added support for the public suffix list

git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@679322 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Ortwin Glueck 2008-07-24 09:22:30 +00:00
parent f87aaff0f1
commit 15a027f427
6 changed files with 302 additions and 0 deletions

View File

@ -0,0 +1,92 @@
package org.apache.http.impl.cookie;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import org.apache.http.client.utils.Punycode;
import org.apache.http.cookie.Cookie;
import org.apache.http.cookie.CookieAttributeHandler;
import org.apache.http.cookie.CookieOrigin;
import org.apache.http.cookie.MalformedCookieException;
import org.apache.http.cookie.SetCookie;
/**
* Wraps a CookieAttributeHandler and leverages its match method
* to never match a suffix from a black list. May be used to provide
* additional security for cross-site attack types by preventing
* cookies from apparent domains that are not publicly available.
* An uptodate list of suffixes can be obtained from
* <a href="http://publicsuffix.org/">publicsuffix.org</a>
*
* @author Ortwin Glück
*/
public class PublicSuffixFilter implements CookieAttributeHandler {
private CookieAttributeHandler wrapped;
private Set<String> exceptions;
private Set<String> suffixes;
public PublicSuffixFilter(CookieAttributeHandler wrapped) {
this.wrapped = wrapped;
}
/**
* Sets the suffix blacklist patterns.
* A pattern can be "com", "*.jp"
* TODO add support for patterns like "lib.*.us"
* @param suffixes
*/
public void setPublicSuffixes(Collection<String> suffixes) {
this.suffixes = new HashSet<String>(suffixes);
}
/**
* Sets the exceptions from the blacklist. Exceptions can not be patterns.
* TODO add support for patterns
* @param exceptions
*/
public void setExceptions(Collection<String> exceptions) {
this.exceptions = new HashSet<String>(exceptions);
}
/**
* Never matches if the cookie's domain is from the blacklist.
*/
public boolean match(Cookie cookie, CookieOrigin origin) {
if (isForPublicSuffix(cookie)) return false;
return wrapped.match(cookie, origin);
}
public void parse(SetCookie cookie, String value) throws MalformedCookieException {
wrapped.parse(cookie, value);
}
public void validate(Cookie cookie, CookieOrigin origin) throws MalformedCookieException {
wrapped.validate(cookie, origin);
}
private boolean isForPublicSuffix(Cookie cookie) {
String domain = cookie.getDomain();
if (domain.startsWith(".")) domain = domain.substring(1);
domain = Punycode.toUnicode(domain);
// An exception rule takes priority over any other matching rule.
if (this.exceptions != null) {
if (this.exceptions.contains(domain)) return false;
}
if (this.suffixes == null) return false;
do {
if (this.suffixes.contains(domain)) return true;
// patterns
if (domain.startsWith("*.")) domain = domain.substring(2);
int nextdot = domain.indexOf('.');
if (nextdot == -1) break;
domain = "*" + domain.substring(nextdot);
} while (domain.length() > 0);
return false;
}
}

View File

@ -0,0 +1,79 @@
package org.apache.http.impl.cookie;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.Reader;
import java.util.ArrayList;
import java.util.Collection;
/**
* Parses the list from <a href="http://publicsuffix.org/">publicsuffix.org</a>
* and configures a PublicSuffixFilter.
*
* @author Ortwin Glück
*/
public class PublicSuffixListParser {
private static final int MAX_LINE_LEN = 256;
private PublicSuffixFilter filter;
PublicSuffixListParser(PublicSuffixFilter filter) {
this.filter = filter;
}
/**
* Parses the public suffix list format.
* When creating the reader from the file, make sure to
* use the correct encoding (the original list is in UTF-8).
*
* @param list the suffix list. The caller is responsible for closing the reader.
* @throws IOException on error while reading from list
*/
public void parse(Reader list) throws IOException {
Collection<String> rules = new ArrayList<String>();
Collection<String> exceptions = new ArrayList<String>();
BufferedReader r = new BufferedReader(list);
StringBuilder sb = new StringBuilder(256);
boolean more = true;
while (more) {
more = readLine(r, sb);
String line = sb.toString();
if (line.length() == 0) continue;
if (line.startsWith("//")) continue; //entire lines can also be commented using //
if (line.startsWith(".")) line = line.substring(1); // A leading dot is optional
// An exclamation mark (!) at the start of a rule marks an exception to a previous wildcard rule
boolean isException = line.startsWith("!");
if (isException) line = line.substring(1);
if (isException) {
exceptions.add(line);
} else {
rules.add(line);
}
}
filter.setPublicSuffixes(rules);
filter.setExceptions(exceptions);
}
/**
*
* @param r
* @param sb
* @return false when the end of the stream is reached
* @throws IOException
*/
private boolean readLine(Reader r, StringBuilder sb) throws IOException {
sb.setLength(0);
int b;
boolean hitWhitespace = false;
while ((b = r.read()) != -1) {
char c = (char) b;
if (c == '\n') break;
// Each line is only read up to the first whitespace
if (Character.isWhitespace(c)) hitWhitespace = true;
if (!hitWhitespace) sb.append(c);
if (sb.length() > MAX_LINE_LEN) throw new IOException("Line too long"); // prevent excess memory usage
}
return (b != -1);
}
}

View File

@ -53,6 +53,7 @@ public class TestAllCookieImpl extends TestCase {
suite.addTest(TestCookieRFC2109Spec.suite()); suite.addTest(TestCookieRFC2109Spec.suite());
suite.addTest(TestCookieRFC2965Spec.suite()); suite.addTest(TestCookieRFC2965Spec.suite());
suite.addTest(TestCookieBestMatchSpec.suite()); suite.addTest(TestCookieBestMatchSpec.suite());
suite.addTest(TestPublicSuffixListParser.suite());
return suite; return suite;
} }

View File

@ -32,6 +32,7 @@ package org.apache.http.impl.cookie;
import java.text.DateFormat; import java.text.DateFormat;
import java.text.SimpleDateFormat; import java.text.SimpleDateFormat;
import java.util.Arrays;
import java.util.Date; import java.util.Date;
import java.util.Locale; import java.util.Locale;
@ -42,6 +43,16 @@ import junit.framework.TestSuite;
import org.apache.http.cookie.CookieAttributeHandler; import org.apache.http.cookie.CookieAttributeHandler;
import org.apache.http.cookie.CookieOrigin; import org.apache.http.cookie.CookieOrigin;
import org.apache.http.cookie.MalformedCookieException; import org.apache.http.cookie.MalformedCookieException;
import org.apache.http.impl.cookie.BasicClientCookie;
import org.apache.http.impl.cookie.BasicCommentHandler;
import org.apache.http.impl.cookie.BasicDomainHandler;
import org.apache.http.impl.cookie.BasicExpiresHandler;
import org.apache.http.impl.cookie.BasicMaxAgeHandler;
import org.apache.http.impl.cookie.BasicPathHandler;
import org.apache.http.impl.cookie.BasicSecureHandler;
import org.apache.http.impl.cookie.DateUtils;
import org.apache.http.impl.cookie.PublicSuffixFilter;
import org.apache.http.impl.cookie.RFC2109DomainHandler;
public class TestBasicCookieAttribHandlers extends TestCase { public class TestBasicCookieAttribHandlers extends TestCase {
@ -458,4 +469,26 @@ public class TestBasicCookieAttribHandlers extends TestCase {
} }
} }
public void testPublicSuffixFilter() throws Exception {
BasicClientCookie cookie = new BasicClientCookie("name", "value");
PublicSuffixFilter h = new PublicSuffixFilter(new RFC2109DomainHandler());
h.setPublicSuffixes(Arrays.asList(new String[] { "co.uk", "com" }));
cookie.setDomain(".co.uk");
assertFalse(h.match(cookie, new CookieOrigin("apache.co.uk", 80, "/stuff", false)));
cookie.setDomain("co.uk");
assertFalse(h.match(cookie, new CookieOrigin("apache.co.uk", 80, "/stuff", false)));
cookie.setDomain(".com");
assertFalse(h.match(cookie, new CookieOrigin("apache.com", 80, "/stuff", false)));
cookie.setDomain("com");
assertFalse(h.match(cookie, new CookieOrigin("apache.com", 80, "/stuff", false)));
cookie.setDomain("localhost");
assertTrue(h.match(cookie, new CookieOrigin("localhost", 80, "/stuff", false)));
}
} }

View File

@ -0,0 +1,84 @@
package org.apache.http.impl.cookie;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.Reader;
import junit.framework.Test;
import junit.framework.TestCase;
import junit.framework.TestSuite;
import org.apache.http.cookie.CookieOrigin;
public class TestPublicSuffixListParser extends TestCase {
private static final String LIST_FILE = "suffixlist.txt";
private PublicSuffixFilter filter;
public TestPublicSuffixListParser(String testName) {
super(testName);
try {
Reader r = new InputStreamReader(getClass().getResourceAsStream(LIST_FILE), "UTF-8");
filter = new PublicSuffixFilter(new RFC2109DomainHandler());
PublicSuffixListParser parser = new PublicSuffixListParser(filter);
parser.parse(r);
} catch (IOException e) {
throw new RuntimeException(e.getMessage(), e);
}
}
public static Test suite() {
return new TestSuite(TestPublicSuffixListParser.class);
}
public static void main(String args[]) {
String[] testCaseName = { TestPublicSuffixListParser.class.getName() };
junit.textui.TestRunner.main(testCaseName);
}
public void testParse() throws Exception {
BasicClientCookie cookie = new BasicClientCookie("name", "value");
cookie.setDomain(".jp");
assertFalse(filter.match(cookie, new CookieOrigin("apache.jp", 80, "/stuff", false)));
cookie.setDomain(".ac.jp");
assertFalse(filter.match(cookie, new CookieOrigin("apache.ac.jp", 80, "/stuff", false)));
cookie.setDomain(".any.tokyo.jp");
assertFalse(filter.match(cookie, new CookieOrigin("apache.any.tokyo.jp", 80, "/stuff", false)));
// exception
cookie.setDomain(".metro.tokyo.jp");
assertTrue(filter.match(cookie, new CookieOrigin("apache.metro.tokyo.jp", 80, "/stuff", false)));
}
public void testUnicode() throws Exception {
BasicClientCookie cookie = new BasicClientCookie("name", "value");
cookie.setDomain(".h\u00E5.no"); // \u00E5 is <aring>
assertFalse(filter.match(cookie, new CookieOrigin("apache.h\u00E5.no", 80, "/stuff", false)));
cookie.setDomain(".xn--h-2fa.no");
assertFalse(filter.match(cookie, new CookieOrigin("apache.xn--h-2fa.no", 80, "/stuff", false)));
cookie.setDomain(".h\u00E5.no");
assertFalse(filter.match(cookie, new CookieOrigin("apache.xn--h-2fa.no", 80, "/stuff", false)));
cookie.setDomain(".xn--h-2fa.no");
assertFalse(filter.match(cookie, new CookieOrigin("apache.h\u00E5.no", 80, "/stuff", false)));
}
public void testWhitespace() throws Exception {
BasicClientCookie cookie = new BasicClientCookie("name", "value");
cookie.setDomain(".xx");
assertFalse(filter.match(cookie, new CookieOrigin("apache.xx", 80, "/stuff", false)));
// yy appears after whitespace
cookie.setDomain(".yy");
assertTrue(filter.match(cookie, new CookieOrigin("apache.yy", 80, "/stuff", false)));
// zz is commented
cookie.setDomain(".zz");
assertTrue(filter.match(cookie, new CookieOrigin("apache.zz", 80, "/stuff", false)));
}
}

View File

@ -0,0 +1,13 @@
jp
ac.jp
*.tokyo.jp
!metro.tokyo.jp
// unicode
no
hå.no
// invalid
xx yy
//zz