Allows cookies to have unrecognized attributes (see RFC 6265, Section…

… 5.2). Fixes nmap#866
jumpnow · Apr 29, 2017 · d478199 · d478199
1 parent 0b36ba5
commit d478199
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/CHANGELOG b/CHANGELOG
@@ -24,6 +24,10 @@ o [NSE] The HTTP response object has a new member, fragment, which contains
   a partially received body (if any) when the overall request fails to
   complete. [nnposter]
 
+o [NSE][GH#866] NSE now allows cookies to have arbitrary attributes, which
+  are silently ignored (in accordance with RFC 6265). Unrecognized attributes
+  were previously causing HTTP requests with such cookies to fail. [nnposter]
+
 o [NSE][GH#844] NSE now correctly parses a Set-Cookie header that has unquoted
   whitespace in the cookie value (which is allowed per RFC 6265). [nnposter]
 

diff --git a/nselib/http.lua b/nselib/http.lua
@@ -318,7 +318,8 @@ local function validate_options(options)
               end
             elseif not (cookie_key == 'httponly' or cookie_key == 'secure') then
               stdnse.debug1("http: Unknown field in cookie table: %s", cookie_key)
-              bad = true
+              -- Ignore unrecognized attributes (per RFC 6265, Section 5.2)
+              -- bad = true
             end
           end
         end