From d6e43d0c97b56958c5ab707715eff0396b26cb81 Mon Sep 17 00:00:00 2001
From: Giuseppe Bilotta
Date: Sat, 3 Jul 2010 22:22:24 +0200
Subject: HTTP: only set cookies for the correct domain
When a redirect has a Set-Cookie: header, check if the cookie domain is valid for the host we are redirected to. If not, don't set the cookie in the new request.
---
lib/rbot/core/utils/httputil.rb | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/lib/rbot/core/utils/httputil.rb b/lib/rbot/core/utils/httputil.rb
index 5c7db444..25df3c5b 100644
--- a/lib/rbot/core/utils/httputil.rb
+++ b/lib/rbot/core/utils/httputil.rb
@@ -438,9 +438,23 @@ class HttpUtil
new_opts[:method] = :get
end
if resp['set-cookie']
- debug "setting cookie #{resp['set-cookie']}"
- new_opts[:headers] ||= Hash.new
- new_opts[:headers]['Cookie'] = resp['set-cookie']
+ debug "set cookie request for #{resp['set-cookie']}"
+ cookie, cookie_flags = (resp['set-cookie']+'; ').split('; ', 2)
+ domain = uri.host
+ cookie_flags.scan(/(\S+)=(\S+);/) { |key, val|
+ if key.intern == :domain
+ domain = val
+ break
+ end
+ }
+ debug "cookie domain #{domain} / #{new_loc.host}"
+ if new_loc.host.rindex(domain) == new_loc.host.length - domain.length
+ debug "setting cookie"
+ new_opts[:headers] ||= Hash.new
+ new_opts[:headers]['Cookie'] = cookie
+ else
+ debug "cookie is for another domain, ignoring"
+ end
end
debug "following the redirect to #{new_loc}"
return get_response(new_loc, new_opts, &block)
--
cgit v1.2.3
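Review bot: The domain check `new_loc.host.rindex(domain) == new_loc.host.length - domain.length` is a plain suffix test, so a cookie scoped to `example.com` is also forwarded when the redirect lands on an unrelated host such as `notexample.com`, while a `Domain=.example.com` value (leading dot, as servers commonly send it) never matches the bare host `example.com`. Compare on a label boundary instead, e.g. `domain = val.sub(/\A\./, '').downcase`, `host = new_loc.host.downcase`, `if host == domain || host.end_with?(".#{domain}")`. The attribute lookup `key.intern == :domain` is case-sensitive, but `Domain=` is the usual spelling, so the attribute is likely missed and the cookie silently dropped on every cross-host redirect; `key.downcase == 'domain'` avoids that. Also, `resp['set-cookie']` appears to fold multiple Set-Cookie headers into one string, so only the first cookie survives the `split('; ', 2)`; `resp.get_fields('set-cookie')` would yield them individually. The enclosing method starts before this hunk.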