- Dima Barsky made the curl cookie parser accept cookies even with blank or

unparsable expiry dates and then treat them as session cookies - previously
  libcurl would reject cookies with a date format it couldn't parse. Research
  shows that the major browser treat such cookies as session cookies. I
  modified test 8 and 31 to verify this.

CHANGES

@@ -6,6 +6,13 @@
 
                                   Changelog
 
+Daniel Stenberg (25 Oct 2009)
+- Dima Barsky made the curl cookie parser accept cookies even with blank or
+  unparsable expiry dates and then treat them as session cookies - previously
+  libcurl would reject cookies with a date format it couldn't parse. Research
+  shows that the major browser treat such cookies as session cookies. I
+  modified test 8 and 31 to verify this.
+
 Daniel Stenberg (21 Oct 2009)
 - Attempt to use pkg-config for finding out libssh2 installation details
   during configure.

RELEASE-NOTES

@@ -41,6 +41,7 @@ This release includes the following bugfixes:
  o GSS negotiate infinite loop on bad credentials
  o memory leak in SCP/SFTP connections
  o use pkg-config to find out libssh2 installation details in configure
+ o unparsable cookie expire dates make cookies get treated as session coookies
 
 This release includes the following known bugs:
 
@@ -53,6 +54,6 @@ advice from friends like these:
  Michal Marek, Eric Wong, Guenter Knauf, Peter Sylvester, Daniel Johnson,
  Claes Jakobsson, Sven Anders, Chris Mumford, John P. McCaskey,
  Constantine Sapuntzakis, Michael Stillwell, Tom Mueller, Dan Fandrich,
- Kevin Baughman, John Dennis, Ray Dassen, Johan van Selst
+ Kevin Baughman, John Dennis, Ray Dassen, Johan van Selst, Dima Barsky
 
         Thanks! (and sorry if I forgot to mention someone)

lib/cookie.c

@@ -363,9 +363,8 @@ Curl_cookie_add(struct SessionHandle *data,
               badcookie = TRUE;
               break;
             }
-            /* Note that we store -1 in 'expires' here if the date couldn't
+            /* Note that if the date couldn't get parsed for whatever reason,
-               get parsed for whatever reason. This will have the effect that
+               the cookie will be treated as a session cookie */
-               the cookie won't match. */
             co->expires = curl_getdate(what, &now);
 
             /* Session cookies have expires set to 0 so if we get that back
@@ -373,6 +372,8 @@ Curl_cookie_add(struct SessionHandle *data,
                non-session cookie */
             if (co->expires == 0)
               co->expires = 1;
+            else if( co->expires < 0 )
+                co->expires = 0;
           }
           else if(!co->name) {
             co->name = strdup(name);

tests/data/test31

@@ -27,6 +27,7 @@ Set-Cookie: novalue; domain=reallysilly
 Set-Cookie: test=yes; domain=foo.com; expires=Sat Feb 2 11:56:27 GMT 2030
 Set-Cookie: test2=yes; domain=se; expires=Sat Feb 2 11:56:27 GMT 2030
 Set-Cookie: magic=yessir; path=/silly/; HttpOnly
+Set-Cookie: blexp=yesyes; domain=.0.0.1; domain=.0.0.1; expiry=totally bad;
 
 boo
 </data>
@@ -71,6 +72,7 @@ Accept: */*
 .127.0.0.1	TRUE	/	FALSE	0	partmatch	present
 127.0.0.1	FALSE	/we/want/	FALSE	2054030187	nodomain	value
 #HttpOnly_127.0.0.1	FALSE	/silly/	FALSE	0	magic	yessir
+.0.0.1	TRUE	/we/want/	FALSE	0	blexp	yesyes
 </file>
 </verify>
 </testcase>

tests/data/test8

@@ -41,6 +41,7 @@ Set-Cookie: partmatch=present; domain=.0.0.1; path=/;
 Set-Cookie: duplicate=test; domain=.0.0.1; domain=.0.0.1; path=/donkey;
 Set-Cookie: cookie=yes; path=/we;
 Set-Cookie: nocookie=yes; path=/WE;
+Set-Cookie: blexp=yesyes; domain=.0.0.1; domain=.0.0.1; expiry=totally bad;
 
 </file>
 </client>
@@ -54,7 +55,7 @@ Set-Cookie: nocookie=yes; path=/WE;
 GET /we/want/8 HTTP/1.1
 Host: %HOSTIP:%HTTPPORT
 Accept: */*
-Cookie: cookie=yes; partmatch=present; foobar=name
+Cookie: blexp=yesyes; cookie=yes; partmatch=present; foobar=name
 
 </protocol>
 </verify>