- Niklas Angebrand made the cookie support in libcurl properly deal with the

"HttpOnly" feature introduced by Microsoft and apparently also supported by Firefox: http://msdn2.microsoft.com/en-us/library/ms533046.aspx . HttpOnly is now supported when received from servers in HTTP headers, when written to cookie jars and when read from existing cookie jars.
author: Daniel Stenberg <daniel@haxx.se> 2008-01-31 12:21:57 +0000
committer: Daniel Stenberg <daniel@haxx.se> 2008-01-31 12:21:57 +0000
commit: a62e155ca4d9e1db640d897bfbabbd4bf865b777 (patch)
tree: 1a738379d6c4cc2df907d88c4533d83cb847652e /lib/cookie.c
parent: b620e62f0f4e90f4d1338117c67580a6f5f37377 (diff)
1 files changed, 20 insertions, 1 deletions
diff --git a/lib/cookie.c b/lib/cookie.c
index 3e6c8a1cd..f2dabd8e2 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -367,8 +367,12 @@ Curl_cookie_add(struct SessionHandle *data,
       else {
         if(sscanf(ptr, "%" MAX_COOKIE_LINE_TXT "[^;\r\n]",
                   what)) {
-          if(strequal("secure", what))
+          if(strequal("secure", what)) {
             co->secure = TRUE;
+          }
+          else if (strequal("httponly", what)) {
+            co->httponly = TRUE;
+          }
           /* else,
              unsupported keyword without assign! */
 
@@ -433,6 +437,19 @@ Curl_cookie_add(struct SessionHandle *data,
     char *tok_buf;
     int fields;
 
+    /* IE introduced HTTP-only cookies to prevent XSS attacks. Cookies 
+       marked with httpOnly after the domain name are not accessible  
+       from javascripts, but since curl does not operate at javascript  
+       level, we include them anyway. In Firefox's cookie files, these 
+       lines are preceeded with #HttpOnly_ and then everything is
+       as usual, so we skip 10 characters of the line..
+    */
+    if (strncmp(lineptr, "#HttpOnly_", 10) == 0) {
+      lineptr += 10;
+      co->httponly = TRUE;
+    }
+
+
     if(lineptr[0]=='#') {
       /* don't even try the comments */
       free(co);
@@ -918,6 +935,7 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
 static char *get_netscape_format(const struct Cookie *co)
 {
   return aprintf(
+    "%s"     /* httponly preamble */
     "%s%s\t" /* domain */
     "%s\t"   /* tailmatch */
     "%s\t"   /* path */
@@ -925,6 +943,7 @@ static char *get_netscape_format(const struct Cookie *co)
     "%" FORMAT_OFF_T "\t"   /* expires */
     "%s\t"   /* name */
     "%s",    /* value */
+    co->httponly?"#HttpOnly_":"",
     /* Make sure all domains are prefixed with a dot if they allow
        tailmatching. This is Mozilla-style. */
     (co->tailmatch && co->domain && co->domain[0] != '.')? ".":"",
author	Daniel Stenberg <daniel@haxx.se>	2008-01-31 12:21:57 +0000
committer	Daniel Stenberg <daniel@haxx.se>	2008-01-31 12:21:57 +0000
commit	a62e155ca4d9e1db640d897bfbabbd4bf865b777 (patch)
tree	1a738379d6c4cc2df907d88c4533d83cb847652e /lib/cookie.c
parent	b620e62f0f4e90f4d1338117c67580a6f5f37377 (diff)