From 242d1d8ebaee9e519eddc11c6af2666679e76d8c Mon Sep 17 00:00:00 2001 From: Daniel La Rocque Date: Fri, 5 Jan 2024 09:56:14 -0500 Subject: [PATCH] LibWeb: Fail to parse cookie date when date does not exist Previously, the cookie date validation did not validate days in the context of the month and year, resulting in dates that do not exist to be successfully parsed (e.g. February 31st). We now validate that the day does not exceed the number of days for the given month and year, taking leap years into account. --- Base/res/html/misc/cookie.html | 2 ++ Userland/Libraries/LibWeb/Cookie/ParsedCookie.cpp | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/Base/res/html/misc/cookie.html b/Base/res/html/misc/cookie.html index 3ab6fb7721..f4a5cf4ab1 100644 --- a/Base/res/html/misc/cookie.html +++ b/Base/res/html/misc/cookie.html @@ -22,6 +22,8 @@
+
+

Unretrievable cookies (the browser should accept these but not display them):

diff --git a/Userland/Libraries/LibWeb/Cookie/ParsedCookie.cpp b/Userland/Libraries/LibWeb/Cookie/ParsedCookie.cpp index 3729947ab3..2c171c377b 100644 --- a/Userland/Libraries/LibWeb/Cookie/ParsedCookie.cpp +++ b/Userland/Libraries/LibWeb/Cookie/ParsedCookie.cpp @@ -345,7 +345,9 @@ Optional parse_date_time(StringView date_string) // 6. Let the parsed-cookie-date be the date whose day-of-month, month, year, hour, minute, and second (in UTC) are the // day-of-month-value, the month-value, the year-value, the hour-value, the minute-value, and the second-value, respectively. // If no such date exists, abort these steps and fail to parse the cookie-date. - // FIXME: Fail on dates that do not exist. + if (day_of_month > static_cast(days_in_month(year, month))) + return {}; + // FIXME: This currently uses UNIX time, which is not equivalent to UTC due to leap seconds. auto parsed_cookie_date = UnixDateTime::from_unix_time_parts(year, month, day_of_month, hour, minute, second, 0);
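Review bot: in Base/res/html/misc/cookie.html, the only coverage for this change is the two lines added to the manual test page, while the commit message specifically calls out leap-year handling. Please make sure the cases include February 29 in both a leap year and a non-leap year alongside February 31. An automated test that calls parse_date_time directly would also help, since a regression in this check would otherwise go unnoticed until someone reloads the page by hand.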
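Review bot: in parse_date_time, the new guard `if (day_of_month > static_cast(days_in_month(year, month)))` only bounds the day from above and hands year and month straight to days_in_month. It is therefore correct only if month is already known to be a valid month and day_of_month is already known to be at least 1 when step 6 is reached. Those earlier checks are outside the context shown in this hunk, so please confirm they run before this line, or state the precondition in a short comment next to the new check. It would also help to extend the step 6 comment to say that the check covers month length and leap years, since the FIXME it replaces was the only marker for this case.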