From 448d2b5f491067f110e96c4a60342d0c34dd7010 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sun, 25 Oct 2009 18:15:14 +0000 Subject: [PATCH] - Dima Barsky made the curl cookie parser accept cookies even with blank or unparsable expiry dates and then treat them as session cookies - previously libcurl would reject cookies with a date format it couldn't parse. Research shows that the major browser treat such cookies as session cookies. I modified test 8 and 31 to verify this. --- CHANGES | 7 +++++++ RELEASE-NOTES | 3 ++- lib/cookie.c | 7 ++++--- tests/data/test31 | 2 ++ tests/data/test8 | 3 ++- 5 files changed, 17 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index 310512092..ed5e8892f 100644 --- a/CHANGES +++ b/CHANGES @@ -6,6 +6,13 @@ Changelog +Daniel Stenberg (25 Oct 2009) +- Dima Barsky made the curl cookie parser accept cookies even with blank or + unparsable expiry dates and then treat them as session cookies - previously + libcurl would reject cookies with a date format it couldn't parse. Research + shows that the major browser treat such cookies as session cookies. I + modified test 8 and 31 to verify this. + Daniel Stenberg (21 Oct 2009) - Attempt to use pkg-config for finding out libssh2 installation details during configure. diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 775b5fa61..a6049f003 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -41,6 +41,7 @@ This release includes the following bugfixes: o GSS negotiate infinite loop on bad credentials o memory leak in SCP/SFTP connections o use pkg-config to find out libssh2 installation details in configure + o unparsable cookie expire dates make cookies get treated as session coookies This release includes the following known bugs: 
@@ -53,6 +54,6 @@ advice from friends like these: Michal Marek, Eric Wong, Guenter Knauf, Peter Sylvester, Daniel Johnson, Claes Jakobsson, Sven Anders, Chris Mumford, John P. McCaskey, Constantine Sapuntzakis, Michael Stillwell, Tom Mueller, Dan Fandrich, - Kevin Baughman, John Dennis, Ray Dassen, Johan van Selst + Kevin Baughman, John Dennis, Ray Dassen, Johan van Selst, Dima Barsky Thanks! (and sorry if I forgot to mention someone) diff --git a/lib/cookie.c b/lib/cookie.c index d121c0b29..89f90f1d3 100644 --- a/lib/cookie.c +++ b/lib/cookie.c @@ -363,9 +363,8 @@ Curl_cookie_add(struct SessionHandle *data, badcookie = TRUE; break; } - /* Note that we store -1 in 'expires' here if the date couldn't - get parsed for whatever reason. This will have the effect that - the cookie won't match. */ + /* Note that if the date couldn't get parsed for whatever reason, + the cookie will be treated as a session cookie */ co->expires = curl_getdate(what, &now); /* Session cookies have expires set to 0 so if we get that back @@ -373,6 +372,8 @@ Curl_cookie_add(struct SessionHandle *data, non-session cookie */ if (co->expires == 0) co->expires = 1; + else if( co->expires < 0 ) + co->expires = 0; } else if(!co->name) { co->name = strdup(name); diff --git a/tests/data/test31 b/tests/data/test31 index 0432f56f9..d06bc1180 100644 --- a/tests/data/test31 +++ b/tests/data/test31 @@ -27,6 +27,7 @@ Set-Cookie: novalue; domain=reallysilly Set-Cookie: test=yes; domain=foo.com; expires=Sat Feb 2 11:56:27 GMT 2030 Set-Cookie: test2=yes; domain=se; expires=Sat Feb 2 11:56:27 GMT 2030 Set-Cookie: magic=yessir; path=/silly/; HttpOnly +Set-Cookie: blexp=yesyes; domain=.0.0.1; domain=.0.0.1; expiry=totally bad; boo @@ -71,6 +72,7 @@ Accept: */* .127.0.0.1 TRUE / FALSE 0 partmatch present 127.0.0.1 FALSE /we/want/ FALSE 2054030187 nodomain value #HttpOnly_127.0.0.1 FALSE /silly/ FALSE 0 magic yessir +.0.0.1 TRUE /we/want/ FALSE 0 blexp yesyes 
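Review bot: The added `else if( co->expires < 0 )` branch in the second lib/cookie.c hunk turns every negative result of curl_getdate() into a session cookie, so it cannot tell an unparsable date from one that was parsed but could not be represented. If curl_getdate() also returns a negative value for dates before 1970 (not visible here, so this needs checking against the date parser), a server that expires a cookie with such a date, for example on logout, would leave it alive for the rest of the session, where the old code stored -1 so that it never matched. A comment at the branch should state the assumption, e.g. `/* curl_getdate() < 0 is taken as "unparsable": keep as session cookie; a parsed date in the past must not end up here */`, and a test with a well-formed pre-1970 `expires` value would pin the behaviour. The new line is also spaced differently from its neighbours; `else if(co->expires < 0)` would match `else if(!co->name)` just below. Curl_cookie_add starts and ends outside both hunks.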
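Review bot: The new `Set-Cookie: blexp=yesyes; ...; expiry=totally bad; boo` line in tests/data/test31, and the matching line added to tests/data/test8, use the attribute name `expiry`, while the code changed in lib/cookie.c assigns to `co->expires`. The condition that selects that code is outside the visible hunks; if it matches only the name `expires`, these lines are parsed as a cookie with an unknown attribute and both tests would pass with or without the fix. A line such as `Set-Cookie: blexp2=yesyes; domain=.0.0.1; expires=totally bad;` (constructed example), plus one with an empty `expires=`, with matching entries in the expected cookie jar and request header, would exercise the new branch.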
diff --git a/tests/data/test8 b/tests/data/test8 index 959b8807e..6131894fd 100644 --- a/tests/data/test8 +++ b/tests/data/test8 @@ -41,6 +41,7 @@ Set-Cookie: partmatch=present; domain=.0.0.1; path=/; Set-Cookie: duplicate=test; domain=.0.0.1; domain=.0.0.1; path=/donkey; Set-Cookie: cookie=yes; path=/we; Set-Cookie: nocookie=yes; path=/WE; +Set-Cookie: blexp=yesyes; domain=.0.0.1; domain=.0.0.1; expiry=totally bad; @@ -54,7 +55,7 @@ Set-Cookie: nocookie=yes; path=/WE; GET /we/want/8 HTTP/1.1 Host: %HOSTIP:%HTTPPORT Accept: */* -Cookie: cookie=yes; partmatch=present; foobar=name +Cookie: blexp=yesyes; cookie=yes; partmatch=present; foobar=name