Parsing issues with Set-Cookie header #229

@nnposter

Description

Library http.lua does not correctly parse certain cases of Set-Cookie header.

Case 1: Cookie Merge

Consider the following HTTP response:

...
Set-Cookie: c1=aaa
Set-Cookie: c2=bbb; expires=Sun, 25-Oct-2015 04:35:13 GMT
...

The current code parses the headers as follows:

  • Cookie:
    • name="c1"
    • value="aaa,c2=bbb"
    • expires="Sun, 25-Oct-2015 04:35:13 GMT"

Patch http-parse-set-cookie.patch corrects the behavior, producing:

  • Cookie:
    • name="c1"
    • value="aaa"
  • Cookie:
    • name="c2"
    • value="bbb"
    • expires="Sun, 25-Oct-2015 04:35:13 GMT"

The patch does the following:

  • Function parse_set_cookie() is no longer fed response.header["set-cookie"], which is a concatenation of all the cookie definitions. Instead the function is invoked on each Set-Cookie header separately, before they are joined, inside parse_header().
  • This allows removal of the unnecessary outer looping construct while true do ... end from the cookie parsing code.
  • Swaps the position of functions parse_set_cookie() and parse_header() inside http.lua. This is necessary due to the moved invocation point for parse_set_cookie().

The last two changes visually inflate the patch quite a lot but a smart diff can see through it.

Case 2: Comma Splitting

Consider the following HTTP response:

...
Set-Cookie: c1=aaa; path=/bbb/ccc,ddd/eee
...

Note that this is a legitimate path. (See W3C and RFC 6265 for details.)
The current code parses the header as follows:

  • Cookie:
    • name="c1"
    • value="aaa"
    • path="=/bbb/ccc"

Patch http-parse-set-cookie-comma.patch corrects the behavior by removing special parsing of the comma from parse_set_cookie(). The parsing is not needed any more due to the function now processing only one header at a time.

Clean-up

Finally, I am proposing a clean-up of the parse_set_cookie() code, removing unnecessary checks like if pos <= #s and converting string function calls to the object notation. See patch http-parse-set-cookie-cleanup.patch.

The patches are meant to be applied in this order:

  1. http-parse-set-cookie.patch
  2. http-parse-set-cookie-comma.patch
  3. http-parse-set-cookie-cleanup.patch
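As an added illustration of the behaviour the three patches aim for (this is standalone example code, not Nmap's http.lua or the patches themselves), the following Lua parses every Set-Cookie header value on its own and splits only on ';', so the comma in an expires date or in a path like /bbb/ccc,ddd/eee is never treated as a cookie boundary. The header list, the helper names and the sample values are constructed for this example.

```lua
-- Added example (not Nmap's http.lua): one Set-Cookie header value -> one
-- cookie table. Splitting on ';' only means commas inside attribute values
-- (expires dates, unusual paths) survive intact.
local function trim(s)
  return s:match("^%s*(.-)%s*$")
end

-- Parse a single Set-Cookie header value into
-- {name=..., value=..., <attribute>=...}. Returns nil when the first
-- pair is not a name=value cookie definition.
local function parse_set_cookie(header)
  local cookie = {}
  local first = true
  for part in (header .. ";"):gmatch("([^;]*);") do
    part = trim(part)
    if part ~= "" then
      -- [^=]+ stops at the first '=', so "a=b=c" keeps "b=c" as the value
      local key, val = part:match("^([^=]+)=(.*)$")
      if first then
        if not key then return nil end  -- a cookie needs name=value
        cookie.name, cookie.value = trim(key), trim(val)
        first = false
      elseif key then
        cookie[trim(key):lower()] = trim(val)  -- e.g. expires, path, domain
      else
        cookie[part:lower()] = true            -- flag attribute, e.g. Secure
      end
    end
  end
  return cookie
end

-- Parse a list of raw Set-Cookie header values: they are handled
-- separately here, never joined with ',' first.
local function parse_set_cookies(headers)
  local cookies = {}
  for _, h in ipairs(headers) do
    local c = parse_set_cookie(h)
    if c then cookies[#cookies + 1] = c end
  end
  return cookies
end

-- Constructed sample: the two cases from the issue, as separate headers.
local parsed = parse_set_cookies({
  "c1=aaa",
  "c2=bbb; expires=Sun, 25-Oct-2015 04:35:13 GMT",
  "c3=ccc; path=/bbb/ccc,ddd/eee; Secure",
})
assert(#parsed == 3 and parsed[1].value == "aaa")
assert(parsed[2].expires == "Sun, 25-Oct-2015 04:35:13 GMT")
assert(parsed[3].path == "/bbb/ccc,ddd/eee" and parsed[3].secure == true)
```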
