From 04f52e9b4db01bcbf672c9c69303a4e4ad0d0fb9 Mon Sep 17 00:00:00 2001 From: YAMADA Yasuharu Date: Sat, 18 May 2013 22:51:31 +0200 Subject: cookies: only consider full path matches I found a bug which cURL sends cookies to the path not to aim at. For example: - cURL sends a request to http://example.fake/hoge/ - server returns cookie which with path=/hoge; the point is there is NOT the '/' end of path string. - cURL sends a request to http://example.fake/hogege/ with the cookie. The reason for this old "feature" is because that behavior is what is described in the original netscape cookie spec: http://curl.haxx.se/rfc/cookie_spec.html The current cookie spec (RFC6265) clarifies the situation: http://tools.ietf.org/html/rfc6265#section-5.2.4 --- tests/data/test1228 | 54 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 tests/data/test1228 (limited to 'tests/data/test1228') diff --git a/tests/data/test1228 b/tests/data/test1228 new file mode 100644 index 000000000..0a76b878c --- /dev/null +++ b/tests/data/test1228 @@ -0,0 +1,54 @@ + + + +HTTP +HTTP GET +cookies +cookie path + + + + +HTTP/1.1 200 OK +Date: Tue, 25 Sep 2001 19:37:44 GMT +Set-Cookie: path1=root; domain=.example.fake; path=/; +Set-Cookie: path2=depth1; domain=.example.fake; path=/hoge; +Content-Length: 34 + +This server says cookie path test + + + +# Client-side + + +http + + +HTTP cookie path match + + +http://example.fake/hoge/1228 http://example.fake/hogege/ -b nonexisting -x %HOSTIP:%HTTPPORT + + + +# Verify data after the test has been "shot" + + +^User-Agent:.* + + +GET http://example.fake/hoge/1228 HTTP/1.1 +Host: example.fake +Accept: */* +Proxy-Connection: Keep-Alive + +GET http://example.fake/hogege/ HTTP/1.1 +Host: example.fake +Accept: */* +Proxy-Connection: Keep-Alive +Cookie: path1=root + + + + -- cgit v1.2.3