field | value | date |
---|---|---|
author | Daniel Stenberg <daniel@haxx.se> | 2009-10-25 18:15:14 +0000 |
committer | Daniel Stenberg <daniel@haxx.se> | 2009-10-25 18:15:14 +0000 |
commit | 448d2b5f491067f110e96c4a60342d0c34dd7010 | |
tree | b54da8c69276d819718665cec680bcc1ee6ef5f4 | |
parent | 7867d442514ca2da5f33bc928fa37c442085ade3 | |

- Dima Barsky made the curl cookie parser accept cookies even with blank or
unparsable expiry dates and then treat them as session cookies - previously
libcurl would reject cookies with a date format it couldn't parse. Research
shows that the major browsers treat such cookies as session cookies. I
modified test 8 and 31 to verify this.

-rw-r--r-- | CHANGES | 7 |
-rw-r--r-- | RELEASE-NOTES | 3 |
-rw-r--r-- | lib/cookie.c | 7 |
-rw-r--r-- | tests/data/test31 | 2 |
-rw-r--r-- | tests/data/test8 | 3 |

5 files changed, 17 insertions, 5 deletions
@@ -6,6 +6,13 @@ Changelog +Daniel Stenberg (25 Oct 2009) +- Dima Barsky made the curl cookie parser accept cookies even with blank or + unparsable expiry dates and then treat them as session cookies - previously + libcurl would reject cookies with a date format it couldn't parse. Research + shows that the major browser treat such cookies as session cookies. I + modified test 8 and 31 to verify this. + Daniel Stenberg (21 Oct 2009) - Attempt to use pkg-config for finding out libssh2 installation details during configure. diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 775b5fa61..a6049f003 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -41,6 +41,7 @@ This release includes the following bugfixes: o GSS negotiate infinite loop on bad credentials o memory leak in SCP/SFTP connections o use pkg-config to find out libssh2 installation details in configure + o unparsable cookie expire dates make cookies get treated as session coookies This release includes the following known bugs: @@ -53,6 +54,6 @@ advice from friends like these: Michal Marek, Eric Wong, Guenter Knauf, Peter Sylvester, Daniel Johnson, Claes Jakobsson, Sven Anders, Chris Mumford, John P. McCaskey, Constantine Sapuntzakis, Michael Stillwell, Tom Mueller, Dan Fandrich, - Kevin Baughman, John Dennis, Ray Dassen, Johan van Selst + Kevin Baughman, John Dennis, Ray Dassen, Johan van Selst, Dima Barsky Thanks! (and sorry if I forgot to mention someone) diff --git a/lib/cookie.c b/lib/cookie.c index d121c0b29..89f90f1d3 100644 --- a/lib/cookie.c +++ b/lib/cookie.c 
@@ -363,9 +363,8 @@ Curl_cookie_add(struct SessionHandle *data, badcookie = TRUE; break; } - /* Note that we store -1 in 'expires' here if the date couldn't - get parsed for whatever reason. This will have the effect that - the cookie won't match. */ + /* Note that if the date couldn't get parsed for whatever reason, + the cookie will be treated as a session cookie */ co->expires = curl_getdate(what, &now); /* Session cookies have expires set to 0 so if we get that back @@ -373,6 +372,8 @@ Curl_cookie_add(struct SessionHandle *data, non-session cookie */ if (co->expires == 0) co->expires = 1; + else if( co->expires < 0 ) + co->expires = 0; } else if(!co->name) { co->name = strdup(name); diff --git a/tests/data/test31 b/tests/data/test31 index 0432f56f9..d06bc1180 100644 --- a/tests/data/test31 +++ b/tests/data/test31 @@ -27,6 +27,7 @@ Set-Cookie: novalue; domain=reallysilly Set-Cookie: test=yes; domain=foo.com; expires=Sat Feb 2 11:56:27 GMT 2030
Set-Cookie: test2=yes; domain=se; expires=Sat Feb 2 11:56:27 GMT 2030
Set-Cookie: magic=yessir; path=/silly/; HttpOnly
+Set-Cookie: blexp=yesyes; domain=.0.0.1; domain=.0.0.1; expiry=totally bad; boo </data> @@ -71,6 +72,7 @@ Accept: */* .127.0.0.1 TRUE / FALSE 0 partmatch present 127.0.0.1 FALSE /we/want/ FALSE 2054030187 nodomain value #HttpOnly_127.0.0.1 FALSE /silly/ FALSE 0 magic yessir +.0.0.1 TRUE /we/want/ FALSE 0 blexp yesyes </file> </verify> </testcase> diff --git a/tests/data/test8 b/tests/data/test8 index 959b8807e..6131894fd 100644 --- a/tests/data/test8 +++ b/tests/data/test8 @@ -41,6 +41,7 @@ Set-Cookie: partmatch=present; domain=.0.0.1; path=/; Set-Cookie: duplicate=test; domain=.0.0.1; domain=.0.0.1; path=/donkey; Set-Cookie: cookie=yes; path=/we; Set-Cookie: nocookie=yes; path=/WE; +Set-Cookie: blexp=yesyes; domain=.0.0.1; domain=.0.0.1; expiry=totally bad; </file> </client> @@ -54,7 +55,7 @@ Set-Cookie: nocookie=yes; path=/WE; GET /we/want/8 HTTP/1.1
Host: %HOSTIP:%HTTPPORT
Accept: */*
-Cookie: cookie=yes; partmatch=present; foobar=name
+Cookie: blexp=yesyes; cookie=yes; partmatch=present; foobar=name
</protocol> </verify> |
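
Review bot: In the RELEASE-NOTES hunk at @@ -41,6 +41,7 @@, the added bugfix line misspells "cookies" as "coookies". Fix the spelling before the release notes ship, and consider "expiry dates" instead of "expire dates" so the entry matches the wording of the CHANGES entry.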
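
Review bot: In lib/cookie.c at @@ -373,6 +372,8 @@, the new branch tests `co->expires < 0`, while the comment removed in the preceding hunk names -1 as the value stored when the date could not be parsed. If curl_getdate() can return any other negative value for a date it did parse, that cookie would also be kept as a session cookie instead of being treated as expired, so either compare against the failure value or say in the comment that every negative result is deliberately mapped to 0. The comment should also mention that a cookie sent with an unparsable date is now kept for the session rather than dropped, since that changes what happens when a server uses the expiry attribute to remove a cookie. Style: the spacing in `else if( co->expires < 0 )` differs from the `if (co->expires == 0)` and `else if(!co->name)` lines around it.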
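
Review bot: In tests/data/test31 (@@ -27,6 +27,7 @@) and tests/data/test8 (@@ -41,6 +41,7 @@), the added blexp cookie carries `expiry=totally bad`, whereas the neighbouring cookies in test31 set their date with `expires=`. If the parser only passes the `expires` attribute to curl_getdate(), these lines never reach the new `co->expires < 0` branch and would yield a session cookie without the lib/cookie.c change as well, so the tests would pass either way. Suggest `expires=totally bad` in both files, plus a cookie with an empty `expires=` value to cover the blank date the commit message mentions.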