
parent | 2677ad78e6a283734aef733581a4ae07f7294ec8 (diff) |
Stop rejecting cookies which have a domain that matches a TLD
... but only if the host it came from is an EXACT match. Also only apply
the cookie if the url is an EXACT match.
[ChangeLog][QtNetwork][QNetworkCookieJar] Cookies will no longer be
rejected when the domain matches a TLD. However (to avoid problems
with TLDs), such cookies are only accepted, or sent, when the host name
matches exactly.
Task-number: QTBUG-52040
Change-Id: Ic2ebd9211c48891beb669032591234b57713c31d
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
-rw-r--r-- | src/network/access/qnetworkcookiejar.cpp | 16 | ||||
-rw-r--r-- | tests/auto/network/access/qnetworkcookiejar/tst_qnetworkcookiejar.cpp | 33 |
2 files changed, 48 insertions, 1 deletions
diff --git a/src/network/access/qnetworkcookiejar.cpp b/src/network/access/qnetworkcookiejar.cpp
index f62a03b11d..2ec4acf26c 100644
--- a/src/network/access/qnetworkcookiejar.cpp
+++ b/src/network/access/qnetworkcookiejar.cpp
@@ -241,6 +241,17 @@ QList<QNetworkCookie> QNetworkCookieJar::cookiesForUrl(const QUrl &url) const
 if ((*it).isSecure() && !isEncrypted)
 continue;
+ QString domain = it->domain();
+ if (domain.startsWith(QLatin1Char('.'))) /// Qt6?: remove when compliant with RFC6265
+ domain = domain.mid(1);
+#if QT_CONFIG(topleveldomain)
+ if (qIsEffectiveTLD(domain) && url.host() != domain)
+ continue;
+#else
+ if (!domain.contains(QLatin1Char('.')) && url.host() != domain)
+ continue;
+#endif // topleveldomain
+
 // insert this cookie into result, sorted by path
 QList<QNetworkCookie>::Iterator insertIt = result.begin();
 while (insertIt != result.end()) {
@@ -340,6 +351,11 @@ bool QNetworkCookieJar::validateCookie(const QNetworkCookie &cookie, const QUrl
 if (domain.startsWith(QLatin1Char('.')))
 domain = domain.mid(1);
+ // We shouldn't reject if:
+ // "[...] the domain-attribute is identical to the canonicalized request-host"
+ // https://tools.ietf.org/html/rfc6265#section-5.3 step 5
+ if (host == domain)
+ return true;
 #if QT_CONFIG(topleveldomain)
 // the check for effective TLDs makes the "embedded dot" rule from RFC 2109 section 4.3.2
 // redundant; the "leading dot" rule has been relaxed anyway, see QNetworkCookie::normalize()
diff --git a/tests/auto/network/access/qnetworkcookiejar/tst_qnetworkcookiejar.cpp b/tests/auto/network/access/qnetworkcookiejar/tst_qnetworkcookiejar.cpp
index ed5d0c69a0..8b49679042 100644
--- a/tests/auto/network/access/qnetworkcookiejar/tst_qnetworkcookiejar.cpp
+++ b/tests/auto/network/access/qnetworkcookiejar/tst_qnetworkcookiejar.cpp
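Review bot: The `#else` branch of the new gate in cookiesForUrl treats only single-label domains as TLDs, so in a build without the topleveldomain feature a cookie whose domain is a multi-label public suffix (the `.foo.ck` shape the effective-tld2 test rows use) is never subjected to the exact-host rule, while the `qIsEffectiveTLD` branch holds it to that rule; the asymmetry deserves a comment on the `#else`, e.g. `// without the PSL only single-label domains are recognised as TLDs; multi-label public suffixes are not caught here`. The leading-dot strip followed by the `#if QT_CONFIG(topleveldomain)` TLD test is now written twice, here and in validateCookie (next hunk), and a file-local `static bool isTldLikeDomain(const QString &domain)` used by both sites would keep the two from drifting apart. `url.host()` is also re-evaluated for every cookie in the loop; unless a host local already exists above the hunk (the loop head and the start of cookiesForUrl are outside it), `const QString host = url.host();` before the loop avoids that and reads better in the two comparisons.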
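Review bot: The added `host == domain` early return in validateCookie sits before the `#if QT_CONFIG(topleveldomain)` block, so it also skips everything after the `#endif` (the rest of the function is outside the hunk); if that tail does more than reject effective TLDs, the exemption should instead be folded into the TLD rejection of each branch, e.g. `if (qIsEffectiveTLD(domain) && host != domain) return false;` with the mirror in `#else`. The comparison is byte-wise, whereas the quoted RFC 6265 §5.3 step 5 speaks of the canonicalized request-host; that is only the same test if `cookie.domain()` reaches here lowercased and ACE-encoded like `url.host()`, which the cookie parser (not in this hunk) may or may not guarantee, so the comment should state the assumption, e.g. `// assumes cookie.domain() is already canonical (lowercase, ACE) like url.host() — verify in the parser`. Since the preceding context lines strip a leading dot before the compare, a `.support` attribute and a bare `support` host are treated as identical here although RFC 6265 itself does not strip it; a short note on that in the same comment would keep the citation honest.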
@@ -164,7 +164,9 @@ void tst_QNetworkCookieJar::setCookiesFromUrl_data()
 result.clear();
 preset.clear();
 cookie.setDomain(".foo.ck");
- QTest::newRow("effective-tld2-denied") << preset << cookie << "http://foo.ck" << result << false;
+ result += cookie;
+ QTest::newRow("effective-tld2-accepted2") << preset << cookie << "http://foo.ck" << result << true;
+ result.clear();
 QTest::newRow("effective-tld2-denied2") << preset << cookie << "http://www.foo.ck" << result << false;
 QTest::newRow("effective-tld2-denied3") << preset << cookie << "http://www.anything.foo.ck" << result << false;
 cookie.setDomain(".www.ck");
@@ -208,6 +210,22 @@ void tst_QNetworkCookieJar::setCookiesFromUrl_data()
 preset.clear();
 cookie.setDomain(".com.");
 QTest::newRow("rfc2109-4.3.2-ex3-2") << preset << cookie << "http://x.foo.com" << result << false;
+
+ // When using a TLD as a hostname the hostname should still get cookies (QTBUG-52040)
+ // ... and nothing else should get the cookies.
+ result.clear();
+ preset.clear();
+ cookie.setPath("/");
+ cookie.setDomain(".support");
+ result += cookie;
+ QTest::newRow("TLD-as-domain-accepted") << preset << cookie << "http://support" << result << true;
+ result.clear();
+ QTest::newRow("TLD-as-domain-rejected") << preset << cookie << "http://a.support" << result << false;
+ // Now test with no domain in the cookie, use the domain from the url (matching TLD)
+ cookie.setDomain("support");
+ result += cookie;
+ cookie.setDomain("");
+ QTest::newRow("TLD-as-domain-accepted2") << preset << cookie << "http://support" << result << true;
 }
 void tst_QNetworkCookieJar::setCookiesFromUrl()
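Review bot: The `TLD-as-domain-accepted2` row expects a stored domain of `support` with no leading dot while the cookie under test has an empty domain, so the row silently encodes how the jar presumably fills in a missing domain attribute from the request host; a comment on that line, e.g. `// with no domain attribute the jar stores the bare request host, so the expected cookie carries "support"`, makes the intent readable without consulting the jar. The three new rows also continue from `cookie` as the preceding `.com.` row left it, and the lone `cookie.setPath("/")` suggests at least one attribute had to be reset; building the test cookie afresh (name, value, path and domain set together) would make the rows independent of whatever earlier rows in the hunk above set. The `@@ -164` hunk renames the `.foo.ck` row to `effective-tld2-accepted2` while `effective-tld2-denied2` and `-denied3` keep their numbering, which reads as if an `accepted` row were missing; a consistent name such as `effective-tld2-accepted` would avoid that.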
@@ -351,6 +369,19 @@ void tst_QNetworkCookieJar::cookiesForUrl_data()
 result.clear();
 result += rootCookie;
 QTest::newRow("root-path-match") << allCookies << "http://qt-project.org" << result;
+
+ // Domain in cookie happens to match a TLD
+ allCookies.clear();
+ QNetworkCookie tldCookie;
+ tldCookie.setDomain(".support");
+ tldCookie.setName("a");
+ tldCookie.setValue("b");
+ allCookies += tldCookie;
+ result.clear();
+ result += tldCookie;
+ QTest::newRow("tld-cookie-match") << allCookies << "http://support/" << result;
+ result.clear();
+ QTest::newRow("tld-cookie-no-match") << allCookies << "http://a.support/" << result;
 }
 void tst_QNetworkCookieJar::cookiesForUrl()