HTTP Set-Cookie parser does not handle trailing semicolons #731

@nnposter

Header parser in parse_set_cookie() bails out on a cookie header with a trailing semicolon, like...

Set-Cookie: session_id=76ca8bc8c19;

...because an attribute is expected to follow the semicolon:

  while s:sub(pos, pos) == ";" do
    pos = pos + 1
    pos = skip_space(s, pos)
    pos, name = get_token(s, pos)
    if not name then
      return nil, string.format("Can't get attribute name of cookie \"%s\".", cookie.name)
    end
    ...

The following patch resolves the issue:

--- a/nselib/http.lua
+++ b/nselib/http.lua
@@ -762,6 +762,9 @@
   while s:sub(pos, pos) == ";" do
     pos = pos + 1
     pos = skip_space(s, pos)
+    if pos > #s then
+      break
+    end
     pos, name = get_token(s, pos)
     if not name then
       return nil, string.format("Can't get attribute name of cookie \"%s\".", cookie.name)
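
Review bot: the new `pos > #s` check in the while loop only covers a semicolon (plus optional whitespace) that ends the header; an empty attribute in the middle, as in `a=b;; Path=/`, still reaches get_token and returns the "Can't get attribute name" error. If the intent is to tolerate empty attributes in general, consider skipping the iteration when the next character is another `;` rather than only breaking at end of string. A one-line comment above the check saying it accepts a trailing semicolon, and a test header for that case, would also help.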

Please let me know if you have any questions or concerns. Otherwise I will commit the patch in a few weeks.
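
The failure described in this issue, reproduced as an added Lua example (not code from nselib/http.lua or from the issue author): it runs the attribute loop with and without the patch's `pos > #s` check. The helpers `skip_space` and `get_token` and the function `parse_set_cookie_demo` are simplified stand-ins assumed for illustration, and all headers except the first are constructed.

```lua
-- Added illustration; skip_space/get_token are simplified stand-ins (assumptions),
-- not the nselib/http.lua implementations.
local function skip_space(s, pos)
  local _, e = s:find("^[ \t]*", pos)
  return e + 1
end
local function get_token(s, pos)
  local _, e, tok = s:find("^([^%s;=]+)", pos)
  if not tok then return pos, nil end
  return e + 1, tok
end

-- guard=true applies the "pos > #s" check from the patch in the issue.
local function parse_set_cookie_demo(s, guard)
  local cookie, pos, name = { attrs = {} }, 1, nil
  pos, cookie.name = get_token(s, pos)
  if not cookie.name or s:sub(pos, pos) ~= "=" then
    return nil, "Can't get cookie name."
  end
  local _, e, value = s:find("^=([^;]*)", pos)
  cookie.value, pos = value, e + 1
  while s:sub(pos, pos) == ";" do
    pos = pos + 1
    pos = skip_space(s, pos)
    if guard and pos > #s then break end
    pos, name = get_token(s, pos)
    if not name then
      return nil, string.format("Can't get attribute name of cookie \"%s\".", cookie.name)
    end
    local _, ve, v = s:find("^=([^;]*)", pos)  -- optional "=value" part
    if ve then pos = ve + 1 end
    cookie.attrs[name:lower()] = v or true
    pos = skip_space(s, pos)
  end
  return cookie
end
-- Constructed sample headers; the first is the one quoted in the issue.
local samples = {
  "session_id=76ca8bc8c19;",
  "session_id=76ca8bc8c19; ",
  "session_id=76ca8bc8c19; Path=/; HttpOnly",
  "session_id=76ca8bc8c19;; Path=/",
}
for _, h in ipairs(samples) do
  for _, guard in ipairs({ false, true }) do
    local c, err = parse_set_cookie_demo(h, guard)
    print(string.format("%-44s guard=%-5s -> %s", '"' .. h .. '"', tostring(guard), c and "ok" or err))
  end
end
```

The fourth header, with an empty attribute between two semicolons, is rejected whether or not the check is enabled.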
