curl/tests/data/test61, branch gemini-meta cURL mirror with patches applied tests: allow tests to pass by 2037-02-12 2019-01-08T09:36:49+00:00 Bernhard M. Wiedemann bwiedemann@suse.de 2019-01-07T15:23:04+00:00 114a02c75b702e98abf6328271bc76863c67b931 similar to commit f508d29f3902104018 Closes #3443 
similar to commit f508d29f3902104018

Closes #3443
cookies: leave secure cookies alone 2018-12-13T08:57:58+00:00 Daniel Gustafsson daniel@yesql.se 2018-12-13T08:57:58+00:00 7a09b52c98ac8d840a8a9907b1a1d9a9e684bcf5 Only allow secure origins to be able to write cookies with the 'secure' flag set. This reduces the risk of non-secure origins to influence the state of secure origins. This implements IETF Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates RFC6265. Closes #2956 Reviewed-by: Daniel Stenberg <daniel@haxx.se> 
Only allow secure origins to be able to write cookies with the
'secure' flag set. This reduces the risk of non-secure origins
to influence the state of secure origins. This implements IETF
Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates
RFC6265.

Closes #2956
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
cookies: support creation-time attribute for cookies 2018-08-31T12:11:37+00:00 Daniel Gustafsson daniel@yesql.se 2018-08-28T09:28:50+00:00 e2ef8d6fa11b2345e10b89db525920f2a0d5fd79 According to RFC6265 section 5.4, cookies with equal path lengths SHOULD be sorted by creation-time (earlier first). This adds a creation-time record to the cookie struct in order to make cookie sorting more deterministic. The creation-time is defined as the order of the cookies in the jar, the first cookie read fro the jar being the oldest. The creation-time is thus not serialized into the jar. Also remove the strcmp() matching in the sorting as there is no lexicographic ordering in RFC6265. Existing tests are updated to match. Closes #2524 
According to RFC6265 section 5.4, cookies with equal path lengths
SHOULD be sorted by creation-time (earlier first). This adds a
creation-time record to the cookie struct in order to make cookie
sorting more deterministic. The creation-time is defined as the
order of the cookies in the jar, the first cookie read fro the
jar being the oldest. The creation-time is thus not serialized
into the jar. Also remove the strcmp() matching in the sorting as
there is no lexicographic ordering in RFC6265. Existing tests are
updated to match.

Closes #2524
URLs: change all http:// URLs to https:// 2016-02-02T23:19:02+00:00 Daniel Stenberg daniel@haxx.se 2016-02-02T23:19:02+00:00 4af40b3646d3b09f68e419f7ca866ff395d1f897 






http: always send Host: header as first header
2015-03-12T11:15:24+00:00

Daniel Stenberg
daniel@haxx.se

2015-03-11T23:50:46+00:00

a5d994941c2b19a3c63402caa064c9683647de05

...after the method line:

 "Since the Host field-value is critical information for handling a
 request, a user agent SHOULD generate Host as the first header field
 following the request-line." / RFC 7230 section 5.4

Additionally, this will also make libcurl ignore multiple specified
custom Host: headers and only use the first one. Test 1121 has been
updated accordingly

Bug: http://curl.haxx.se/bug/view.cgi?id=1491
Reported-by: Rainer Canavan





...after the method line:

 "Since the Host field-value is critical information for handling a
 request, a user agent SHOULD generate Host as the first header field
 following the request-line." / RFC 7230 section 5.4

Additionally, this will also make libcurl ignore multiple specified
custom Host: headers and only use the first one. Test 1121 has been
updated accordingly

Bug: http://curl.haxx.se/bug/view.cgi?id=1491
Reported-by: Rainer Canavan







cookies: reject incoming cookies set for TLDs
2014-09-10T05:32:36+00:00

Daniel Stenberg
daniel@haxx.se

2014-08-19T19:11:20+00:00

a76825a5efa6b41d3a1d4f275dada2f017f6f566

Test 61 was modified to verify this.

CVE-2014-3620

Reported-by: Tim Ruehsen
URL: http://curl.haxx.se/docs/adv_20140910B.html





Test 61 was modified to verify this.

CVE-2014-3620

Reported-by: Tim Ruehsen
URL: http://curl.haxx.se/docs/adv_20140910B.html







cookies: change the URL in the cookie jar file header
2012-07-03T09:27:45+00:00

Daniel Stenberg
daniel@haxx.se

2012-07-03T09:27:45+00:00

c75ece44423b0eb4f0fdac13c6760d17c4200ade












cookies: tricked dotcounter fixed
2010-12-23T21:52:32+00:00

Daniel Stenberg
daniel@haxx.se

2010-12-23T21:52:32+00:00

49465fffdb37b91ee5a0ad2601ea9657e5cd8915

Providing multiple dots in a series in the domain field (domain=..com) could
trick the cookie engine to wrongly accept the cookie believing it to be
fine. Since the tailmatching would then match all .com sites, the cookie would
then be sent to all of them.

The code now requires at least one letter between each dot for them to be
counted. Edited test case 61 to verify this.





Providing multiple dots in a series in the domain field (domain=..com) could
trick the cookie engine to wrongly accept the cookie believing it to be
fine. Since the tailmatching would then match all .com sites, the cookie would
then be sent to all of them.

The code now requires at least one letter between each dot for them to be
counted. Edited test case 61 to verify this.







made the cookie tests 61 and 62 test httponly cookies, both receiving in
2009-05-10T18:02:37+00:00

Daniel Stenberg
daniel@haxx.se

2009-05-10T18:02:37+00:00

c0b5d378dc84ba7fc89bf16f9a92bf9bd32943de

headers and reading from cookie-jar





headers and reading from cookie-jar







Tweaked a few tests to test proper Turkish locale handling
2008-10-23T01:53:27+00:00

Dan Fandrich
dan@coneharvesters.com

2008-10-23T01:53:27+00:00

9391d980c3e0e4182e978ef8a5a12a1c0ed32017