Diffstat (limited to 'lib')
-rw-r--r--lib/cookie.c21
-rw-r--r--lib/cookie.h1
2 files changed, 21 insertions, 1 deletions
diff --git a/lib/cookie.c b/lib/cookie.c
index 3e6c8a1cd..f2dabd8e2 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -367,8 +367,12 @@ Curl_cookie_add(struct SessionHandle *data,
else {
if(sscanf(ptr, "%" MAX_COOKIE_LINE_TXT "[^;\r\n]",
what)) {
- if(strequal("secure", what))
+ if(strequal("secure", what)) {
co->secure = TRUE;
+ }
+ else if (strequal("httponly", what)) {
+ co->httponly = TRUE;
+ }
/* else,
unsupported keyword without assign! */
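Review bot: The new `else if (strequal("httponly", what)) {` departs from this file's keyword spacing (`if(sscanf(` two lines above, `if(lineptr[0]=='#')` in the next hunk); `else if(strequal("httponly", what)) {` would match. Since the flag set here is only carried through to the cookie-jar writer and curl itself does not act on it (the later comment notes curl does not operate at javascript level), a short comment on the assignment, `/* recorded for cookie-jar round-trip; curl does not enforce HttpOnly */`, would spare the next reader a search for where it is used. Curl_cookie_add begins and ends outside this hunk.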
@@ -433,6 +437,19 @@ Curl_cookie_add(struct SessionHandle *data,
char *tok_buf;
int fields;
+ /* IE introduced HTTP-only cookies to prevent XSS attacks. Cookies
+ marked with httpOnly after the domain name are not accessible
+ from javascripts, but since curl does not operate at javascript
+ level, we include them anyway. In Firefox's cookie files, these
+ lines are preceeded with #HttpOnly_ and then everything is
+ as usual, so we skip 10 characters of the line..
+ */
+ if (strncmp(lineptr, "#HttpOnly_", 10) == 0) {
+ lineptr += 10;
+ co->httponly = TRUE;
+ }
+
+
if(lineptr[0]=='#') {
/* don't even try the comments */
free(co);
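Review bot: The prefix length is a hand-counted `10` in both `strncmp(lineptr, "#HttpOnly_", 10)` and `lineptr += 10`, and the same literal reappears in the writer (`co->httponly?"#HttpOnly_":""` in the get_netscape_format hunks below), so reader and writer can silently drift apart. A single definition near the top of cookie.c, `#define HTTPONLY_PREFIX "#HttpOnly_"`, used as `if(strncmp(lineptr, HTTPONLY_PREFIX, sizeof(HTTPONLY_PREFIX) - 1) == 0) {` and `lineptr += sizeof(HTTPONLY_PREFIX) - 1;`, ties the length to the literal. The `if (strncmp(` spacing and the two blank lines after the closing brace also differ from the file's `if(` style. In the added comment, "preceeded" should read "preceded". Curl_cookie_add starts and ends outside this hunk.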
@@ -918,6 +935,7 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
static char *get_netscape_format(const struct Cookie *co)
{
return aprintf(
+ "%s" /* httponly preamble */
"%s%s\t" /* domain */
"%s\t" /* tailmatch */
"%s\t" /* path */
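Review bot: get_netscape_format now emits the `#HttpOnly_` marker but has no header comment describing the line it produces or its coupling with the reader in Curl_cookie_add. A comment above the definition such as `/* Format one cookie as a Netscape/Mozilla cookie-jar line. HttpOnly cookies are written with the Firefox-style "#HttpOnly_" prefix, which the loader in Curl_cookie_add strips; readers without that support see a '#' line and skip it as a comment. */` would record both the format and the compatibility consequence, which is visible in the `if(lineptr[0]=='#')` branch of the previous hunk. The aprintf argument list continues in the next hunk and past it.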
@@ -925,6 +943,7 @@ static char *get_netscape_format(const struct Cookie *co)
"%" FORMAT_OFF_T "\t" /* expires */
"%s\t" /* name */
"%s", /* value */
+ co->httponly?"#HttpOnly_":"",
/* Make sure all domains are prefixed with a dot if they allow
tailmatching. This is Mozilla-style. */
(co->tailmatch && co->domain && co->domain[0] != '.')? ".":"",
diff --git a/lib/cookie.h b/lib/cookie.h
index 7fbc72e8a..a1d107352 100644
--- a/lib/cookie.h
+++ b/lib/cookie.h
@@ -50,6 +50,7 @@ struct Cookie {
bool secure; /* whether the 'secure' keyword was used */
bool livecookie; /* updated from a server, not a stored file */
+ bool httponly; /* true if the httponly directive is present */
};
struct CookieInfo {