Age | Commit message (Collapse) | Author |
|
"name =value" is fine and the space should just be skipped.
Updated test 31 to also test for this.
Bug: https://github.com/bagder/curl/issues/195
Reported-by: cromestant
Help-by: Frank Gevaerts
|
|
By not detecting and rejecting domain names for partial literal IP
addresses properly when parsing received HTTP cookies, libcurl can be
fooled to both send cookies to wrong sites and to allow arbitrary sites
to set cookies for others.
CVE-2014-3613
Bug: http://curl.haxx.se/docs/adv_20140910A.html
|
|
The initial fix to only compare full path names was done in commit
04f52e9b4db0 but found out to be incomplete. This take should make the
change more complete and there's now two additional tests to verify
(test 31 and 62).
|
|
They currently only work for 127.0.0.1 which
is hardcoded and can't be easily changed.
|
|
Trailing spaces were left unmodified, assuming they were intentional.
|
|
There are two keywords in cookie headers that don't follow the regular
name=value style: secure and httponly. Still we must support that they
are written like 'secure=' and then treat them as if they were written
'secure'. Test case 31 was much extended by Rob Ward to test this.
Bug: http://curl.haxx.se/bug/view.cgi?id=3349227
Reported by: "gnombat"
|
|
unparsable expiry dates and then treat them as session cookies - previously
libcurl would reject cookies with a date format it couldn't parse. Research
shows that the major browsers treat such cookies as session cookies. I
modified test 8 and 31 to verify this.
|
|
files being mirrored) and thus I've changed the URL in the cookiejar header
to no longer use curlm.haxx.se but instead use the main site curl.haxx.se
|
|
"HttpOnly" feature introduced by Microsoft and apparently also supported by
Firefox: http://msdn2.microsoft.com/en-us/library/ms533046.aspx . HttpOnly
is now supported when received from servers in HTTP headers, when written to
cookie jars and when read from existing cookie jars.
|
|
using one of the so-called 'right' time zones that take into account
leap seconds, which causes the tests to fail (as reported by
Daniel Black in bug report #1745964).
|
|
So cookie expiration date is lowered to expire at most in 2035.
|
|
Next time in 2038 :-)
|
|
are not, due mainly to the lack of support for XML character entities
(e.g. & => &amp; ). This will make it easier to validate test files using
tools like xmllint, as well as edit and view them using XML tools.
|
|
jar has died and we now instead point out our own version of that
|
|
A) Normal non-proxy HTTP:
- no more "Pragma: no-cache" (this only makes sense to proxies)
B) Non-CONNECT HTTP request over proxy:
- "Pragma: no-cache" is used (like before)
- "Proxy-Connection: Keep-alive" (for older style 1.0-proxies)
C) CONNECT HTTP request over proxy:
- "Host: [name]:[port]"
- "Proxy-Connection: Keep-alive"
|
|
the runtests.pl to check this differently on operating systems that
differentiate on this.
|
|
2. adjusted date strings to upcoming date parser rewrite
|
|
no fixed port numbers in use anymore. Starting now, the default ports the
servers use are 8990 - 8993. There's no option to modify these yet, but
changing the $base option in the top of the runtests.pl script.
|
|
HTTP server
|
|
test number.
|
|