mirror/curl
2
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2025-01-12 13:55:11 +08:00
Code Issues Packages Projects Releases Wiki Activity
70f1b540f3
curl/lib/cookie.h

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

147 lines
5.8 KiB
C
Raw Normal View History

compiler warning: fix Fix compiler warning: empty body in an if-statement
2011-05-21 19:46:37 +08:00
#ifndef HEADER_CURL_COOKIE_H
#define HEADER_CURL_COOKIE_H
updated source code boilerplate/header
2002-09-03 19:52:59 +08:00
/***************************************************************************
David Cohen pointed out that RFC2109 says clients should allow cookies to contain least 4096 bytes while libcurl only allowed 2047. I raised the limit to 4999 now and made the used buffer get malloc()ed instead of simply allocated on stack as before.
2004-06-23 05:15:51 +08:00
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
dual-license fix
2001-01-03 17:29:33 +08:00
* \___|\___/|_| \_\_____|
*
copyright: update all copyright lines and remove year ranges - they are mostly pointless in all major jurisdictions - many big corporations and projects already don't use them - saves us from pointless churn - git keeps history for us - the year range is kept in COPYING checksrc is updated to allow non-year using copyright statements Closes #10205
2023-01-02 20:51:48 +08:00
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
dual-license fix
2001-01-03 17:29:33 +08:00
*
updated source code boilerplate/header
2002-09-03 19:52:59 +08:00
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
curl.se: new home Closes #6172
2020-11-04 21:02:01 +08:00
* are also available at https://curl.se/docs/copyright.html.
David Cohen pointed out that RFC2109 says clients should allow cookies to contain least 4096 bytes while libcurl only allowed 2047. I raised the limit to 4999 now and made the used buffer get malloc()ed instead of simply allocated on stack as before.
2004-06-23 05:15:51 +08:00
*
dual-license fix
2001-01-03 17:29:33 +08:00
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
updated source code boilerplate/header
2002-09-03 19:52:59 +08:00
* furnished to do so, under the terms of the COPYING file.
dual-license fix
2001-01-03 17:29:33 +08:00
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
updated source code boilerplate/header
2002-09-03 19:52:59 +08:00
* SPDX-License-Identifier: curl
copyright: make repository REUSE compliant Add licensing and copyright information for all files in this repository. This either happens in the file itself as a comment header or in the file `.reuse/dep5`. This commit also adds a Github workflow to check pull requests and adapts copyright.pl to the changes. Closes #8869
2022-05-17 17:16:50 +08:00
*
updated source code boilerplate/header
2002-09-03 19:52:59 +08:00
***************************************************************************/
build: fix circular header inclusion with other packages This commit renames lib/setup.h to lib/curl_setup.h and renames lib/setup_once.h to lib/curl_setup_once.h. Removes the need and usage of a header inclusion guard foreign to libcurl. [1] Removes the need and presence of an alarming notice we carried in old setup_once.h [2] ---------------------------------------- 1 - lib/setup_once.h used __SETUP_ONCE_H macro as header inclusion guard up to commit ec691ca3 which changed this to HEADER_CURL_SETUP_ONCE_H, this single inclusion guard is enough to ensure that inclusion of lib/setup_once.h done from lib/setup.h is only done once. Additionally lib/setup.h has always used __SETUP_ONCE_H macro to protect inclusion of setup_once.h even after commit ec691ca3, this was to avoid a circular header inclusion triggered when building a c-ares enabled version with c-ares sources available which also has a setup_once.h header. Commit ec691ca3 exposes the real nature of __SETUP_ONCE_H usage in lib/setup.h, it is a header inclusion guard foreign to libcurl belonging to c-ares's setup_once.h The renaming this commit does, fixes the circular header inclusion, and as such removes the need and usage of a header inclusion guard foreign to libcurl. Macro __SETUP_ONCE_H no longer used in libcurl. 2 - Due to the circular interdependency of old lib/setup_once.h and the c-ares setup_once.h header, old file lib/setup_once.h has carried back from 2006 up to now days an alarming and prominent notice about the need of keeping libcurl's and c-ares's setup_once.h in sync. Given that this commit fixes the circular interdependency, the need and presence of mentioned notice is removed. All mentioned interdependencies come back from now old days when the c-ares project lived inside a curl subdirectory. This commit removes last traces of such fact.
2013-01-07 02:06:49 +08:00
#include "curl_setup.h"
Initial revision
1999-12-29 22:20:26 +08:00
#include <curl/curl.h>
struct Cookie {
Added some RFC2109 support
2000-02-02 07:54:51 +08:00
struct Cookie *next; /* next in the chain */
char *name; /* <this> = value */
char *value; /* name = <this> */
cookies: follow-up fix for path checking The initial fix to only compare full path names were done in commit 04f52e9b4db0 but found out to be incomplete. This takes should make the change more complete and there's now two additional tests to verify (test 31 and 62).
2013-06-12 17:19:56 +08:00
char *path; /* path = <this> which is in Set-Cookie: */
char *spath; /* sanitized cookie path */
Added some RFC2109 support
2000-02-02 07:54:51 +08:00
char *domain; /* domain = <this> */
- Jeff Pohlmeyer found out that if you ask libcurl to load a cookiefile (with CURLOPT_COOKIEFILE), add a cookie (with CURLOPT_COOKIELIST), tell it to write the result to a given cookie jar and then never actually call curl_easy_perform() - the given file(s) to read was never read but the output file was written and thus it caused a "funny" result. - While doing some tests for the bug above, I noticed that Firefox generates large numbers (for the expire time) in the cookies.txt file and libcurl didn't treat them properly. Now it does.
2005-08-17 16:55:43 +08:00
curl_off_t expires; /* expires = <this> */
Added some RFC2109 support
2000-02-02 07:54:51 +08:00
char *expirestr; /* the plain text version */
David Cohen pointed out that RFC2109 says clients should allow cookies to contain least 4096 bytes while libcurl only allowed 2047. I raised the limit to 4999 now and made the used buffer get malloc()ed instead of simply allocated on stack as before.
2004-06-23 05:15:51 +08:00
Added some RFC2109 support
2000-02-02 07:54:51 +08:00
/* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */
char *version; /* Version = <value> */
char *maxage; /* Max-Age = <value> */
David Cohen pointed out that RFC2109 says clients should allow cookies to contain least 4096 bytes while libcurl only allowed 2047. I raised the limit to 4999 now and made the used buffer get malloc()ed instead of simply allocated on stack as before.
2004-06-23 05:15:51 +08:00
lib: save a bit of space with some structure packing - Reorder some internal struct members so that less padding is used. This is an attempt at saving a bit of space by packing some structs (using pahole to find the holes) where it might make sense to do so without losing readability. I.e., I tried to avoid separating fields that seem grouped together (like the cwd... fields in struct ftp_conn for instance). Also abstained from touching fields behind conditional macros as that quickly can get complicated. Closes https://github.com/curl/curl/pull/6483
2021-01-17 05:17:51 +08:00
bool tailmatch; /* whether we do tail-matching of the domain name */
Added some RFC2109 support
2000-02-02 07:54:51 +08:00
bool secure; /* whether the 'secure' keyword was used */
started working on a function for writing (all) cookies, made it possible to read multiple cookie files, no longer writes to the URL string passed to the _add() function. The new stuff is now conditionally compiled on the COOKIE define. Changed the _init() proto.
2001-08-23 22:05:25 +08:00
bool livecookie; /* updated from a server, not a stored file */
- Niklas Angebrand made the cookie support in libcurl properly deal with the "HttpOnly" feature introduced by Microsoft and apparently also supported by Firefox: http://msdn2.microsoft.com/en-us/library/ms533046.aspx . HttpOnly is now supported when received from servers in HTTP headers, when written to cookie jars and when read from existing cookie jars.
2008-01-31 20:21:57 +08:00
bool httponly; /* true if the httponly directive is present */
cookies: support creation-time attribute for cookies According to RFC6265 section 5.4, cookies with equal path lengths SHOULD be sorted by creation-time (earlier first). This adds a creation-time record to the cookie struct in order to make cookie sorting more deterministic. The creation-time is defined as the order of the cookies in the jar, the first cookie read fro the jar being the oldest. The creation-time is thus not serialized into the jar. Also remove the strcmp() matching in the sorting as there is no lexicographic ordering in RFC6265. Existing tests are updated to match. Closes #2524
2018-08-28 17:28:50 +08:00
int creationtime; /* time when the cookie was written */
cookie: Add support for cookie prefixes The draft-ietf-httpbis-rfc6265bis-02 draft, specify a set of prefixes and how they should affect cookie initialization, which has been adopted by the major browsers. This adds support for the two prefixes defined, __Host- and __Secure, and updates the testcase with the supplied examples from the draft. Closes #3554 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-02-17 07:09:30 +08:00
unsigned char prefix; /* bitmap fields indicating which prefix are set */
Initial revision
1999-12-29 22:20:26 +08:00
};
cookie: Add support for cookie prefixes The draft-ietf-httpbis-rfc6265bis-02 draft, specify a set of prefixes and how they should affect cookie initialization, which has been adopted by the major browsers. This adds support for the two prefixes defined, __Host- and __Secure, and updates the testcase with the supplied examples from the draft. Closes #3554 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-02-17 07:09:30 +08:00
/*
* Available cookie prefixes, as defined in
* draft-ietf-httpbis-rfc6265bis-02
*/
#define COOKIE_PREFIX__SECURE (1<<0)
#define COOKIE_PREFIX__HOST (1<<1)
cookie: store cookies per top-level-domain-specific hash table This makes libcurl handle thousands of cookies much better and speedier. Closes #2440
2018-03-30 22:35:46 +08:00
#define COOKIE_HASH_SIZE 256
Initial revision
1999-12-29 22:20:26 +08:00
struct CookieInfo {
started working on a function for writing (all) cookies, made it possible to read multiple cookie files, no longer writes to the URL string passed to the _add() function. The new stuff is now conditionally compiled on the COOKIE define. Changed the _init() proto.
2001-08-23 22:05:25 +08:00
/* linked list of cookies we know of */
cookie: store cookies per top-level-domain-specific hash table This makes libcurl handle thousands of cookies much better and speedier. Closes #2440
2018-03-30 22:35:46 +08:00
struct Cookie *cookies[COOKIE_HASH_SIZE];
support for ingoring session cookies added
2002-05-07 17:58:13 +08:00
char *filename; /* file we read from/write to */
cookie jar adjustments
2001-08-29 17:32:18 +08:00
long numcookies; /* number of cookies in the "jar" */
lib: save a bit of space with some structure packing - Reorder some internal struct members so that less padding is used. This is an attempt at saving a bit of space by packing some structs (using pahole to find the holes) where it might make sense to do so without losing readability. I.e., I tried to avoid separating fields that seem grouped together (like the cwd... fields in struct ftp_conn for instance). Also abstained from touching fields behind conditional macros as that quickly can get complicated. Closes https://github.com/curl/curl/pull/6483
2021-01-17 05:17:51 +08:00
bool running; /* state info, for cookie adding information */
support for ingoring session cookies added
2002-05-07 17:58:13 +08:00
bool newsession; /* new session, discard session cookies on load */
cookies: support creation-time attribute for cookies According to RFC6265 section 5.4, cookies with equal path lengths SHOULD be sorted by creation-time (earlier first). This adds a creation-time record to the cookie struct in order to make cookie sorting more deterministic. The creation-time is defined as the order of the cookies in the jar, the first cookie read fro the jar being the oldest. The creation-time is thus not serialized into the jar. Also remove the strcmp() matching in the sorting as there is no lexicographic ordering in RFC6265. Existing tests are updated to match. Closes #2524
2018-08-28 17:28:50 +08:00
int lastct; /* last creation-time used in the jar */
cookies: track expiration in jar to optimize removals Removing expired cookies needs to be a fast operation since we want to be able to perform it often and speculatively. By tracking the timestamp of the next known expiration we can exit early in case the timestamp is in the future. Closes: #7172 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2021-06-08 15:16:58 +08:00
curl_off_t next_expiration; /* the next time at which expiration happens */
Initial revision
1999-12-29 22:20:26 +08:00
};
cookie: update the comment on cookie length and size limits To refer to the proper cookie RFC and the upcoming RFC refresh. Closes #11127
2023-05-17 22:12:48 +08:00
/* The maximum sizes we accept for cookies. RFC 6265 section 6.1 says
"general-use user agents SHOULD provide each of the following minimum
capabilities":
David Cohen pointed out that RFC2109 says clients should allow cookies to contain least 4096 bytes while libcurl only allowed 2047. I raised the limit to 4999 now and made the used buffer get malloc()ed instead of simply allocated on stack as before.
2004-06-23 05:15:51 +08:00
cookie: update the comment on cookie length and size limits To refer to the proper cookie RFC and the upcoming RFC refresh. Closes #11127
2023-05-17 22:12:48 +08:00
- At least 4096 bytes per cookie (as measured by the sum of the length of
the cookie's name, value, and attributes).
cookies: reject oversized cookies ... instead of truncating them. There's no fixed limit for acceptable cookie names in RFC 6265, but the entire cookie is said to be less than 4096 bytes (section 6.1). This is also what browsers seem to implement. We now allow max 5000 bytes cookie header. Max 4095 bytes length per cookie name and value. Name + value together may not exceed 4096 bytes. Added test 1151 to verify Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html Reported-by: Kevin Smith Closes #1894
2017-09-18 06:55:07 +08:00
cookie: update the comment on cookie length and size limits To refer to the proper cookie RFC and the upcoming RFC refresh. Closes #11127
2023-05-17 22:12:48 +08:00
In the 6265bis draft document section 5.4 it is phrased even stronger: "If
the sum of the lengths of the name string and the value string is more than
4096 octets, abort these steps and ignore the set-cookie-string entirely."
David Cohen pointed out that RFC2109 says clients should allow cookies to contain least 4096 bytes while libcurl only allowed 2047. I raised the limit to 4999 now and made the used buffer get malloc()ed instead of simply allocated on stack as before.
2004-06-23 05:15:51 +08:00
*/
cookie: update the comment on cookie length and size limits To refer to the proper cookie RFC and the upcoming RFC refresh. Closes #11127
2023-05-17 22:12:48 +08:00
/** Limits for INCOMING cookies **/
/* The longest we allow a line to be when reading a cookie from a HTTP header
or from a cookie jar */
David Cohen pointed out that RFC2109 says clients should allow cookies to contain least 4096 bytes while libcurl only allowed 2047. I raised the limit to 4999 now and made the used buffer get malloc()ed instead of simply allocated on stack as before.
2004-06-23 05:15:51 +08:00
#define MAX_COOKIE_LINE 5000
Initial revision
1999-12-29 22:20:26 +08:00
cookie: apply limits - Send no more than 150 cookies per request - Cap the max length used for a cookie: header to 8K - Cap the max number of received Set-Cookie: headers to 50 Bug: https://curl.se/docs/CVE-2022-32205.html CVE-2022-32205 Reported-by: Harry Sintonen Closes #9048
2022-06-26 17:00:48 +08:00
/* Maximum length of an incoming cookie name or content we deal with. Longer
cookies are ignored. */
cookies: reject oversized cookies ... instead of truncating them. There's no fixed limit for acceptable cookie names in RFC 6265, but the entire cookie is said to be less than 4096 bytes (section 6.1). This is also what browsers seem to implement. We now allow max 5000 bytes cookie header. Max 4095 bytes length per cookie name and value. Name + value together may not exceed 4096 bytes. Added test 1151 to verify Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html Reported-by: Kevin Smith Closes #1894
2017-09-18 06:55:07 +08:00
#define MAX_NAME 4096
cookie: update the comment on cookie length and size limits To refer to the proper cookie RFC and the upcoming RFC refresh. Closes #11127
2023-05-17 22:12:48 +08:00
/* Maximum number of Set-Cookie: lines accepted in a single response. If more
such header lines are received, they are ignored. This value must be less
than 256 since an unsigned char is used to count. */
#define MAX_SET_COOKIE_AMOUNT 50
/** Limits for OUTGOING cookies **/
Initial revision
1999-12-29 22:20:26 +08:00
cookie: apply limits - Send no more than 150 cookies per request - Cap the max length used for a cookie: header to 8K - Cap the max number of received Set-Cookie: headers to 50 Bug: https://curl.se/docs/CVE-2022-32205.html CVE-2022-32205 Reported-by: Harry Sintonen Closes #9048
2022-06-26 17:00:48 +08:00
/* Maximum size for an outgoing cookie line libcurl will use in an http
request. This is the default maximum length used in some versions of Apache
httpd. */
#define MAX_COOKIE_HEADER_LEN 8190
/* Maximum number of cookies libcurl will send in a single request, even if
there might be more cookies that match. One reason to cap the number is to
keep the maximum HTTP request within the maximum allowed size. */
#define MAX_COOKIE_SEND_AMOUNT 150
internals: rename the SessionHandle struct to Curl_easy
2016-06-21 21:47:12 +08:00
struct Curl_easy;
Now we're setting a default domain for received cookies so that we can properly match those cookies in subsequent requests
2001-09-26 15:08:29 +08:00
/*
Many cookie fixes: o Save domains in jars like Mozilla does. It means all domains set in Set-Cookie: headers are dot-prefixed. o Save and use the 'tailmatch' field in the Mozilla/Netscape cookie jars (the second column). o Reject cookies using illegal domains in the Set-Cookie: line. Concerns both domains with too few dots or domains that are outside the currently operating server host's domain. o Set the path part by default to the one used in the request, if none was set in the Set-Cookie line.
2003-05-01 01:03:43 +08:00
* Add a cookie to the internal list of cookies. The domain and path arguments
* are only used if the header boolean is TRUE.
Now we're setting a default domain for received cookies so that we can properly match those cookies in subsequent requests
2001-09-26 15:08:29 +08:00
*/
the new cookie functions that require 'data' passed in
2003-08-11 17:56:06 +08:00
internals: rename the SessionHandle struct to Curl_easy
2016-06-21 21:47:12 +08:00
struct Cookie *Curl_cookie_add(struct Curl_easy *data,
cookies: Use named parameters in header prototypes Align header with project style of using named parameters in the function prototypes to aid readability and self-documentation. Closes #6653 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2021-02-24 05:00:02 +08:00
struct CookieInfo *c, bool header,
bool noexpiry, char *lineptr,
cookies: leave secure cookies alone Only allow secure origins to be able to write cookies with the 'secure' flag set. This reduces the risk of non-secure origins to influence the state of secure origins. This implements IETF Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates RFC6265. Closes #2956 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-13 16:57:58 +08:00
const char *domain, const char *path,
bool secure);
Now we're setting a default domain for received cookies so that we can properly match those cookies in subsequent requests
2001-09-26 15:08:29 +08:00
cookie: apply limits - Send no more than 150 cookies per request - Cap the max length used for a cookie: header to 8K - Cap the max number of received Set-Cookie: headers to 50 Bug: https://curl.se/docs/CVE-2022-32205.html CVE-2022-32205 Reported-by: Harry Sintonen Closes #9048
2022-06-26 17:00:48 +08:00
struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
struct CookieInfo *c, const char *host,
cookies: Use named parameters in header prototypes Align header with project style of using named parameters in the function prototypes to aid readability and self-documentation. Closes #6653 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2021-02-24 05:00:02 +08:00
const char *path, bool secure);
cookies: getlist() now holds deep copies of all cookies Previously it only held references to them, which was reckless as the thread lock was released so the cookies could get modified by other handles that share the same cookie jar over the share interface. CVE-2016-8623 Bug: https://curl.haxx.se/docs/adv_20161102I.html Reported-by: Cure53
2016-10-05 05:26:13 +08:00
void Curl_cookie_freelist(struct Cookie *cookies);
Michael Wallner provided a patch that allows "SESS" to be set with CURLOPT_COOKIELIST, which then makes all session cookies get cleared. (slightly edited by me, and the re-indent in cookie.c was also done by me)
2006-05-25 06:46:38 +08:00
void Curl_cookie_clearall(struct CookieInfo *cookies);
void Curl_cookie_clearsess(struct CookieInfo *cookies);
Initial revision
1999-12-29 22:20:26 +08:00
Peteris Krumins added CURLOPT_COOKIELIST and CURLINFO_COOKIELIST, which is a simple interface to extracting and setting cookies in libcurl's internal "cookie jar". See the new cookie_interface.c example code.
2005-07-28 06:17:14 +08:00
#if defined(CURL_DISABLE_HTTP) || defined(CURL_DISABLE_COOKIES)
#define Curl_cookie_list(x) NULL
fix a bunch of MSVC compiler warnings
2011-09-03 22:06:10 +08:00
#define Curl_cookie_loadfiles(x) Curl_nop_stmt
disable cookies: remove ifdefs, move code 1 - make sure to #define macros for cookie functions in the cookie header when cookies are disabled to avoid having to use #ifdefs in code using those functions. 2 - move cookie-specific code to cookie.c and use the functio conditionally as mentioned in (1). net result: 6 #if lines removed, and 9 lines of code less
2011-04-04 21:46:42 +08:00
#define Curl_cookie_init(x,y,z,w) NULL
fix a bunch of MSVC compiler warnings
2011-09-03 22:06:10 +08:00
#define Curl_cookie_cleanup(x) Curl_nop_stmt
#define Curl_flush_cookies(x,y) Curl_nop_stmt
Peteris Krumins added CURLOPT_COOKIELIST and CURLINFO_COOKIELIST, which is a simple interface to extracting and setting cookies in libcurl's internal "cookie jar". See the new cookie_interface.c example code.
2005-07-28 06:17:14 +08:00
#else
cookies: change argument type for Curl_flush_cookies The second argument is really a 'bool' so use that and pass in TRUE/FALSE to make it clear. Closes #4455
2019-10-03 20:29:57 +08:00
void Curl_flush_cookies(struct Curl_easy *data, bool cleanup);
cookies: Use named parameters in header prototypes Align header with project style of using named parameters in the function prototypes to aid readability and self-documentation. Closes #6653 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2021-02-24 05:00:02 +08:00
void Curl_cookie_cleanup(struct CookieInfo *c);
internals: rename the SessionHandle struct to Curl_easy
2016-06-21 21:47:12 +08:00
struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
cookies: Use named parameters in header prototypes Align header with project style of using named parameters in the function prototypes to aid readability and self-documentation. Closes #6653 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2021-02-24 05:00:02 +08:00
const char *file, struct CookieInfo *inc,
bool newsession);
internals: rename the SessionHandle struct to Curl_easy
2016-06-21 21:47:12 +08:00
struct curl_slist *Curl_cookie_list(struct Curl_easy *data);
void Curl_cookie_loadfiles(struct Curl_easy *data);
Peteris Krumins added CURLOPT_COOKIELIST and CURLINFO_COOKIELIST, which is a simple interface to extracting and setting cookies in libcurl's internal "cookie jar". See the new cookie_interface.c example code.
2005-07-28 06:17:14 +08:00
#endif
compiler warning: fix Fix compiler warning: empty body in an if-statement
2011-05-21 19:46:37 +08:00
#endif /* HEADER_CURL_COOKIE_H */
Reference in New Issue Copy Permalink