Bug 604794 - malformed cookie header causes endless loop
Status: RESOLVED FIXED
Product: libsoup
Classification: Core
Component: Misc
Version: 2.28.x
Hardware/OS: Other / All
Importance: Normal / normal
Target Milestone: ---
Assigned To: libsoup-maint@gnome.bugs
QA Contact: libsoup-maint@gnome.bugs
Depends on:
Blocks:
Reported: 2009-12-17 04:31 UTC by Mikhail Rogozhin
Modified: 2009-12-17 12:55 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description Mikhail Rogozhin 2009-12-17 04:31:59 UTC
A malformed cookie header (one that ends with a comma) causes an endless loop when libsoup tries to parse it.

Steps to Reproduce:

1) Set up a server that responds with this header:
Set-Cookie: name=value; max-age=20000000,

2) Point Epiphany (or Midori) at this server.

ACT: Epiphany hangs.


Checked on Epiphany 2.28.2-1 (libsoup 2.28.2).

libsoup falls into an endless loop. That occurs in parse_one_cookie() in soup-cookie.c:

	if (*p == ',') {
		p = skip_lws (p + 1);
		if (*p)
			*header_p = p;
		/* no else: when the comma is the last thing in the string,
		 * *header_p is left untouched */
	} else
		*header_p = NULL;

It calls skip_lws() with a pointer to EOL; skip_lws() skips nothing and returns a pointer to the same EOL, so *header_p remains unchanged, and soup_cookies_from_response() calls parse_one_cookie() again and again with the same header string.

A check for EOL should be performed somewhere; this fixed the issue for me:

 	if (*p == ',') {
 		p = skip_lws (p + 1);
 		if (*p)
 			*header_p = p;
+                else
+                       *header_p = NULL;
 	} else
 		*header_p = NULL;
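Review bot: the added `else` closes the loop correctly: when `skip_lws (p + 1)` lands on the terminator, `*header_p` now becomes NULL and the caller's loop stops instead of re-parsing the same string. Both the new `else` and the outer `else` end in `*header_p = NULL;`, so the same effect can be had with less duplication by assigning `*header_p = NULL;` once before the `if` and keeping only `*header_p = p;` in the `if (*p == ',')` branch when the skipped pointer is non-empty.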
Comment 1 Dan Winship 2009-12-17 12:55:33 UTC
fixed in master
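The loop the report describes, as an added example (constructed here, not libsoup's code): a cut-down model of parse_one_cookie() and of the calling "while (header)" loop, with a `fixed` switch selecting the original branch or the patched one, and an iteration cap so the unpatched variant returns -1 instead of spinning. The function names, the cap and the sample headers are assumptions of this example; real Set-Cookie parsing (quoted values, Expires dates that themselves contain commas) is deliberately left out.

```c
/*
 * Constructed model of the libsoup 2.28 Set-Cookie loop from the report above.
 * Not libsoup's code: parse_one_cookie() here only finds the next ',' separator.
 * The `fixed` flag selects the original branch (0) or the patched one (1).
 */
#include <stddef.h>
#include <stdio.h>

/* Skip linear whitespace (spaces and tabs); never moves past the terminator. */
static const char *skip_lws(const char *p)
{
	while (*p == ' ' || *p == '\t')
		p++;
	return p;
}

/*
 * Consume one cookie ("name=value; attr; ...") from *header_p and advance
 * *header_p to the next cookie, or set it to NULL when the list is exhausted.
 * Returns the length of the cookie name (0 if no name was found).
 */
static size_t parse_one_cookie(const char **header_p, int fixed)
{
	const char *p = skip_lws(*header_p);
	const char *start = p;
	size_t name_len;

	/* The name ends at '=', at an attribute separator, or at the next cookie. */
	while (*p && *p != '=' && *p != ';' && *p != ',')
		p++;
	name_len = (size_t)(p - start);

	/* Value and attributes are skipped up to the cookie separator. */
	while (*p && *p != ',')
		p++;

	if (*p == ',') {
		p = skip_lws(p + 1);
		if (*p)
			*header_p = p;
		else if (fixed)
			*header_p = NULL;	/* patched: a trailing comma ends the list */
		/* original: *header_p is left pointing at the same string */
	} else
		*header_p = NULL;

	return name_len;
}

/*
 * Count the cookies in one header value, mirroring the caller's
 * "while (header) parse_one_cookie(&header)" loop. The iteration cap stands
 * in for the hang: -1 means the loop would not have terminated.
 */
int count_cookies(const char *header, int fixed, int max_iter)
{
	int cookies = 0, rounds = 0;

	while (header) {
		if (++rounds > max_iter)
			return -1;
		if (parse_one_cookie(&header, fixed) > 0)
			cookies++;
	}
	return cookies;
}

int main(void)
{
	/* Constructed samples: the header from the report, plus a two-cookie list. */
	const char *bad = "name=value; max-age=20000000,";
	const char *good = "a=1, b=2; path=/";

	printf("original, trailing comma: %d\n", count_cookies(bad, 0, 1000));  /* -1 */
	printf("patched,  trailing comma: %d\n", count_cookies(bad, 1, 1000));  /*  1 */
	printf("patched,  two cookies:    %d\n", count_cookies(good, 1, 1000)); /*  2 */
	return 0;
}
```

The cap is only there so the model can report the defect as a return value; the point it makes is that the original branch leaves `*header_p` unchanged on a trailing comma, so every header that parses cleanly otherwise (the two-cookie case) behaves identically in both variants, and only the malformed one diverges.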