CreateSanitizedCookie: make IPv6 domain comparison case insensitive

The canonicalization of file URLs effectively lowercases IPv6 addresses. This confuses GetCookieDomainWithString; when it determines the host is an IP address, it checks whether the specified domain is an exact match to the URL's host. This exact string match works fine for IPv4 addresses, because lowercasing them has no effect. Suppose the URL is "file://[A::]" and the domain is "[A::]". Because the URL's host was canonicalized as "[a::]", the exact match will fail. The reason the linked Clusterfuzz bug only reproduced on Windows is that it relies on Windows-specific behavior that turns URLs that resemble UNC paths (prefixed with two backslashes) into file URLs. Bug: 986675 Change-Id: I66b81dcd499a36132bdf39e42479425e427f0c4c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1726989Reviewed-by: Maks Orlovich <morlovich@chromium.org> Commit-Queue: Dan McArdle <dmcardle@chromium.org> Cr-Commit-Position: refs/heads/master@{#685320}

CreateSanitizedCookie: make IPv6 domain comparison case insensitive
The canonicalization of file URLs effectively lowercases IPv6 addresses. This confuses GetCookieDomainWithString; when it determines the host is an IP address, it checks whether the specified domain is an exact match to the URL's host. This exact string match works fine for IPv4 addresses, because lowercasing them has no effect. Suppose the URL is "file://[A::]" and the domain is "[A::]". Because the URL's host was canonicalized as "[a::]", the exact match will fail. The reason the linked Clusterfuzz bug only reproduced on Windows is that it relies on Windows-specific behavior that turns URLs that resemble UNC paths (prefixed with two backslashes) into file URLs. Bug: 986675 Change-Id: I66b81dcd499a36132bdf39e42479425e427f0c4c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1726989Reviewed-by: Maks Orlovich <morlovich@chromium.org> Commit-Queue: Dan McArdle <dmcardle@chromium.org> Cr-Commit-Position: refs/heads/master@{#685320}
1921d847 · Daniel McArdle · Commit Bot · 6196169d · 1921d847 · 1921d847
Commit 1921d847 authored Aug 08, 2019 by Daniel McArdle Committed by Commit Bot Aug 08, 2019
3 changed files
--- a/net/cookies/canonical_cookie.cc
+++ b/net/cookies/canonical_cookie.cc
@@ -494,6 +494,7 @@ bool CanonicalCookie::IsCanonical() const {

  url::CanonHostInfo canon_host_info;
  std::string canonical_domain(CanonicalizeHost(domain_, &canon_host_info));
+
  // TODO(rdsmith): This specifically allows for empty domains.  The spec
  // suggests this is invalid (if a domain attribute is empty, the cookie's
  // domain is set to the canonicalized request host; see

--- a/net/cookies/canonical_cookie_unittest.cc
+++ b/net/cookies/canonical_cookie_unittest.cc
@@ -7,6 +7,7 @@
 #include "base/optional.h"
 #include "base/test/metrics/histogram_tester.h"
 #include "base/test/scoped_feature_list.h"
+#include "build/build_config.h"
 #include "net/base/features.h"
 #include "net/cookies/cookie_constants.h"
 #include "net/cookies/cookie_options.h"
@@ -1764,6 +1765,28 @@ TEST(CanonicalCookieTest, CreateSanitizedCookie_Logic) {
      base::Time(), base::Time(), base::Time(), false /*secure*/,
      false /*httponly*/, CookieSameSite::NO_RESTRICTION,
      COOKIE_PRIORITY_DEFAULT));
+
+  // Check that a file URL with an IPv6 host, and matching IPv6 domain, are
+  // valid.
+  EXPECT_TRUE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("file://[A::]"), std::string(), std::string(), "[A::]", "",
+      base::Time(), base::Time(), base::Time(), false /*secure*/,
+      false /*httponly*/, CookieSameSite::NO_RESTRICTION,
+      COOKIE_PRIORITY_DEFAULT));
+
+  // On Windows, URLs beginning with two backslashes are considered file
+  // URLs. On other platforms, they are invalid.
+  auto double_backslash_ipv6_cookie = CanonicalCookie::CreateSanitizedCookie(
+      GURL("\\\\[A::]"), std::string(), std::string(), "[A::]", "",
+      base::Time(), base::Time(), base::Time(), false /*secure*/,
+      false /*httponly*/, CookieSameSite::NO_RESTRICTION,
+      COOKIE_PRIORITY_DEFAULT);
+#if defined(OS_WIN)
+  EXPECT_TRUE(double_backslash_ipv6_cookie);
+  EXPECT_TRUE(double_backslash_ipv6_cookie->IsCanonical());
+#else
+  EXPECT_FALSE(double_backslash_ipv6_cookie);
+#endif
 }

 TEST(CanonicalCookieTest, IsSetPermittedInContext) {

--- a/net/cookies/cookie_util.cc
+++ b/net/cookies/cookie_util.cc
@@ -122,11 +122,14 @@ bool GetCookieDomainWithString(const GURL& url,
                               std::string* result) {
  const std::string url_host(url.host());

+  url::CanonHostInfo ignored;
+  std::string cookie_domain(CanonicalizeHost(domain_string, &ignored));
+
  // If no domain was specified in the domain string, default to a host cookie.
  // We match IE/Firefox in allowing a domain=IPADDR if it matches the url
  // ip address hostname exactly.  It should be treated as a host cookie.
  if (domain_string.empty() ||
-      (url.HostIsIPAddress() && url_host == domain_string)) {
+      (url.HostIsIPAddress() && url_host == cookie_domain)) {
    *result = url_host;
    DCHECK(DomainIsHostOnly(*result));
    return true;
@@ -139,8 +142,6 @@ bool GetCookieDomainWithString(const GURL& url,
  }

  // Get the normalized domain specified in cookie line.
-  url::CanonHostInfo ignored;
-  std::string cookie_domain(CanonicalizeHost(domain_string, &ignored));
  if (cookie_domain.empty())
    return false;
  if (cookie_domain[0] != '.')