aboutsummaryrefslogtreecommitdiff
path: root/lib/cookie.h
AgeCommit message (Collapse)Author
2018-12-13cookies: leave secure cookies aloneDaniel Gustafsson
Only allow secure origins to be able to write cookies with the 'secure' flag set. This reduces the risk of non-secure origins to influence the state of secure origins. This implements IETF Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates RFC6265. Closes #2956 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-08-31cookies: support creation-time attribute for cookiesDaniel Gustafsson
According to RFC6265 section 5.4, cookies with equal path lengths SHOULD be sorted by creation-time (earlier first). This adds a creation-time record to the cookie struct in order to make cookie sorting more deterministic. The creation-time is defined as the order of the cookies in the jar, the first cookie read fro the jar being the oldest. The creation-time is thus not serialized into the jar. Also remove the strcmp() matching in the sorting as there is no lexicographic ordering in RFC6265. Existing tests are updated to match. Closes #2524
2018-04-27cookies: remove unused macroDaniel Gustafsson
Commit 2bc230de63 made the macro MAX_COOKIE_LINE_TXT become unused, so remove as it's not part of the published API. Closes https://github.com/curl/curl/pull/2537
2018-04-02cookie: store cookies per top-level-domain-specific hash tableLauri Kasanen
This makes libcurl handle thousands of cookies much better and speedier. Closes #2440
2018-04-02cookies: when reading from a file, only remove_expired onceLauri Kasanen
This drops the cookie load time for 8k cookies from 178ms to 15ms. Closes #2441
2017-09-18cookies: reject oversized cookiesDaniel Stenberg
... instead of truncating them. There's no fixed limit for acceptable cookie names in RFC 6265, but the entire cookie is said to be less than 4096 bytes (section 6.1). This is also what browsers seem to implement. We now allow max 5000 bytes cookie header. Max 4095 bytes length per cookie name and value. Name + value together may not exceed 4096 bytes. Added test 1151 to verify Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html Reported-by: Kevin Smith Closes #1894
2016-10-31cookies: getlist() now holds deep copies of all cookiesDaniel Stenberg
Previously it only held references to them, which was reckless as the thread lock was released so the cookies could get modified by other handles that share the same cookie jar over the share interface. CVE-2016-8623 Bug: https://curl.haxx.se/docs/adv_20161102I.html Reported-by: Cure53
2016-06-22internals: rename the SessionHandle struct to Curl_easyDaniel Stenberg
2016-02-03URLs: change all http:// URLs to https://Daniel Stenberg
2013-06-12cookies: follow-up fix for path checkingYAMADA Yasuharu
The initial fix to only compare full path names were done in commit 04f52e9b4db0 but found out to be incomplete. This takes should make the change more complete and there's now two additional tests to verify (test 31 and 62).
2013-01-09build: fix circular header inclusion with other packagesYang Tse
This commit renames lib/setup.h to lib/curl_setup.h and renames lib/setup_once.h to lib/curl_setup_once.h. Removes the need and usage of a header inclusion guard foreign to libcurl. [1] Removes the need and presence of an alarming notice we carried in old setup_once.h [2] ---------------------------------------- 1 - lib/setup_once.h used __SETUP_ONCE_H macro as header inclusion guard up to commit ec691ca3 which changed this to HEADER_CURL_SETUP_ONCE_H, this single inclusion guard is enough to ensure that inclusion of lib/setup_once.h done from lib/setup.h is only done once. Additionally lib/setup.h has always used __SETUP_ONCE_H macro to protect inclusion of setup_once.h even after commit ec691ca3, this was to avoid a circular header inclusion triggered when building a c-ares enabled version with c-ares sources available which also has a setup_once.h header. Commit ec691ca3 exposes the real nature of __SETUP_ONCE_H usage in lib/setup.h, it is a header inclusion guard foreign to libcurl belonging to c-ares's setup_once.h The renaming this commit does, fixes the circular header inclusion, and as such removes the need and usage of a header inclusion guard foreign to libcurl. Macro __SETUP_ONCE_H no longer used in libcurl. 2 - Due to the circular interdependency of old lib/setup_once.h and the c-ares setup_once.h header, old file lib/setup_once.h has carried back from 2006 up to now days an alarming and prominent notice about the need of keeping libcurl's and c-ares's setup_once.h in sync. Given that this commit fixes the circular interdependency, the need and presence of mentioned notice is removed. All mentioned interdependencies come back from now old days when the c-ares project lived inside a curl subdirectory. This commit removes last traces of such fact.
2013-01-06Revert changes relative to lib/*.[ch] recent renamingYang Tse
This reverts renaming and usage of lib/*.h header files done 28-12-2012, reverting 2 commits: f871de0... build: make use of 76 lib/*.h renamed files ffd8e12... build: rename 76 lib/*.h files This also reverts removal of redundant include guard (redundant thanks to changes in above commits) done 2-12-2013, reverting 1 commit: c087374... curl_setup.h: remove redundant include guard This also reverts renaming and usage of lib/*.c source files done 3-12-2013, reverting 3 commits: 13606bb... build: make use of 93 lib/*.c renamed files 5b6e792... build: rename 93 lib/*.c files 7d83dff... build: commit 13606bbfde follow-up 1 Start of related discussion thread: http://curl.haxx.se/mail/lib-2013-01/0012.html Asking for confirmation on pushing this revertion commit: http://curl.haxx.se/mail/lib-2013-01/0048.html Confirmation summary: http://curl.haxx.se/mail/lib-2013-01/0079.html NOTICE: The list of 2 files that have been modified by other intermixed commits, while renamed, and also by at least one of the 6 commits this one reverts follows below. These 2 files will exhibit a hole in history unless git's '--follow' option is used when viewing logs. lib/curl_imap.h lib/curl_smtp.h
2012-12-28build: rename 76 lib/*.h filesYang Tse
76 private header files renamed to use our standard naming scheme. This commit only does the file renaming. ---------------------------------------- renamed: amigaos.h -> curl_amigaos.h renamed: arpa_telnet.h -> curl_arpa_telnet.h renamed: asyn.h -> curl_asyn.h renamed: axtls.h -> curl_axtls.h renamed: bundles.h -> curl_bundles.h renamed: conncache.h -> curl_conncache.h renamed: connect.h -> curl_connect.h renamed: content_encoding.h -> curl_content_encoding.h renamed: cookie.h -> curl_cookie.h renamed: cyassl.h -> curl_cyassl.h renamed: dict.h -> curl_dict.h renamed: easyif.h -> curl_easyif.h renamed: escape.h -> curl_escape.h renamed: file.h -> curl_file.h renamed: fileinfo.h -> curl_fileinfo.h renamed: formdata.h -> curl_formdata.h renamed: ftp.h -> curl_ftp.h renamed: ftplistparser.h -> curl_ftplistparser.h renamed: getinfo.h -> curl_getinfo.h renamed: gopher.h -> curl_gopher.h renamed: gtls.h -> curl_gtls.h renamed: hash.h -> curl_hash.h renamed: hostcheck.h -> curl_hostcheck.h renamed: hostip.h -> curl_hostip.h renamed: http.h -> curl_http.h renamed: http_chunks.h -> curl_http_chunks.h renamed: http_digest.h -> curl_http_digest.h renamed: http_negotiate.h -> curl_http_negotiate.h renamed: http_proxy.h -> curl_http_proxy.h renamed: if2ip.h -> curl_if2ip.h renamed: imap.h -> curl_imap.h renamed: inet_ntop.h -> curl_inet_ntop.h renamed: inet_pton.h -> curl_inet_pton.h renamed: krb4.h -> curl_krb4.h renamed: llist.h -> curl_llist.h renamed: memdebug.h -> curl_memdebug.h renamed: multiif.h -> curl_multiif.h renamed: netrc.h -> curl_netrc.h renamed: non-ascii.h -> curl_non-ascii.h renamed: nonblock.h -> curl_nonblock.h renamed: nssg.h -> curl_nssg.h renamed: parsedate.h -> curl_parsedate.h renamed: pingpong.h -> curl_pingpong.h renamed: polarssl.h -> curl_polarssl.h renamed: pop3.h -> curl_pop3.h renamed: progress.h -> curl_progress.h renamed: qssl.h -> curl_qssl.h renamed: rawstr.h -> curl_rawstr.h renamed: rtsp.h -> curl_rtsp.h renamed: select.h -> curl_select.h renamed: sendf.h -> curl_sendf.h renamed: setup.h -> curl_setup.h renamed: setup_once.h -> curl_setup_once.h renamed: share.h -> curl_share.h renamed: slist.h -> curl_slist.h renamed: smtp.h -> curl_smtp.h renamed: sockaddr.h -> curl_sockaddr.h renamed: socks.h -> curl_socks.h renamed: speedcheck.h -> curl_speedcheck.h renamed: splay.h -> curl_splay.h renamed: ssh.h -> curl_ssh.h renamed: sslgen.h -> curl_sslgen.h renamed: ssluse.h -> curl_ssluse.h renamed: strdup.h -> curl_strdup.h renamed: strequal.h -> curl_strequal.h renamed: strerror.h -> curl_strerror.h renamed: strtok.h -> curl_strtok.h renamed: strtoofft.h -> curl_strtoofft.h renamed: telnet.h -> curl_telnet.h renamed: tftp.h -> curl_tftp.h renamed: timeval.h -> curl_timeval.h renamed: transfer.h -> curl_transfer.h renamed: url.h -> curl_url.h renamed: urldata.h -> curl_urldata.h renamed: warnless.h -> curl_warnless.h renamed: wildcard.h -> curl_wildcard.h ----------------------------------------
2012-12-28build: make use of 76 lib/*.h renamed filesYang Tse
76 private header files renamed to use our standard naming scheme. This change affects 322 files in libcurl's source tree.
2011-09-03fix a bunch of MSVC compiler warningsYang Tse
2011-07-25time.h and sys/time.h inclusion conditionally done in setup_once.hYang Tse
2011-06-03cookie_output: made privateDaniel Stenberg
2011-05-21compiler warning: fixYang Tse
Fix compiler warning: empty body in an if-statement
2011-04-04disable cookies: remove ifdefs, move codeDaniel Stenberg
1 - make sure to #define macros for cookie functions in the cookie header when cookies are disabled to avoid having to use #ifdefs in code using those functions. 2 - move cookie-specific code to cookie.c and use the functio conditionally as mentioned in (1). net result: 6 #if lines removed, and 9 lines of code less
2010-03-24remove the CVSish $Id$ linesDaniel Stenberg
2009-02-27Indentation fixes, untabify and related whitespace-cleanup. No code changed.Daniel Stenberg
2008-01-31- Niklas Angebrand made the cookie support in libcurl properly deal with theDaniel Stenberg
"HttpOnly" feature introduced by Microsoft and apparently also supported by Firefox: http://msdn2.microsoft.com/en-us/library/ms533046.aspx . HttpOnly is now supported when received from servers in HTTP headers, when written to cookie jars and when read from existing cookie jars.
2008-01-23"Igor" pointed out that CURLOPT_COOKIELIST set to "ALL" leaked memory, and soDaniel Stenberg
did "SESS". Fixed now.
2007-08-29Added lots of constsDan Fandrich
2006-08-30Removed "#ifndef__WATCOMC__". Use "#ifdef HAVE_SYS_TIME_H" instead.Gisle Vanem
2006-08-29Watcom lacks <sys/time.h>.Gisle Vanem
2006-07-31Silence warning: empty body in an if-statementYang Tse
2006-05-24Michael Wallner provided a patch that allows "SESS" to be set withDaniel Stenberg
CURLOPT_COOKIELIST, which then makes all session cookies get cleared. (slightly edited by me, and the re-indent in cookie.c was also done by me)
2006-01-09Made the copyright year match the latest modification's year.Daniel Stenberg
2005-08-17- Jeff Pohlmeyer found out that if you ask libcurl to load a cookiefile (withDaniel Stenberg
CURLOPT_COOKIEFILE), add a cookie (with CURLOPT_COOKIELIST), tell it to write the result to a given cookie jar and then never actually call curl_easy_perform() - the given file(s) to read was never read but the output file was written and thus it caused a "funny" result. - While doing some tests for the bug above, I noticed that Firefox generates large numbers (for the expire time) in the cookies.txt file and libcurl didn't treat them properly. Now it does.
2005-07-27Peteris Krumins added CURLOPT_COOKIELIST and CURLINFO_COOKIELIST, which is aDaniel Stenberg
simple interface to extracting and setting cookies in libcurl's internal "cookie jar". See the new cookie_interface.c example code.
2004-10-06removed tabs and trailing whitespace from sourceDaniel Stenberg
2004-06-22David Cohen pointed out that RFC2109 says clients should allow cookies toDaniel Stenberg
contain least 4096 bytes while libcurl only allowed 2047. I raised the limit to 4999 now and made the used buffer get malloc()ed instead of simply allocated on stack as before.
2004-01-07updated year in the copyright stringDaniel Stenberg
2003-08-11the new cookie functions that require 'data' passed inDaniel Stenberg
2003-04-30Many cookie fixes:Daniel Stenberg
o Save domains in jars like Mozilla does. It means all domains set in Set-Cookie: headers are dot-prefixed. o Save and use the 'tailmatch' field in the Mozilla/Netscape cookie jars (the second column). o Reject cookies using illegal domains in the Set-Cookie: line. Concerns both domains with too few dots or domains that are outside the currently operating server host's domain. o Set the path part by default to the one used in the request, if none was set in the Set-Cookie line.
2003-01-16copyright year update in the source headerDaniel Stenberg
2002-09-03updated source code boilerplate/headerDaniel Stenberg
2002-05-07support for ingoring session cookies addedDaniel Stenberg
2002-03-19copyright string (year) updateDaniel Stenberg
2002-02-20Nico Baggus' VMS tweaksDaniel Stenberg
2001-09-26Now we're setting a default domain for received cookies so that we canDaniel Stenberg
properly match those cookies in subsequent requests
2001-08-29cookie jar adjustmentsDaniel Stenberg
2001-08-23started working on a function for writing (all) cookies, made it possibleDaniel Stenberg
to read multiple cookie files, no longer writes to the URL string passed to the _add() function. The new stuff is now conditionally compiled on the COOKIE define. Changed the _init() proto.
2001-01-05Internal symbols that aren't static are now prefixed with 'Curl_'Daniel Stenberg
2001-01-03dual-license fixDaniel Stenberg
2000-02-01Added some RFC2109 supportDaniel Stenberg
1999-12-29Initial revisionDaniel Stenberg