cookies: the max expire time is 400 days

draft-ietf-httpbis-rfc6265bis-14 says: "The limit SHOULD NOT be greater than 400 days (34560000 seconds) in duration. The RECOMMENDED limit is 400 days in duration, but the user agent MAY adjust the limit. Max-Age attributes that are greater than the limit MUST be reduced to the limit."
2025-02-17 14:59:45 +08:00 · 2024-05-06 23:11:52 +02:00 · 2024-05-06 23:11:52 +02:00 · bb730a9988
commit bb730a9988
parent 4edbd52267
5 changed files with 57 additions and 27 deletions
--- a/lib/cookie.c
+++ b/lib/cookie.c
@ -368,6 +368,18 @@ static void strstore(char **str, const char *newstr, size_t len)
  *str = Curl_memdup0(newstr, len);
 }

+static time_t time_now(void)
+{
+#ifdef DEBUGBUILD
+  char *timestr = getenv("CURL_TIME");
+  if(timestr) {
+    unsigned long val = strtol(timestr, NULL, 10);
+    return (time_t)val;
+  }
+#endif
+  return time(NULL);
+}
+
 /*
 * remove_expired
 *
@ -380,7 +392,7 @@ static void strstore(char **str, const char *newstr, size_t len)
 static void remove_expired(struct CookieInfo *cookies)
 {
  struct Cookie *co, *nx;
-  curl_off_t now = (curl_off_t)time(NULL);
+  curl_off_t now = (curl_off_t)time_now();
  unsigned int i;

  /*
@ -469,6 +481,18 @@ static int invalid_octets(const char *p)
  return (p[len] != '\0');
 }

+/* number of seconds in 400 days */
+#define MAXAGE (400*24*3600)
+
+/* Make sure cookies never expire further away in time than 400 days into the
+   future. (from RFC6265bis draft-13 section 4.1.2.1) */
+static void cap_expires(time_t now, struct Cookie *co)
+{
+  if((TIME_T_MAX - MAXAGE) > now)
+    if(co->expires > (now + MAXAGE))
+      co->expires = now + MAXAGE;
+}
+
 /*
 * Curl_cookie_add
 *
@ -496,7 +520,7 @@ Curl_cookie_add(struct Curl_easy *data,
  struct Cookie *lastc = NULL;
  struct Cookie *replace_co = NULL;
  struct Cookie *replace_clist = NULL;
-  time_t now = time(NULL);
+  time_t now = time_now();
  bool replace_old = FALSE;
  bool badcookie = FALSE; /* cookies are good by default. mmmmm yummy */
  size_t myhash;
@ -752,6 +776,7 @@ Curl_cookie_add(struct Curl_easy *data,
              co->expires += now;
            break;
          }
+          cap_expires(now, co);
        }
        else if((nlen == 7) && strncasecompare("expires", namep, 7)) {
          char date[128];
@ -776,6 +801,8 @@ Curl_cookie_add(struct Curl_easy *data,
              co->expires = 1;
            else if(co->expires < 0)
              co->expires = 0;
+            else
+              cap_expires(now, co);
          }
        }

--- a/tests/data/test1415
+++ b/tests/data/test1415
@ -59,7 +59,12 @@ http://example.com/we/want/%TESTNUMBER -b none -c %LOGDIR/jar%TESTNUMBER.txt -x
 <features>
 cookies
 proxy
+debug
 </features>
+# This date is exactly: Thu Nov 16 10:12:59 AM UTC 2023
+<setenv>
+CURL_TIME=1700129579
+</setenv>
 </client>

 # Verify data after the test has been "shot"
@ -78,15 +83,9 @@ Proxy-Connection: Keep-Alive
 # https://curl.se/docs/http-cookies.html
 # This file was generated by libcurl! Edit at your own risk.

-%if large-time
-.example.com	TRUE	/	FALSE	17545593600	test7value	test7
-.example.com	TRUE	/	FALSE	17545593600	test4value	test4
-.example.com	TRUE	/	FALSE	17545593600	test2value	test2
-%else
-.example.com	TRUE	/	FALSE	2145830400	test7value	test7
-.example.com	TRUE	/	FALSE	2145830400	test4value	test4
-.example.com	TRUE	/	FALSE	2145830400	test2value	test2
-%endif
+.example.com	TRUE	/	FALSE	1734689579	test7value	test7
+.example.com	TRUE	/	FALSE	1734689579	test4value	test4
+.example.com	TRUE	/	FALSE	1734689579	test2value	test2
 .example.com	TRUE	/	FALSE	0	test1value	test1
 </file>
 </verify>
--- a/tests/data/test31
+++ b/tests/data/test31
@ -149,7 +149,12 @@ perl -e "print 'Test requires default test server host' if ( '%HOSTIP' ne '127.0
 </precheck>
 <features>
 cookies
+debug
 </features>
+# This date is exactly: Thu Nov 16 10:12:59 AM UTC 2023
+<setenv>
+CURL_TIME=1700129579
+</setenv>
 </client>

 # Verify data after the test has been "shot"
@ -171,11 +176,7 @@ test31.curl	FALSE	/we/want/	FALSE	0	withspaces2	before equals
 test31.curl	FALSE	/we/want/	FALSE	0	withspaces	yes  within and around
 .test31.curl	TRUE	/we/want/	FALSE	0	blexp	yesyes
 #HttpOnly_test31.curl	FALSE	/silly/	FALSE	0	magic	yessir
-%if large-time
-test31.curl	FALSE	/we/want/	FALSE	17517902187	nodomain	value
-%else
-test31.curl	FALSE	/we/want/	FALSE	2118138987	nodomain	value
-%endif
+test31.curl	FALSE	/we/want/	FALSE	1734689579	nodomain	value
 .test31.curl	TRUE	/	FALSE	0	partmatch	present
 #HttpOnly_.test31.curl	TRUE	/p4/	FALSE	0	httponly	myvalue1
 #HttpOnly_.test31.curl	TRUE	/p4/	FALSE	0	httpo4	value4
--- a/tests/data/test46
+++ b/tests/data/test46
@ -69,7 +69,12 @@ domain..tld	FALSE	/want	FALSE	0	empty
 </file>
 <features>
 cookies
+debug
 </features>
+# This date is exactly: Thu Nov 16 10:12:59 AM UTC 2023
+<setenv>
+CURL_TIME=1700129579
+</setenv>
 </client>

 # Verify data after the test has been "shot"
@ -91,16 +96,14 @@ domain..tld	FALSE	/want/	FALSE	0	simplyhuge	zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
 domain..tld	FALSE	/	FALSE	0	justaname	
 domain..tld	FALSE	/	FALSE	0	ASPSESSIONIDQGGQQSJJ	GKNBDIFAAOFDPDAIEAKDIBKE
 domain..tld	FALSE	/	FALSE	0	ckySession	temporary
-%if large-time
-domain..tld	FALSE	/	FALSE	17517902187	ckyPersistent	permanent
+domain..tld	FALSE	/	FALSE	1734689579	ckyPersistent	permanent
 domain..tld	FALSE	/want	FALSE	0	empty	
+%if large-time
 #HttpOnly_domain..tld	FALSE	/want	FALSE	22139150993	mooo2	indeed2
 domain..tld	FALSE	/	FALSE	22139150993	mooo	indeed
 www.loser.com	FALSE	/	FALSE	22139150993	UID	99
 www.fake.come	FALSE	/	FALSE	22147483647	cookiecliente	si
 %else
-domain..tld	FALSE	/	FALSE	2118138987	ckyPersistent	permanent
-domain..tld	FALSE	/want	FALSE	0	empty	
 #HttpOnly_domain..tld	FALSE	/want	FALSE	2139150993	mooo2	indeed2
 domain..tld	FALSE	/	FALSE	2139150993	mooo	indeed
 www.loser.com	FALSE	/	FALSE	2139150993	UID	99
--- a/tests/data/test61
+++ b/tests/data/test61
@ -46,14 +46,19 @@ HTTP with various cookies and custom Host:
 # Explicitly set the time zone to a known good one, in case the user is
 # using one of the 'right' zones that take into account leap seconds
 # which causes the cookie expiry times to be different.
+
+# This date is exactly: Thu Nov 16 10:12:59 AM UTC 2023
 <setenv>
 TZ=GMT
+CURL_TIME=1700129579
+</setenv>
 </setenv>
 <command>
 http://%HOSTIP:%HTTPPORT/we/want/%TESTNUMBER -c %LOGDIR/jar%TESTNUMBER.txt -H "Host: www.host.foo.com"
 </command>
 <features>
 cookies
+debug
 </features>
 </client>

@ -71,13 +76,8 @@ Accept: */*
 # https://curl.se/docs/http-cookies.html
 # This file was generated by libcurl! Edit at your own risk.

-%if large-time
-.host.foo.com	TRUE	/we/want/	FALSE	17517902187	test2	yes
-#HttpOnly_.foo.com	TRUE	/we/want/	FALSE	17517902187	test	yes
-%else
-.host.foo.com	TRUE	/we/want/	FALSE	2118138987	test2	yes
-#HttpOnly_.foo.com	TRUE	/we/want/	FALSE	2118138987	test	yes
-%endif
+.host.foo.com	TRUE	/we/want/	FALSE	1734689579	test2	yes
+#HttpOnly_.foo.com	TRUE	/we/want/	FALSE	1734689579	test	yes
 </file>
 </verify>
 </testcase>