
Re: [Bug-wget] Implementing draft to update RFC6265


From: Kushagra Singh
Subject: Re: [Bug-wget] Implementing draft to update RFC6265
Date: Tue, 9 Feb 2016 02:30:39 +0530

I made a small mistake in the last patch; here is the correct one.

Kushagra

On Tue, Feb 9, 2016 at 1:23 AM, Kushagra Singh <
address@hidden> wrote:

> Hi,
>
> I worked on the new test today, it is functional after applying the
> last patch Tim suggested.
>
> I am facing a problem here. I am trying to set a secure cookie over an
> insecure connection (without applying my patch, so the test should fail).
> The cookie, although being set (cross checked it in the log), is not being
> saved in the file due to some reason I'm unable to figure out. I am sure
> that it's not being saved as I tried printing the file content in the test
> (it shows up in the log). Is there any reason it should not be getting
> saved?
>
> PFA the test and modifications to expected_files hook.
>
> Kushagra
>
>
>
> On Wed, Feb 3, 2016 at 1:46 PM, Darshit Shah <address@hidden> wrote:
>
>> That's no problem. Just mentioning it, so the thread stays alive and
>> we don't entirely forget about it.
>>
>> On 3 February 2016 at 09:11, Kushagra Singh
>> <address@hidden> wrote:
>> > I'm out of town right now, I'll be able to get back to it in a couple of
>> > days. Sorry for the delay!
>> >
>> > Regards,
>> > Kushagra
>> >
>> >
>> > On Wed, 3 Feb 2016 13:39 Darshit Shah <address@hidden> wrote:
>> >>
>> >> That's fine. The patch was good.
>> >>
>> >> Now waiting on Kushagra's tests and his copyright assignment to go
>> >> through
>> >>
>> >> On 1 February 2016 at 21:13, Tim Rühsen <address@hidden> wrote:
>> >> > Oops, just pushed your patch accidentally (thanks anyway).
>> >> > I wanted to wait for Darshit to confirm it...
>> >> >
>> >> > Regards, Tim
>> >> >
>> >> > On Sunday, 31 January 2016, 17:40:12, Ander Juaristi wrote:
>> >> >> The test looks good to me, but I think I've spotted a bug _in the
>> >> >> test engine_ where the 'RejectHeader' rule doesn't get enforced.
>> >> >>
>> >> >> You can strip the 'secure' parameter from this testcase and still it
>> >> >> will pass. I've written a patch to fix this.
>> >> >>
>> >> >> I.e. this:
>> >> >>
>> >> >> ---request begin---
>> >> >> GET /File2 HTTP/1.1
>> >> >> User-Agent: Wget/1.16.3.168-be847 (linux-gnu)
>> >> >> Accept: */*
>> >> >> Accept-Encoding: identity
>> >> >> Host: 127.0.0.1:44832
>> >> >> Connection: Keep-Alive
>> >> >> Cookie: sess-id=0213
>> >> >>
>> >> >> ---request end---
>> >> >> HTTP request sent, awaiting response... 127.0.0.1 - - [31/Jan/2016
>> >> >> 17:33:20]
>> >> >> "GET /File2 HTTP/1.1" 200 -
>> >> >>
>> >> >> ---response begin---
>> >> >> HTTP/1.1 200 OK
>> >> >> Server: BaseHTTP/0.6 Python/3.4.3+
>> >> >> Date: Sun, 31 Jan 2016 16:33:20 GMT
>> >> >> content-length: 29
>> >> >> content-type: text/plain
>> >> >>
>> >> >> versus this:
>> >> >>
>> >> >> ---request begin---
>> >> >> GET /File2 HTTP/1.1
>> >> >> User-Agent: Wget/1.16.3.168-be847 (linux-gnu)
>> >> >> Accept: */*
>> >> >> Accept-Encoding: identity
>> >> >> Host: 127.0.0.1:37251
>> >> >> Connection: Keep-Alive
>> >> >> Cookie: sess-id=0213
>> >> >>
>> >> >> ---request end---
>> >> >> HTTP request sent, awaiting response... 127.0.0.1 - - [31/Jan/2016
>> >> >> 17:34:18]
>> >> >> code 400, message Blacklisted Header Cookie received 127.0.0.1 - -
>> >> >> [31/Jan/2016 17:34:18] "GET /File2 HTTP/1.1" 400 -
>> >> >>
>> >> >> ---response begin---
>> >> >> HTTP/1.1 400 Blacklisted Header Cookie received
>> >> >> Server: BaseHTTP/0.6 Python/3.4.3+
>> >> >> Date: Sun, 31 Jan 2016 16:34:18 GMT
>> >> >> Content-Type: text/html;charset=utf-8
>> >> >> Connection: close
>> >> >> Content-Length: 483
>> >> >>
>> >> >> ---response end---
>> >> >> 400 Blacklisted Header Cookie received
>> >> >> Header Cookie received
>> >> >> URI content encoding = ‘utf-8’
>> >> >> Disabling further reuse of socket 3.
>> >> >> Closed fd 3
>> >> >> 2016-01-31 17:34:18 ERROR 400: Blacklisted Header Cookie received.
>> >> >>
>> >> >> On 01/30/2016 09:31 PM, Kushagra Singh wrote:
>> >> >> > Hi,
>> >> >> >
>> >> >> > I'm a bit stuck while writing tests. How do I test the fact that a
>> >> >> > secure only cookie does not get saved over an insecure connection?
>> >> >> > Even if the cookie gets saved, it will not be transmitted over an
>> >> >> > insecure connection (cookie_matches_url() ensures that). So even
>> >> >> > though I can see in the log that the cookie is not saved, I can't
>> >> >> > figure out how exactly to test that in the test suite, since I
>> >> >> > cannot check using RejectHeader. Please find attached the test I
>> >> >> > have written.
>> >> >> >
>> >> >> > And one thing I noticed, Test-Proto.py tries to import HTTP and
>> >> >> > HTTPS classes from "misc.constants", which is wrong. It should be
>> >> >> > imported from test.base_test right?
>> >> >> >
>> >> >> > Regards,
>> >> >> > Kushagra
>> >> >>
>> >> >> Regards,
>> >> >> - AJ
>> >> >
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Thanking You,
>> >> Darshit Shah
>> >>
>> >
>>
>>
>>
>> --
>> Thanking You,
>> Darshit Shah
>>
>
>

Attachment: 0001-Added-Test-reject-secure-cookie.patch
Description: Text Data
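
An added illustration of the testing problem raised in this thread (not part of any message, and not Wget's code or test suite): a toy Python cookie jar, with hypothetical class and method names, showing that store-time rejection and send-time filtering of a Secure cookie put the same request on the wire over HTTP. Only the saved jar contents tell the two behaviours apart, which is why a RejectHeader check alone cannot.

```python
# Added illustration; MiniJar and its methods are hypothetical, not Wget code.
from urllib.parse import urlsplit


class MiniJar:
    """Toy cookie jar keyed by (host, name)."""

    def __init__(self, reject_secure_over_http):
        self.reject_secure_over_http = reject_secure_over_http
        self.cookies = {}

    def store(self, url, set_cookie):
        """Parse one Set-Cookie value; return True if it was stored."""
        parts = [p.strip() for p in set_cookie.split(";")]
        name, _, value = parts[0].partition("=")
        secure = any(p.lower() == "secure" for p in parts[1:])
        u = urlsplit(url)
        # Store-time rule discussed in the thread: a Secure cookie arriving
        # over an insecure connection is not saved at all.
        if secure and u.scheme != "https" and self.reject_secure_over_http:
            return False
        self.cookies[(u.hostname, name)] = (value, secure)
        return True

    def cookie_header(self, url):
        """Send-time filter: Secure cookies only go out over https."""
        u = urlsplit(url)
        pairs = [f"{n}={v}" for (h, n), (v, s) in sorted(self.cookies.items())
                 if h == u.hostname and (not s or u.scheme == "https")]
        return "; ".join(pairs)

    def saved_lines(self):
        """Stand-in for the saved cookie file a test would inspect."""
        return [f"{h}\t{'TRUE' if s else 'FALSE'}\t{n}\t{v}"
                for (h, n), (v, s) in sorted(self.cookies.items())]


def observe(reject):
    """Return (Cookie header on the next http request, saved jar lines)."""
    jar = MiniJar(reject_secure_over_http=reject)
    # Constructed sample header, modelled on the sess-id cookie in the log.
    jar.store("http://127.0.0.1/File1", "sess-id=0213; path=/; Secure")
    return jar.cookie_header("http://127.0.0.1/File2"), jar.saved_lines()


# Same (empty) Cookie header either way; only the saved jar differs.
without_rule, with_rule = observe(False), observe(True)
```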

