cookie parser: more strict parsing + bugfixes

This commit is contained in:
jkhsjdhjs 2019-11-26 04:15:01 +01:00
parent 425067e759
commit eeeba02b83
Signed by: jkhsjdhjs
GPG Key ID: BAC6ADBAB7D576CC


@ -32,11 +32,16 @@ export default class Cookie {
constructor(str, requestURL) {
if(typeof str !== "string")
throw paramError("First", "str", "new Cookie()", "string");
if(typeof requestURL !== "string")
throw paramError("Second", "requestURL", "new Cookie()", "string");
// check if url is valid
new url.URL(requestURL);
const splitted = str.split("; ");
[this.name, this.value] = splitN(splitted[0], "=", 1);
if(!this.name)
throw new CookieParseError("Invalid cookie name \"" + this.name + "\"");
throw new CookieParseError("Invalid cookie name \"" + this.name + "\"!");
if(this.value.startsWith("\"") && this.value.endsWith("\""))
this.value = this.value.slice(1, -1);
@ -50,7 +55,8 @@ export default class Cookie {
if(this.expiry) // max-age has precedence over expires
continue;
if(!/^(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2}[ -](?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[ -]\d{2,4} \d{2}:\d{2}:\d{2} GMT$/.test(v)
|| (this.expiry = new Date(v)) === "Invalid Date")
|| (this.expiry = new Date(v)).toString() === "Invalid Date"
|| this.expiry.getTime() < 0)
throw new CookieParseError("Invalid value for Expires \"" + v + "\"!");
}
else if(k === "max-age") {
@ -87,7 +93,7 @@ export default class Cookie {
if(this.name.toLowerCase().startsWith("__secure-") && (!this.secure || parsedURL.protocol !== "https:"))
throw new CookieParseError("Cookie has \"__Secure-\" prefix but \"Secure\" isn't set or the cookie is not set via https!");
if(this.name.toLowerCase().startsWith("__host-") && (!this.secure || parsedURL.protocol !== "https:" || this.domain || (this.path && this.path !== "/")))
if(this.name.toLowerCase().startsWith("__host-") && (!this.secure || parsedURL.protocol !== "https:" || this.domain || this.path !== "/"))
throw new CookieParseError("Cookie has \"__Host-\" prefix but \"Secure\" isn't set, the cookie is not set via https, \"Domain\" is set or \"Path\" is not equal to \"/\"!");
// assign defaults
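Review bot: The rewritten Expires check in the second hunk still delegates the actual parsing to `new Date(v)` on a non-ISO string, so for the two-digit years the regex's `\d{2,4}` admits the century is engine-defined rather than the RFC 6265 §5.1.1 rule (70–99 → 19xx, 00–69 → 20xx), and the added `|| this.expiry.getTime() < 0` rejects pre-1970 dates where the RFC only fails for years below 1601 and otherwise clamps to the earliest representable time, so a server expiring a cookie with an early date is now a parse error. If the stricter behaviour is intended, a comment on that line such as `// stricter than RFC 6265 §5.1.1: pre-epoch dates are rejected instead of clamped` would record the decision; otherwise narrowing the regex year to `\d{4}` removes the engine-dependent century and keeps the Date fallback fail-closed. The attribute loop this check sits in starts and ends outside the hunk.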