diff options
-rw-r--r-- | CHANGES | 8 | ||||
-rw-r--r-- | RELEASE-NOTES | 3 | ||||
-rw-r--r-- | lib/cookie.c | 18 |
3 files changed, 21 insertions, 8 deletions
@@ -6,6 +6,14 @@ Changelog +Daniel Stenberg (8 Sep 2008) +- Stefan Krause pointed out that libcurl would wrongly send away cookies to + sites in cases where the cookie clearly has a very old expiry date. The + condition was simply that libcurl's date parser would fail to convert the + date and it would then count as a (timed-based) match. Starting now, a + missed date due to an unsupported date format or date range will now cause + the cookie to not match. + Daniel Fandrich (5 Sep 2008) - Improved the logic the decides whether to use HTTP 1.1 features or not in a request. Setting a specific version with CURLOPT_HTTP_VERSION overrides diff --git a/RELEASE-NOTES b/RELEASE-NOTES index f96e060dc..3c4885dcb 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -19,6 +19,7 @@ This release includes the following bugfixes: o MingW32 non-configure builds are now largefile feature enabled by default o NetWare LIBC builds are now largefile feature enabled by default o curl_easy_pause() could behave wrongly on unpause + o cookie with invalid expire dates are now considered expired This release includes the following known bugs: @@ -32,6 +33,6 @@ This release would not have looked like this without help, code, reports and advice from friends like these: Keith Mok, Yang Tse, Daniel Fandrich, Guenter Knauf, Dmitriy Sergeyev, - Linus Nielsen Feltzing, Martin Drasar + Linus Nielsen Feltzing, Martin Drasar, Stefan Krause Thanks! (and sorry if I forgot to mention someone) diff --git a/lib/cookie.c b/lib/cookie.c index 59df3b64f..ed541a12f 100644 --- a/lib/cookie.c +++ b/lib/cookie.c @@ -338,7 +338,8 @@ Curl_cookie_add(struct SessionHandle *data, break; } co->expires = - atoi((*co->maxage=='\"')?&co->maxage[1]:&co->maxage[0]) + (long)now; + atoi((*co->maxage=='\"')?&co->maxage[1]:&co->maxage[0]) + + (long)now; } else if(strequal("expires", name)) { co->expirestr=strdup(whatptr); @@ -346,6 +347,9 @@ Curl_cookie_add(struct SessionHandle *data, badcookie = TRUE; break; } + /* Note that we store -1 in 'expires' here if the date couldn't + get parsed for whatever reason. This will have the effect that + the cookie won't match. */ co->expires = curl_getdate(what, &now); } else if(!co->name) { @@ -437,10 +441,10 @@ Curl_cookie_add(struct SessionHandle *data, char *tok_buf; int fields; - /* IE introduced HTTP-only cookies to prevent XSS attacks. Cookies - marked with httpOnly after the domain name are not accessible - from javascripts, but since curl does not operate at javascript - level, we include them anyway. In Firefox's cookie files, these + /* IE introduced HTTP-only cookies to prevent XSS attacks. Cookies + marked with httpOnly after the domain name are not accessible + from javascripts, but since curl does not operate at javascript + level, we include them anyway. In Firefox's cookie files, these lines are preceeded with #HttpOnly_ and then everything is as usual, so we skip 10 characters of the line.. */ @@ -753,7 +757,7 @@ struct CookieInfo *Curl_cookie_init(struct SessionHandle *data, struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, const char *host, const char *path, - bool secure) + bool secure) { struct Cookie *newco; struct Cookie *co; @@ -769,7 +773,7 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, /* only process this cookie if it is not expired or had no expire date AND that if the cookie requires we're secure we must only continue if we are! */ - if( (co->expires<=0 || (co->expires> now)) && + if( (!co->expires || (co->expires > now)) && (co->secure?secure:TRUE) ) { /* now check if the domain is correct */ |