- Stefan Krause pointed out that libcurl would wrongly send away cookies to

sites in cases where the cookie clearly has a very old expiry date. The condition was simply that libcurl's date parser would fail to convert the date and it would then count as a (timed-based) match. Starting now, a missed date due to an unsupported date format or date range will now cause the cookie to not match.
2025-01-30 14:22:33 +08:00 · 2008-09-08 11:36:19 +00:00 · 2008-09-08 11:36:19 +00:00 · f72a26d340
commit f72a26d340
parent 387521bb6d
3 changed files with 21 additions and 8 deletions
--- a/8
+++ b/8
@ -6,6 +6,14 @@

                                  Changelog

+Daniel Stenberg (8 Sep 2008)
+- Stefan Krause pointed out that libcurl would wrongly send away cookies to
+  sites in cases where the cookie clearly has a very old expiry date. The
+  condition was simply that libcurl's date parser would fail to convert the
+  date and it would then count as a (timed-based) match. Starting now, a
+  missed date due to an unsupported date format or date range will now cause
+  the cookie to not match.
+
 Daniel Fandrich (5 Sep 2008)
 - Improved the logic the decides whether to use HTTP 1.1 features or not in a
  request.  Setting a specific version with CURLOPT_HTTP_VERSION overrides
--- a/3
+++ b/3
@ -19,6 +19,7 @@ This release includes the following bugfixes:
 o MingW32 non-configure builds are now largefile feature enabled by default
 o NetWare LIBC builds are now largefile feature enabled by default
 o curl_easy_pause() could behave wrongly on unpause
+ o cookie with invalid expire dates are now considered expired

 This release includes the following known bugs:

@ -32,6 +33,6 @@ This release would not have looked like this without help, code, reports and
 advice from friends like these:

 Keith Mok, Yang Tse, Daniel Fandrich, Guenter Knauf, Dmitriy Sergeyev,
- Linus Nielsen Feltzing, Martin Drasar
+ Linus Nielsen Feltzing, Martin Drasar, Stefan Krause

        Thanks! (and sorry if I forgot to mention someone)
--- a/lib/cookie.c
+++ b/lib/cookie.c
@ -338,7 +338,8 @@ Curl_cookie_add(struct SessionHandle *data,
              break;
            }
            co->expires =
-              atoi((*co->maxage=='\"')?&co->maxage[1]:&co->maxage[0]) + (long)now;
+              atoi((*co->maxage=='\"')?&co->maxage[1]:&co->maxage[0]) +
+              (long)now;
          }
          else if(strequal("expires", name)) {
            co->expirestr=strdup(whatptr);
@ -346,6 +347,9 @@ Curl_cookie_add(struct SessionHandle *data,
              badcookie = TRUE;
              break;
            }
+            /* Note that we store -1 in 'expires' here if the date couldn't
+               get parsed for whatever reason. This will have the effect that
+               the cookie won't match. */
            co->expires = curl_getdate(what, &now);
          }
          else if(!co->name) {
@ -437,10 +441,10 @@ Curl_cookie_add(struct SessionHandle *data,
    char *tok_buf;
    int fields;

-    /* IE introduced HTTP-only cookies to prevent XSS attacks. Cookies 
-       marked with httpOnly after the domain name are not accessible  
-       from javascripts, but since curl does not operate at javascript  
-       level, we include them anyway. In Firefox's cookie files, these 
+    /* IE introduced HTTP-only cookies to prevent XSS attacks. Cookies
+       marked with httpOnly after the domain name are not accessible
+       from javascripts, but since curl does not operate at javascript
+       level, we include them anyway. In Firefox's cookie files, these
       lines are preceeded with #HttpOnly_ and then everything is
       as usual, so we skip 10 characters of the line..
    */
@ -753,7 +757,7 @@ struct CookieInfo *Curl_cookie_init(struct SessionHandle *data,

 struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
                                   const char *host, const char *path,
-				   bool secure)
+                                   bool secure)
 {
  struct Cookie *newco;
  struct Cookie *co;
@ -769,7 +773,7 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
    /* only process this cookie if it is not expired or had no expire
       date AND that if the cookie requires we're secure we must only
       continue if we are! */
-    if( (co->expires<=0 || (co->expires> now)) &&
+    if( (!co->expires || (co->expires > now)) &&
        (co->secure?secure:TRUE) ) {

      /* now check if the domain is correct */