From cf29b7b967e59f08713d6574b754874a900bf6cd Mon Sep 17 00:00:00 2001
From: Shane Kearns
Date: Fri, 8 Jun 2012 17:04:35 +0100
Subject: Ignore empty domain attribute in cookies
As recommended by RFC6265. This fixes the optional-domain0042 test case.
Task-number: QTBUG-15794
Change-Id: I6dd459797afcb52fa2a78437f8481f5abc6f3105
Reviewed-by: Richard J. Moore
---
 src/network/access/qnetworkcookie.cpp | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)
(limited to 'src/network/access')
diff --git a/src/network/access/qnetworkcookie.cpp b/src/network/access/qnetworkcookie.cpp
index 5a75dd55e8..1dd1e25b07 100644
--- a/src/network/access/qnetworkcookie.cpp
+++ b/src/network/access/qnetworkcookie.cpp
@@ -931,16 +931,25 @@ QList QNetworkCookiePrivate::parseSetCookieHeaderLine(const QByt
 cookie.setExpirationDate(dt);
 } else if (field.first == "domain") {
 QByteArray rawDomain = field.second;
- QString maybeLeadingDot;
- if (rawDomain.startsWith('.')) {
- maybeLeadingDot = QLatin1Char('.');
- rawDomain = rawDomain.mid(1);
- }
+ //empty domain should be ignored (RFC6265 section 5.2.3)
+ if (!rawDomain.isEmpty()) {
+ QString maybeLeadingDot;
+ if (rawDomain.startsWith('.')) {
+ maybeLeadingDot = QLatin1Char('.');
+ rawDomain = rawDomain.mid(1);
+ }

- QString normalizedDomain = QUrl::fromAce(QUrl::toAce(QString::fromUtf8(rawDomain)));
- if (normalizedDomain.isEmpty() && !rawDomain.isEmpty())
- return result;
- cookie.setDomain(maybeLeadingDot + normalizedDomain);
+ //IDN domains are required by RFC6265, accepting utf8 as well doesn't break any test cases.
+ QString normalizedDomain = QUrl::fromAce(QUrl::toAce(QString::fromUtf8(rawDomain)));
+ if (!normalizedDomain.isEmpty()) {
+ cookie.setDomain(maybeLeadingDot + normalizedDomain);
+ } else {
+ //Normalization fails for malformed domains, e.g. "..example.org", reject the cookie now
+ //rather than accepting it but never sending it due to domain match failure, as the
+ //strict reading of RFC6265 would indicate.
+ return result;
+ }
+ }
 } else if (field.first == "max-age") {
 bool ok = false;
 int secs = field.second.toInt(&ok);
--
cgit v1.2.3
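Review bot: A `Domain=.` value is not covered by the new empty check, because `rawDomain` only becomes empty after the leading dot is stripped inside the `if (!rawDomain.isEmpty())` block. It then presumably normalizes to an empty string and takes the `return result` branch, so the cookie is dropped while a plain `Domain=` is merely ignored. Dropping is the fail-closed choice, but the comment in the else branch only mentions malformed names such as "..example.org", so I would extend it with `//a lone "." also ends up here: nothing is left after the leading dot is stripped, so the cookie is rejected rather than kept as host-only` and add a test case for it next to optional-domain0042. The enclosing parseSetCookieHeaderLine starts and ends outside this hunk, so how the stored leading dot is matched against the request host later is not visible here.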