moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-11-17 06:55:02 -05:00
Code Issues Releases Wiki Activity

cookies: first n/v pair in Set-Cookie: is the cookie, then parameters

Browse Source 
RFC 6265 section 4.1.1 spells out that the first name/value pair in the
header is the actual cookie name and content, while the following are
the parameters.

libcurl previously had a more liberal approach which causes significant
problems when introducing new cookie parameters, like the suggested new
cookie priority draft.

The previous logic read all n/v pairs from left-to-right and the first
name used that wassn't a known parameter name would be used as the
cookie name, thus accepting "Set-Cookie: Max-Age=2; person=daniel" to be
a cookie named 'person' while an RFC 6265 compliant parser should
consider that to be a cookie named 'Max-Age' with an (unknown) parameter
'person'.

Fixes #709
This commit is contained in:
Daniel Stenberg 2016-03-10 11:20:56 +01:00
parent 4d4ce84bb3
commit 7f7fcd0d75
3 changed files with 12 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
lib/cookie.c
View File

@ -456,7 +456,16 @@ Curl_cookie_add(struct SessionHandle *data,
while(*whatptr && ISBLANK(*whatptr)) while(*whatptr && ISBLANK(*whatptr))
whatptr++; whatptr++;
if(!len) { if(!co->name && sep) {
/* The very first name/value pair is the actual cookie name */
co->name = strdup(name);
co->value = strdup(whatptr);
if(!co->name || !co->value) {
badcookie = TRUE;
break;
}
}
else if(!len) {
/* this was a "<name>=" with no content, and we must allow /* this was a "<name>=" with no content, and we must allow
'secure' and 'httponly' specified this weirdly */ 'secure' and 'httponly' specified this weirdly */
done = TRUE; done = TRUE;
@ -550,14 +559,6 @@ Curl_cookie_add(struct SessionHandle *data,
break; break;
} }
} }
else if(!co->name) {
co->name = strdup(name);
co->value = strdup(whatptr);
if(!co->name || !co->value) {
badcookie = TRUE;
break;
}
}
/* /*
else this is the second (or more) name we don't know else this is the second (or more) name we don't know
about! */ about! */

2
tests/data/test1218
View File

@ -14,7 +14,7 @@ cookies
<data> <data>
HTTP/1.1 200 OK HTTP/1.1 200 OK
Date: Tue, 25 Sep 2001 19:37:44 GMT Date: Tue, 25 Sep 2001 19:37:44 GMT
Set-Cookie: domain=.example.fake; bug=fixed; Set-Cookie: bug=fixed; domain=.example.fake;
Content-Length: 21 Content-Length: 21
This server says moo This server says moo

2
tests/data/test27
View File

@ -11,7 +11,7 @@ cookies
<data> <data>
HTTP/1.1 200 Mooo swsclose HTTP/1.1 200 Mooo swsclose
Connection: close Connection: close
Set-Cookie: path=/; thewinneris=nowayyouwin; Set-Cookie: thewinneris=nowayyouwin; path=/;
Content-Length: 8 Content-Length: 8
*flopp* *flopp*