http/cookie: Don't allow a partial domain-match against an IP

daurnimator · daurnimator · commit 78e84bc8b532 · 2018-08-13T01:23:15.000+10:00
diff --git a/http/cookie.lua b/http/cookie.lua
@@ -98,7 +98,7 @@ local function domain_match(domain_string, str)
 	return str == domain_string or (
 		str:sub(-#domain_string) == domain_string
 		and str:sub(-#domain_string-1, -#domain_string-1) == "."
-		-- TODO: check if IP address?
+		and not http_util.is_ip(str)
 	)
 end
 
diff --git a/spec/cookie_spec.lua b/spec/cookie_spec.lua
@@ -78,6 +78,10 @@ describe("cookie module", function()
 			local s = http_cookie.new_store()
 			assert.falsy(s:store("example.com", "/", true, true, nil, http_cookie.parse_setcookie("foo=bar; Domain=subdomain.example.com")))
 		end)
+		it("doesn't domain-match a partial ip", function()
+			local s = http_cookie.new_store()
+			assert.falsy(s:store("127.0.0.1", "/", true, true, nil, http_cookie.parse_setcookie("foo=bar; Domain=0.0.1")))
+		end)
 	end)
 	describe("domain-match on lookup", function()
 		it("matches domains correctly when host_only flag is true", function()

Original file line number	Diff line number	Diff line change
`@@ -98,7 +98,7 @@ local function domain_match(domain_string, str)`
`98`	`98`	`return str == domain_string or (`
`99`	`99`	`str:sub(-#domain_string) == domain_string`
`100`	`100`	`and str:sub(-#domain_string-1, -#domain_string-1) == "."`
`101`		`- -- TODO: check if IP address?`
	`101`	`+ and not http_util.is_ip(str)`
`102`	`102`	`)`
`103`	`103`	`end`
`104`	`104`