Age | Commit message (Collapse) | Author |
|
|
|
The draft-ietf-httpbis-rfc6265bis-02 draft, specify a set of prefixes
and how they should affect cookie initialization, which has been
adopted by the major browsers. This adds support for the two prefixes
defined, __Host- and __Secure, and updates the testcase with the
supplied examples from the draft.
Closes #3554
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
|
Only allow secure origins to be able to write cookies with the
'secure' flag set. This reduces the risk of non-secure origins
to influence the state of secure origins. This implements IETF
Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates
RFC6265.
Closes #2956
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
|
According to RFC6265 section 5.4, cookies with equal path lengths
SHOULD be sorted by creation-time (earlier first). This adds a
creation-time record to the cookie struct in order to make cookie
sorting more deterministic. The creation-time is defined as the
order of the cookies in the jar, the first cookie read fro the
jar being the oldest. The creation-time is thus not serialized
into the jar. Also remove the strcmp() matching in the sorting as
there is no lexicographic ordering in RFC6265. Existing tests are
updated to match.
Closes #2524
|
|
Commit 2bc230de63 made the macro MAX_COOKIE_LINE_TXT become unused,
so remove as it's not part of the published API.
Closes https://github.com/curl/curl/pull/2537
|
|
This makes libcurl handle thousands of cookies much better and speedier.
Closes #2440
|
|
This drops the cookie load time for 8k cookies from 178ms to 15ms.
Closes #2441
|
|
... instead of truncating them.
There's no fixed limit for acceptable cookie names in RFC 6265, but the
entire cookie is said to be less than 4096 bytes (section 6.1). This is
also what browsers seem to implement.
We now allow max 5000 bytes cookie header. Max 4095 bytes length per
cookie name and value. Name + value together may not exceed 4096 bytes.
Added test 1151 to verify
Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html
Reported-by: Kevin Smith
Closes #1894
|
|
Previously it only held references to them, which was reckless as the
thread lock was released so the cookies could get modified by other
handles that share the same cookie jar over the share interface.
CVE-2016-8623
Bug: https://curl.haxx.se/docs/adv_20161102I.html
Reported-by: Cure53
|
|
|
|
|
|
The initial fix to only compare full path names were done in commit
04f52e9b4db0 but found out to be incomplete. This takes should make the
change more complete and there's now two additional tests to verify
(test 31 and 62).
|
|
This commit renames lib/setup.h to lib/curl_setup.h and
renames lib/setup_once.h to lib/curl_setup_once.h.
Removes the need and usage of a header inclusion guard foreign
to libcurl. [1]
Removes the need and presence of an alarming notice we carried
in old setup_once.h [2]
----------------------------------------
1 - lib/setup_once.h used __SETUP_ONCE_H macro as header inclusion guard
up to commit ec691ca3 which changed this to HEADER_CURL_SETUP_ONCE_H,
this single inclusion guard is enough to ensure that inclusion of
lib/setup_once.h done from lib/setup.h is only done once.
Additionally lib/setup.h has always used __SETUP_ONCE_H macro to
protect inclusion of setup_once.h even after commit ec691ca3, this
was to avoid a circular header inclusion triggered when building a
c-ares enabled version with c-ares sources available which also has
a setup_once.h header. Commit ec691ca3 exposes the real nature of
__SETUP_ONCE_H usage in lib/setup.h, it is a header inclusion guard
foreign to libcurl belonging to c-ares's setup_once.h
The renaming this commit does, fixes the circular header inclusion,
and as such removes the need and usage of a header inclusion guard
foreign to libcurl. Macro __SETUP_ONCE_H no longer used in libcurl.
2 - Due to the circular interdependency of old lib/setup_once.h and the
c-ares setup_once.h header, old file lib/setup_once.h has carried
back from 2006 up to now days an alarming and prominent notice about
the need of keeping libcurl's and c-ares's setup_once.h in sync.
Given that this commit fixes the circular interdependency, the need
and presence of mentioned notice is removed.
All mentioned interdependencies come back from now old days when
the c-ares project lived inside a curl subdirectory. This commit
removes last traces of such fact.
|
|
This reverts renaming and usage of lib/*.h header files done
28-12-2012, reverting 2 commits:
f871de0... build: make use of 76 lib/*.h renamed files
ffd8e12... build: rename 76 lib/*.h files
This also reverts removal of redundant include guard (redundant thanks
to changes in above commits) done 2-12-2013, reverting 1 commit:
c087374... curl_setup.h: remove redundant include guard
This also reverts renaming and usage of lib/*.c source files done
3-12-2013, reverting 3 commits:
13606bb... build: make use of 93 lib/*.c renamed files
5b6e792... build: rename 93 lib/*.c files
7d83dff... build: commit 13606bbfde follow-up 1
Start of related discussion thread:
http://curl.haxx.se/mail/lib-2013-01/0012.html
Asking for confirmation on pushing this revertion commit:
http://curl.haxx.se/mail/lib-2013-01/0048.html
Confirmation summary:
http://curl.haxx.se/mail/lib-2013-01/0079.html
NOTICE: The list of 2 files that have been modified by other
intermixed commits, while renamed, and also by at least one
of the 6 commits this one reverts follows below. These 2 files
will exhibit a hole in history unless git's '--follow' option
is used when viewing logs.
lib/curl_imap.h
lib/curl_smtp.h
|
|
76 private header files renamed to use our standard naming scheme.
This commit only does the file renaming.
----------------------------------------
renamed: amigaos.h -> curl_amigaos.h
renamed: arpa_telnet.h -> curl_arpa_telnet.h
renamed: asyn.h -> curl_asyn.h
renamed: axtls.h -> curl_axtls.h
renamed: bundles.h -> curl_bundles.h
renamed: conncache.h -> curl_conncache.h
renamed: connect.h -> curl_connect.h
renamed: content_encoding.h -> curl_content_encoding.h
renamed: cookie.h -> curl_cookie.h
renamed: cyassl.h -> curl_cyassl.h
renamed: dict.h -> curl_dict.h
renamed: easyif.h -> curl_easyif.h
renamed: escape.h -> curl_escape.h
renamed: file.h -> curl_file.h
renamed: fileinfo.h -> curl_fileinfo.h
renamed: formdata.h -> curl_formdata.h
renamed: ftp.h -> curl_ftp.h
renamed: ftplistparser.h -> curl_ftplistparser.h
renamed: getinfo.h -> curl_getinfo.h
renamed: gopher.h -> curl_gopher.h
renamed: gtls.h -> curl_gtls.h
renamed: hash.h -> curl_hash.h
renamed: hostcheck.h -> curl_hostcheck.h
renamed: hostip.h -> curl_hostip.h
renamed: http.h -> curl_http.h
renamed: http_chunks.h -> curl_http_chunks.h
renamed: http_digest.h -> curl_http_digest.h
renamed: http_negotiate.h -> curl_http_negotiate.h
renamed: http_proxy.h -> curl_http_proxy.h
renamed: if2ip.h -> curl_if2ip.h
renamed: imap.h -> curl_imap.h
renamed: inet_ntop.h -> curl_inet_ntop.h
renamed: inet_pton.h -> curl_inet_pton.h
renamed: krb4.h -> curl_krb4.h
renamed: llist.h -> curl_llist.h
renamed: memdebug.h -> curl_memdebug.h
renamed: multiif.h -> curl_multiif.h
renamed: netrc.h -> curl_netrc.h
renamed: non-ascii.h -> curl_non-ascii.h
renamed: nonblock.h -> curl_nonblock.h
renamed: nssg.h -> curl_nssg.h
renamed: parsedate.h -> curl_parsedate.h
renamed: pingpong.h -> curl_pingpong.h
renamed: polarssl.h -> curl_polarssl.h
renamed: pop3.h -> curl_pop3.h
renamed: progress.h -> curl_progress.h
renamed: qssl.h -> curl_qssl.h
renamed: rawstr.h -> curl_rawstr.h
renamed: rtsp.h -> curl_rtsp.h
renamed: select.h -> curl_select.h
renamed: sendf.h -> curl_sendf.h
renamed: setup.h -> curl_setup.h
renamed: setup_once.h -> curl_setup_once.h
renamed: share.h -> curl_share.h
renamed: slist.h -> curl_slist.h
renamed: smtp.h -> curl_smtp.h
renamed: sockaddr.h -> curl_sockaddr.h
renamed: socks.h -> curl_socks.h
renamed: speedcheck.h -> curl_speedcheck.h
renamed: splay.h -> curl_splay.h
renamed: ssh.h -> curl_ssh.h
renamed: sslgen.h -> curl_sslgen.h
renamed: ssluse.h -> curl_ssluse.h
renamed: strdup.h -> curl_strdup.h
renamed: strequal.h -> curl_strequal.h
renamed: strerror.h -> curl_strerror.h
renamed: strtok.h -> curl_strtok.h
renamed: strtoofft.h -> curl_strtoofft.h
renamed: telnet.h -> curl_telnet.h
renamed: tftp.h -> curl_tftp.h
renamed: timeval.h -> curl_timeval.h
renamed: transfer.h -> curl_transfer.h
renamed: url.h -> curl_url.h
renamed: urldata.h -> curl_urldata.h
renamed: warnless.h -> curl_warnless.h
renamed: wildcard.h -> curl_wildcard.h
----------------------------------------
|
|
76 private header files renamed to use our standard naming scheme.
This change affects 322 files in libcurl's source tree.
|
|
|
|
|
|
|
|
Fix compiler warning: empty body in an if-statement
|
|
1 - make sure to #define macros for cookie functions in the cookie
header when cookies are disabled to avoid having to use #ifdefs in code
using those functions.
2 - move cookie-specific code to cookie.c and use the functio
conditionally as mentioned in (1).
net result: 6 #if lines removed, and 9 lines of code less
|
|
|
|
|
|
"HttpOnly" feature introduced by Microsoft and apparently also supported by
Firefox: http://msdn2.microsoft.com/en-us/library/ms533046.aspx . HttpOnly
is now supported when received from servers in HTTP headers, when written to
cookie jars and when read from existing cookie jars.
|
|
did "SESS". Fixed now.
|
|
|
|
|
|
|
|
|
|
CURLOPT_COOKIELIST, which then makes all session cookies get cleared. (slightly
edited by me, and the re-indent in cookie.c was also done by me)
|
|
|
|
CURLOPT_COOKIEFILE), add a cookie (with CURLOPT_COOKIELIST), tell it to
write the result to a given cookie jar and then never actually call
curl_easy_perform() - the given file(s) to read was never read but the
output file was written and thus it caused a "funny" result.
- While doing some tests for the bug above, I noticed that Firefox generates
large numbers (for the expire time) in the cookies.txt file and libcurl
didn't treat them properly. Now it does.
|
|
simple interface to extracting and setting cookies in libcurl's internal
"cookie jar". See the new cookie_interface.c example code.
|
|
|
|
contain least 4096 bytes while libcurl only allowed 2047. I raised the limit
to 4999 now and made the used buffer get malloc()ed instead of simply
allocated on stack as before.
|
|
|
|
|
|
o Save domains in jars like Mozilla does. It means all domains set in
Set-Cookie: headers are dot-prefixed.
o Save and use the 'tailmatch' field in the Mozilla/Netscape cookie jars (the
second column).
o Reject cookies using illegal domains in the Set-Cookie: line. Concerns
both domains with too few dots or domains that are outside the currently
operating server host's domain.
o Set the path part by default to the one used in the request, if none was
set in the Set-Cookie line.
|
|
|
|
|
|
|
|
|
|
|
|
properly match those cookies in subsequent requests
|
|
|
|
to read multiple cookie files, no longer writes to the URL string passed
to the _add() function. The new stuff is now conditionally compiled on the
COOKIE define. Changed the _init() proto.
|
|
|
|
|
|
|
|
|