mirror of
https://github.com/moparisthebest/curl
synced 2024-12-21 23:58:49 -05:00
cookies: first n/v pair in Set-Cookie: is the cookie, then parameters
RFC 6265 section 4.1.1 spells out that the first name/value pair in the header is the actual cookie name and content, while the following are the parameters. libcurl previously had a more liberal approach which causes significant problems when introducing new cookie parameters, like the suggested new cookie priority draft. The previous logic read all n/v pairs from left-to-right and the first name used that wassn't a known parameter name would be used as the cookie name, thus accepting "Set-Cookie: Max-Age=2; person=daniel" to be a cookie named 'person' while an RFC 6265 compliant parser should consider that to be a cookie named 'Max-Age' with an (unknown) parameter 'person'. Fixes #709
This commit is contained in:
parent
4d4ce84bb3
commit
7f7fcd0d75
19
lib/cookie.c
19
lib/cookie.c
@ -456,7 +456,16 @@ Curl_cookie_add(struct SessionHandle *data,
|
||||
while(*whatptr && ISBLANK(*whatptr))
|
||||
whatptr++;
|
||||
|
||||
if(!len) {
|
||||
if(!co->name && sep) {
|
||||
/* The very first name/value pair is the actual cookie name */
|
||||
co->name = strdup(name);
|
||||
co->value = strdup(whatptr);
|
||||
if(!co->name || !co->value) {
|
||||
badcookie = TRUE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
else if(!len) {
|
||||
/* this was a "<name>=" with no content, and we must allow
|
||||
'secure' and 'httponly' specified this weirdly */
|
||||
done = TRUE;
|
||||
@ -550,14 +559,6 @@ Curl_cookie_add(struct SessionHandle *data,
|
||||
break;
|
||||
}
|
||||
}
|
||||
else if(!co->name) {
|
||||
co->name = strdup(name);
|
||||
co->value = strdup(whatptr);
|
||||
if(!co->name || !co->value) {
|
||||
badcookie = TRUE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
/*
|
||||
else this is the second (or more) name we don't know
|
||||
about! */
|
||||
|
@ -14,7 +14,7 @@ cookies
|
||||
<data>
|
||||
HTTP/1.1 200 OK
|
||||
Date: Tue, 25 Sep 2001 19:37:44 GMT
|
||||
Set-Cookie: domain=.example.fake; bug=fixed;
|
||||
Set-Cookie: bug=fixed; domain=.example.fake;
|
||||
Content-Length: 21
|
||||
|
||||
This server says moo
|
||||
|
@ -11,7 +11,7 @@ cookies
|
||||
<data>
|
||||
HTTP/1.1 200 Mooo swsclose
|
||||
Connection: close
|
||||
Set-Cookie: path=/; thewinneris=nowayyouwin;
|
||||
Set-Cookie: thewinneris=nowayyouwin; path=/;
|
||||
Content-Length: 8
|
||||
|
||||
*flopp*
|
||||
|
Loading…
Reference in New Issue
Block a user