GNU bug report logs - #1401
23.0.60; url-cookie-handle-set-cookie doesnt check for trusted urls

Previous Next

Package: emacs;

Reported by: "Karol Hosiawa" <hosiawak <at> gmail.com>

Date: Fri, 21 Nov 2008 15:30:02 UTC

Severity: normal

Tags: fixed, patch

Fixed in version 24.2

Done: Lars Magne Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Lars Magne Ingebrigtsen <larsi <at> gnus.org>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 1401 <at> debbugs.gnu.org, Karol Hosiawa <hosiawak <at> gmail.com>
Subject: bug#1401: 23.0.60; url-cookie-handle-set-cookie doesnt check for trusted urls
Date: Sun, 11 Sep 2011 20:16:45 +0200

Glenn Morris <rgm <at> gnu.org> writes:

> (url-cookie-host-can-set-p "images.google.com" ".google.com")
>
> returns non-nil (because "com" is in url-cookie-two-dot-domains).
>
> And so does:
>
> (setq url-cookie-two-dot-domains "\\.nl\\'")
> (url-cookie-host-can-set-p "images.google.nl" ".google.nl")
>
> But having
>
> (url-cookie-host-can-set-p "foo.co.uk" ".co.uk")
>
> return non-nil would be bad.
>
> It cetainly seems like this problem to me:
>
> http://my.opera.com/yngve/blog/show.dml/267415

I think you're right.  Nobody proposed a solution, though.  :-)

Is there a list of known safe two-dot domains that we could use out
there somewhere?

-- 
(domestic pets only, the antidote for overdose, milk.)
  bloggy blog http://lars.ingebrigtsen.no/
This bug report was last modified 13 years and 101 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.