Commit 62523863 authored by Lars Ingebrigtsen's avatar Lars Ingebrigtsen

(url-cookie-host-can-set-p): Protect against zero-length domains

* lisp/url/url-cookie.el (url-cookie-host-can-set-p): Protect
against zero-length domains.

Backtrace of a real-world site that triggers a bug:

Debugger entered--Lisp error: (args-out-of-range "" 0)
  url-cookie-host-can-set-p("www.washingtonpost.com" "")
  url-cookie-handle-set-cookie("utm_term=0;Expires=Thursday,
  01-January-1970 00:00:00 GMT; path=/; domain=")
  url-http-handle-cookies()
parent 43885eac
......@@ -229,16 +229,19 @@ telling Microsoft that."
(defun url-cookie-host-can-set-p (host domain)
(let ((last nil)
(case-fold-search t))
(if (string= host domain) ; Apparently netscape lets you do this
t
(cond
((string= host domain) ; Apparently netscape lets you do this
t)
((zerop (length domain))
nil)
(t
;; Remove the dot from wildcard domains before matching.
(when (eq ?. (aref domain 0))
(setq domain (substring domain 1)))
(and (url-domsuf-cookie-allowed-p domain)
;; Need to check and make sure the host is actually _in_ the
;; domain it wants to set a cookie for though.
(string-match (concat (regexp-quote domain)
"$") host)))))
(string-match (concat (regexp-quote domain) "$") host))))))
(defun url-cookie-handle-set-cookie (str)
(setq url-cookies-changed-since-last-save t)
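Review bot: The new `(zerop (length domain))` guard in `url-cookie-host-can-set-p` runs before the leading dot is stripped, so a `domain` of "." passes it, becomes "" after `(substring domain 1)`, and reaches `string-match` with the bare pattern "$", which matches any host. Whether `url-domsuf-cookie-allowed-p` rejects an empty string is not visible in this hunk, so the check should be repeated after the strip, e.g. `(and (not (zerop (length domain))) (url-domsuf-cookie-allowed-p domain) ...)`. Separately, the suffix match on the function's last line is not anchored to a label boundary, so a host that merely ends in the same characters as `domain` is accepted. Requiring start-of-string or a dot before the domain, `(string-match (concat "\\(?:^\\|\\.\\)" (regexp-quote domain) "$") host)`, would match the RFC 6265 domain-match rule.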
......