curl/tests/data/test8, branch master cURL mirror with patches applied Revert "cookies: extend domain checks to non psl builds" 2019-03-09T11:59:20+00:00 Daniel Stenberg daniel@haxx.se 2019-03-08T15:55:27+00:00 299d9660f85b7dbc1613931b35e0c5cdf856bf44 This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0. Regression shipped in 7.64.0 Fixes #3649 
This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0.

Regression shipped in 7.64.0
Fixes #3649
cookies: extend domain checks to non psl builds 2018-12-19T19:59:09+00:00 Daniel Gustafsson daniel@yesql.se 2018-12-19T19:59:09+00:00 3773de378d48b06c09931e44dca4d274d0bfdce0 Ensure to perform the checks we have to enforce a sane domain in the cookie request. The check for non-PSL enabled builds is quite basic but it's better than nothing. Closes #2964 Reviewed-by: Daniel Stenberg <daniel@haxx.se> 
Ensure to perform the checks we have to enforce a sane domain in
the cookie request. The check for non-PSL enabled builds is quite
basic but it's better than nothing.

Closes #2964
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
cookies: support creation-time attribute for cookies 2018-08-31T12:11:37+00:00 Daniel Gustafsson daniel@yesql.se 2018-08-28T09:28:50+00:00 e2ef8d6fa11b2345e10b89db525920f2a0d5fd79 According to RFC6265 section 5.4, cookies with equal path lengths SHOULD be sorted by creation-time (earlier first). This adds a creation-time record to the cookie struct in order to make cookie sorting more deterministic. The creation-time is defined as the order of the cookies in the jar, the first cookie read fro the jar being the oldest. The creation-time is thus not serialized into the jar. Also remove the strcmp() matching in the sorting as there is no lexicographic ordering in RFC6265. Existing tests are updated to match. Closes #2524 
According to RFC6265 section 5.4, cookies with equal path lengths
SHOULD be sorted by creation-time (earlier first). This adds a
creation-time record to the cookie struct in order to make cookie
sorting more deterministic. The creation-time is defined as the
order of the cookies in the jar, the first cookie read fro the
jar being the oldest. The creation-time is thus not serialized
into the jar. Also remove the strcmp() matching in the sorting as
there is no lexicographic ordering in RFC6265. Existing tests are
updated to match.

Closes #2524
cookies: allow spaces in cookie names, cut of trailing spaces 2016-02-08T14:49:54+00:00 Daniel Stenberg daniel@haxx.se 2016-02-08T14:48:18+00:00 18c735e790e47a1199f9dd71a01aa9847d6474b1 It turns out Firefox and Chrome both allow spaces in cookie names and there are sites out there using that. Turned out the code meant to strip off trailing space from cookie names didn't work. Fixed now. Test case 8 modified to verify both these changes. Closes #639 
It turns out Firefox and Chrome both allow spaces in cookie names and
there are sites out there using that.

Turned out the code meant to strip off trailing space from cookie names
didn't work. Fixed now.

Test case 8 modified to verify both these changes.

Closes #639
cookies: only use full host matches for hosts used as IP address 2014-09-10T05:32:36+00:00 Tim Ruehsen tim.ruehsen@gmx.de 2014-08-19T19:01:28+00:00 8a75dbeb2305297640453029b7905ef51b87e8dd By not detecting and rejecting domain names for partial literal IP addresses properly when parsing received HTTP cookies, libcurl can be fooled to both send cookies to wrong sites and to allow arbitrary sites to set cookies for others. CVE-2014-3613 Bug: http://curl.haxx.se/docs/adv_20140910A.html 
By not detecting and rejecting domain names for partial literal IP
addresses properly when parsing received HTTP cookies, libcurl can be
fooled to both send cookies to wrong sites and to allow arbitrary sites
to set cookies for others.

CVE-2014-3613

Bug: http://curl.haxx.se/docs/adv_20140910A.html
cookies: only consider full path matches 2013-05-18T20:54:48+00:00 YAMADA Yasuharu yasuharu.yamada@access-company.com 2013-05-18T20:51:31+00:00 04f52e9b4db01bcbf672c9c69303a4e4ad0d0fb9 I found a bug which cURL sends cookies to the path not to aim at. For example: - cURL sends a request to http://example.fake/hoge/ - server returns cookie which with path=/hoge; the point is there is NOT the '/' end of path string. - cURL sends a request to http://example.fake/hogege/ with the cookie. The reason for this old "feature" is because that behavior is what is described in the original netscape cookie spec: http://curl.haxx.se/rfc/cookie_spec.html The current cookie spec (RFC6265) clarifies the situation: http://tools.ietf.org/html/rfc6265#section-5.2.4 
I found a bug which cURL sends cookies to the path not to aim at.
For example:
- cURL sends a request to http://example.fake/hoge/
- server returns cookie which with path=/hoge;
  the point is there is NOT the '/' end of path string.
- cURL sends a request to http://example.fake/hogege/ with the cookie.

The reason for this old "feature" is because that behavior is what is
described in the original netscape cookie spec:
http://curl.haxx.se/rfc/cookie_spec.html

The current cookie spec (RFC6265) clarifies the situation:
http://tools.ietf.org/html/rfc6265#section-5.2.4
Let test 8 work as long as %HOSTIP ends with ".0.0.1" 2012-11-19T09:58:14+00:00 Fabian Keil fk@fabiankeil.de 2012-11-15T13:02:21+00:00 1b10dd7aaecae14003c26445d2f36af053ca373d .. and add a precheck to skip the test otherwise. 
.. and add a precheck to skip the test otherwise.
cookies with same path length might get sorted in different order when 2010-02-03T01:53:47+00:00 Yang Tse yangsita@gmail.com 2010-02-03T01:53:47+00:00 013ec6a92f0d19a546afb10ffdf5b99fb38822de using different qsort implementations. In order to make this test give same results on different systems, paths now have different lengths. 
using different qsort implementations. In order to make this test give
same results on different systems, paths now have different lengths.
modified test case 8 to also make sure that we deal with cookies using 2010-01-20T09:39:40+00:00 Daniel Stenberg daniel@haxx.se 2010-01-20T09:39:40+00:00 48032c0880454e45f670700d2cf949c0dd416512 identical names but different paths properly 
identical names but different paths properly
- As was pointed out on the http-state mailing list, the order of cookies in a 2010-01-19T23:19:59+00:00 Daniel Stenberg daniel@haxx.se 2010-01-19T23:19:59+00:00 877dad1e24876030a7dd8738648f0f0245b6331a HTTP Cookie: header _needs_ to be sorted on the path length in the cases where two cookies using the same name are set more than once using (overlapping) paths. Realizing this, identically named cookies must be sorted correctly. But detecting only identically named cookies and take care of them individually is harder than just to blindly and unconditionally sort all cookies based on their path lengths. All major browsers also already do this, so this makes our behavior one step closer to them in the cookie area. Test case 8 was the only one that broke due to this change and I updated it accordingly. 
  HTTP Cookie: header _needs_ to be sorted on the path length in the cases
  where two cookies using the same name are set more than once using
  (overlapping) paths. Realizing this, identically named cookies must be
  sorted correctly. But detecting only identically named cookies and take care
  of them individually is harder than just to blindly and unconditionally sort
  all cookies based on their path lengths. All major browsers also already do
  this, so this makes our behavior one step closer to them in the cookie area.

  Test case 8 was the only one that broke due to this change and I updated it
  accordingly.