From 1b55d270ad3d4473b2fd46481478275e47c60eaf Mon Sep 17 00:00:00 2001
From: Patrick Monnerat <patrick@monnerat.net>
Date: Sun, 13 May 2018 01:23:10 +0200
Subject: cookies: do not take cookie name as a parameter

RFC 6265 section 4.2.1 does not set restrictions on cookie names.
This is a follow-up to commit 7f7fcd0.
Also explicitly check proper syntax of cookie name/value pair.

New test 1155 checks that cookie names are not reserved words.

Reported-By: anshnd at github
Fixes #2564
Closes #2566
---
 lib/cookie.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'lib/cookie.c')

diff --git a/lib/cookie.c b/lib/cookie.c
index 5eb3c1209..29f627fd4 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -528,10 +528,16 @@ Curl_cookie_add(struct Curl_easy *data,
         while(*whatptr && ISBLANK(*whatptr))
           whatptr++;
 
-        if(!co->name && sep) {
+        if(!co->name) {
           /* The very first name/value pair is the actual cookie name */
+          if(!sep) {
+            /* Bad name/value pair. */
+            badcookie = TRUE;
+            break;
+          }
           co->name = strdup(name);
           co->value = strdup(whatptr);
+          done = TRUE;
           if(!co->name || !co->value) {
             badcookie = TRUE;
             break;
-- 
cgit v1.2.3