author | Daniel Stenberg <daniel@haxx.se> | 2008-01-31 12:21:57 +0000 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2008-01-31 12:21:57 +0000 |
commit | a62e155ca4d9e1db640d897bfbabbd4bf865b777 (patch) | |
tree | 1a738379d6c4cc2df907d88c4533d83cb847652e /lib | |
parent | b620e62f0f4e90f4d1338117c67580a6f5f37377 (diff) |
- Niklas Angebrand made the cookie support in libcurl properly deal with the
"HttpOnly" feature introduced by Microsoft and apparently also supported by
Firefox: http://msdn2.microsoft.com/en-us/library/ms533046.aspx . HttpOnly
is now supported when received from servers in HTTP headers, when written to
cookie jars and when read from existing cookie jars.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/cookie.c | 21 | ||||
-rw-r--r-- | lib/cookie.h | 1 |
2 files changed, 21 insertions, 1 deletions
diff --git a/lib/cookie.c b/lib/cookie.c
index 3e6c8a1cd..f2dabd8e2 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -367,8 +367,12 @@ Curl_cookie_add(struct SessionHandle *data,
 else {
 if(sscanf(ptr, "%" MAX_COOKIE_LINE_TXT "[^;\r\n]", what)) {
- if(strequal("secure", what))
+ if(strequal("secure", what)) {
 co->secure = TRUE;
+ }
+ else if (strequal("httponly", what)) {
+ co->httponly = TRUE;
+ }
 /* else, unsupported keyword without assign! */
@@ -433,6 +437,19 @@ Curl_cookie_add(struct SessionHandle *data,
 char *tok_buf;
 int fields;
+ /* IE introduced HTTP-only cookies to prevent XSS attacks. Cookies marked with httpOnly after the domain name are not accessible from javascripts, but since curl does not operate at javascript level, we include them anyway. In Firefox's cookie files, these lines are preceeded with #HttpOnly_ and then everything is as usual, so we skip 10 characters of the line.. */
+ if (strncmp(lineptr, "#HttpOnly_", 10) == 0) {
+ lineptr += 10;
+ co->httponly = TRUE;
+ } + + if(lineptr[0]=='#') { /* don't even try the comments */ free(co);
@@ -918,6 +935,7 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
 static char *get_netscape_format(const struct Cookie *co)
 {
 return aprintf(
+ "%s" /* httponly preamble */
 "%s%s\t" /* domain */
 "%s\t" /* tailmatch */
 "%s\t" /* path */
@@ -925,6 +943,7 @@ static char *get_netscape_format(const struct Cookie *co)
 "%" FORMAT_OFF_T "\t" /* expires */
 "%s\t" /* name */
 "%s", /* value */
+ co->httponly?"#HttpOnly_":"",
 /* Make sure all domains are prefixed with a dot if they allow tailmatching. This is Mozilla-style. */
 (co->tailmatch && co->domain && co->domain[0] != '.')? ".":"",
diff --git a/lib/cookie.h b/lib/cookie.h
index 7fbc72e8a..a1d107352 100644
--- a/lib/cookie.h
+++ b/lib/cookie.h
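Review bot: The new branch in the keyword parser is written `else if (strequal("httponly", what)) {` with a space before the parenthesis, while the sibling branch it sits next to and the enclosing `if(sscanf(` use the file's `if(` form; make it `else if(strequal("httponly", what)) {`. The branch only records the attribute, and nothing in this hunk changes where such a cookie is sent, which is the right behaviour for a library with no script context, but a reader comparing it with the `secure` branch (which does affect sending elsewhere) will wonder; a one-line comment on the branch, `/* recorded only: libcurl has no script context to hide the cookie from */`, would settle that. Curl_cookie_add starts before this hunk and continues past it.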
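Review bot: The prefix length 10 appears twice as a magic number, once in the strncmp and again in `lineptr += 10;`, with the only tie to the literal "#HttpOnly_" being the comment; derive it from the literal so the two cannot drift, `if(strncmp(lineptr, "#HttpOnly_", sizeof("#HttpOnly_") - 1) == 0) {` and `lineptr += sizeof("#HttpOnly_") - 1;` (which also restores the file's `if(` spacing used by the `if(lineptr[0]=='#')` check right below). The added comment has a typo, "preceeded" should be "preceded", and it would help to state explicitly that this test must run before the `#` comment skip that follows, since a jar line starting with `#HttpOnly_` was previously discarded as a comment and is now parsed as a cookie. Curl_cookie_add starts before this hunk and continues past it.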
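Review bot: The `"%s" /* httponly preamble */` slot puts `#HttpOnly_` at the very start of the jar line, so any reader that treats a leading `#` as a comment, which includes libcurl before this commit as the `if(lineptr[0]=='#')` skip in this same file shows, will silently drop every HttpOnly cookie when it loads a jar written by this version. That is presumably the price of matching Firefox's file format, but it is a data-loss interoperability caveat that the comment should carry rather than leave to be rediscovered; I would expand it to `/* httponly preamble: "#HttpOnly_" makes readers unaware of the Firefox convention skip the whole line as a comment */`. get_netscape_format's argument list continues in the next hunk.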
@@ -50,6 +50,7 @@ struct Cookie { bool secure; /* whether the 'secure' keyword was used */ bool livecookie; /* updated from a server, not a stored file */ + bool httponly; /* true if the httponly directive is present */ }; struct CookieInfo { |
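Review bot: The comment on the new field, `/* true if the httponly directive is present */`, says where the flag comes from but not what libcurl does with it, and nothing in this commit acts on the flag beyond storing it and round-tripping it through the jar; a caller that hands cookies to a script engine therefore has to enforce HttpOnly itself, which the header should say. I would write it as `bool httponly; /* set from the HttpOnly attribute or a #HttpOnly_ jar line; recorded only, libcurl does not enforce it */`.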