mirror of https://github.com/moparisthebest/curl synced 2024-11-14 05:25:06 -05:00
curl/tests/data/test61
Daniel Stenberg 49465fffdb cookies: tricked dotcounter fixed
Providing multiple dots in a series in the domain field (domain=..com) could
trick the cookie engine to wrongly accept the cookie believing it to be
fine. Since the tailmatching would then match all .com sites, the cookie would
then be sent to all of them.

The code now requires at least one letter between each dot for them to be
counted. Edited test case 61 to verify this.
2010-12-23 22:52:32 +01:00

<testcase>
<info>
<keywords>
HTTP
HTTP GET
cookies
cookiejar
HTTP replaced headers
httponly
</keywords>
</info>
# Server-side
<reply>
<data>
HTTP/1.1 200 OK
Date: Thu, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake
Content-Type: text/html
Funny-head: yesyes
Set-Cookie: test=yes; httponly; domain=foo.com; expires=Fri Feb 2 11:56:27 GMT 2035
SET-COOKIE: test2=yes; domain=host.foo.com; expires=Fri Feb 2 11:56:27 GMT 2035
Set-Cookie: test3=maybe; domain=foo.com; path=/moo; secure
Set-Cookie: test4=no; domain=nope.foo.com; path=/moo; secure
Set-Cookie: test5=name; domain=anything.com; path=/ ; secure
Set-Cookie: fake=fooledyou; domain=..com; path=/;
Content-Length: 4
boo
</data>
</reply>
# Client-side
<client>
<server>
http
</server>
<name>
HTTP with various cookies and custom Host:
</name>
# Explicitly set the time zone to a known good one, in case the user is
# using one of the 'right' zones that take into account leap seconds
# which causes the cookie expiry times to be different.
<setenv>
TZ=GMT
</setenv>
<command>
http://%HOSTIP:%HTTPPORT/we/want/61 -c log/jar61.txt -H "Host: www.host.foo.com"
</command>
</client>
# Verify data after the test has been "shot"
<verify>
<strip>
^User-Agent:.*
</strip>
<protocol>
GET /we/want/61 HTTP/1.1
Accept: */*
Host: www.host.foo.com
</protocol>
<file name="log/jar61.txt" mode="text">
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
#HttpOnly_.foo.com	TRUE	/we/want/	FALSE	2054030187	test	yes
.host.foo.com	TRUE	/we/want/	FALSE	2054030187	test2	yes
.foo.com	TRUE	/moo	TRUE	0	test3	maybe
</file>
</verify>
</testcase>
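The check the commit message describes, as an added example that is not curl's own code: a small C program contrasting the old dot counting with the corrected one, run over the Domain attributes from the Set-Cookie lines of this test against the `www.host.foo.com` host the test sends. The function names, the plain case-insensitive suffix tail-match and the convention of storing the accepted domain minus one leading dot are assumptions made for this example, not details taken from curl's cookie engine.

```c
/* Added example, not curl's own code: a reconstruction of the dot-counting
   check described in the commit message, showing why "domain=..com" slipped
   through and why requiring a label between dots stops it. Function names
   and the stored-domain convention are this example's assumptions.
   Build: cc -std=c99 -Wall dotcount.c && ./a.out */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Old behaviour: every '.' after the (optional, implied) leading dot is
   counted, so "..com" looks as if it had a label before its second dot. */
static int count_dots_naive(const char *domain)
{
    int dots = 1;                 /* the leading dot is assumed present */
    if (*domain == '.')
        domain++;
    for (; *domain; domain++)
        if (*domain == '.')
            dots++;
    return dots;
}

/* Fixed behaviour: a dot is counted only when at least one character sits
   between it and the previous dot, i.e. it terminates a non-empty label. */
static int count_dots_fixed(const char *domain)
{
    int dots = 1;
    const char *p = domain;
    if (*p == '.')
        p++;
    for (;;) {
        const char *next = strchr(p, '.');
        if (!next)
            break;
        if (next != p)            /* non-empty label before this dot */
            dots++;
        p = next + 1;
    }
    return dots;
}

/* Case-insensitive suffix match, the "tailmatching" the commit message
   refers to: ".com" tail-matches every host that ends in ".com". */
static bool tailmatch(const char *domain, const char *host)
{
    size_t dl = strlen(domain), hl = strlen(host);
    if (dl > hl)
        return false;
    host += hl - dl;
    for (; *domain; domain++, host++)
        if (tolower((unsigned char)*domain) != tolower((unsigned char)*host))
            return false;
    return true;
}

/* Decide whether a Set-Cookie Domain attribute may be accepted for a
   response from host. On acceptance the domain, minus one leading dot, is
   copied to stored: the form later tail-matched against request hosts.
   fixed selects the corrected counter. */
static bool accept_domain(const char *domain, const char *host, bool fixed,
                          char *stored, size_t stored_len)
{
    int dots = fixed ? count_dots_fixed(domain) : count_dots_naive(domain);
    const char *d = (*domain == '.') ? domain + 1 : domain;

    if (dots < 2)                 /* need at least something.tld */
        return false;
    if (!tailmatch(d, host))      /* the host must lie within the domain */
        return false;
    snprintf(stored, stored_len, "%s", d);
    return true;
}

/* Constructed input: the request host the test sets with
   -H "Host: www.host.foo.com" and the Domain attributes from its reply. */
static const char *const HOST = "www.host.foo.com";
static const char *const DOMAINS[] = {
    "foo.com", "host.foo.com", "nope.foo.com", "anything.com", "..com"
};

/* Demo wrapper: the stored domain when the attribute is accepted for HOST,
   NULL when it is rejected. */
static const char *decide(const char *domain, bool fixed)
{
    static char stored[64];
    return accept_domain(domain, HOST, fixed, stored, sizeof stored) ? stored : NULL;
}

int main(void)
{
    for (size_t i = 0; i < sizeof DOMAINS / sizeof DOMAINS[0]; i++) {
        const char *naive_ok = decide(DOMAINS[i], false);
        printf("domain=%-13s naive:%-4s fixed:%s\n", DOMAINS[i],
               naive_ok ? "yes" : "no", decide(DOMAINS[i], true) ? "yes" : "no");
    }
    /* The naive path stores ".com" for "..com", which then tail-matches
       hosts that have nothing to do with foo.com. */
    const char *leaked = decide("..com", false);
    if (leaked)
        printf("naive stored \"%s\"; sent to www.example.com: %s\n", leaked,
               tailmatch(leaked, "www.example.com") ? "yes" : "no");
    return 0;
}
```

Under the naive counter `..com` yields two dots, tail-matches the host and is stored as `.com`, which then matches any host ending in `.com`; the fixed counter credits no dot for the empty label, so the count stays at one and the cookie is refused. The other rejections (`nope.foo.com`, `anything.com`) come from the tail-match, not the counter, which is why the jar the test expects holds only test, test2 and test3.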