cookies: first n/v pair in Set-Cookie: is the cookie, then parameters

RFC 6265 section 4.1.1 spells out that the first name/value pair in the header is the actual cookie name and content, while the following are the parameters. libcurl previously had a more liberal approach which causes significant problems when introducing new cookie parameters, like the suggested new cookie priority draft. The previous logic read all n/v pairs from left-to-right and the first name used that wassn't a known parameter name would be used as the cookie name, thus accepting "Set-Cookie: Max-Age=2; person=daniel" to be a cookie named 'person' while an RFC 6265 compliant parser should consider that to be a cookie named 'Max-Age' with an (unknown) parameter 'person'. Fixes #709
2024-11-17 06:55:02 -05:00 · 2016-03-10 11:20:56 +01:00 · 2016-03-10 11:20:56 +01:00 · 7f7fcd0d75
commit 7f7fcd0d75
parent 4d4ce84bb3
3 changed files with 12 additions and 11 deletions
--- a/lib/cookie.c
+++ b/lib/cookie.c
@ -456,7 +456,16 @@ Curl_cookie_add(struct SessionHandle *data,
        while(*whatptr && ISBLANK(*whatptr))
          whatptr++;

-        if(!len) {
+        if(!co->name && sep) {
+          /* The very first name/value pair is the actual cookie name */
+          co->name = strdup(name);
+          co->value = strdup(whatptr);
+          if(!co->name || !co->value) {
+            badcookie = TRUE;
+            break;
+          }
+        }
+        else if(!len) {
          /* this was a "<name>=" with no content, and we must allow
             'secure' and 'httponly' specified this weirdly */
          done = TRUE;
@ -550,14 +559,6 @@ Curl_cookie_add(struct SessionHandle *data,
            break;
          }
        }
-        else if(!co->name) {
-          co->name = strdup(name);
-          co->value = strdup(whatptr);
-          if(!co->name || !co->value) {
-            badcookie = TRUE;
-            break;
-          }
-        }
        /*
          else this is the second (or more) name we don't know
          about! */
--- a/tests/data/test1218
+++ b/tests/data/test1218
@ -14,7 +14,7 @@ cookies
 <data>
 HTTP/1.1 200 OK
 Date: Tue, 25 Sep 2001 19:37:44 GMT
-Set-Cookie: domain=.example.fake; bug=fixed;
+Set-Cookie: bug=fixed; domain=.example.fake;
 Content-Length: 21

 This server says moo
--- a/tests/data/test27
+++ b/tests/data/test27
@ -11,7 +11,7 @@ cookies
 <data>
 HTTP/1.1 200 Mooo swsclose
 Connection: close
-Set-Cookie: path=/; thewinneris=nowayyouwin;
+Set-Cookie: thewinneris=nowayyouwin; path=/;
 Content-Length: 8

 *flopp*