Commit Graph

25 Commits

Author SHA1 Message Date
Daniel Stenberg
299d9660f8
Revert "cookies: extend domain checks to non psl builds"
This reverts commit 3773de378d.

Regression shipped in 7.64.0
Fixes #3649
2019-03-09 12:59:20 +01:00
Daniel Gustafsson
3773de378d cookies: extend domain checks to non psl builds
Ensure to perform the checks we have to enforce a sane domain in
the cookie request. The check for non-PSL enabled builds is quite
basic but it's better than nothing.

Closes #2964
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-19 20:59:09 +01:00
Daniel Gustafsson
e2ef8d6fa1
cookies: support creation-time attribute for cookies
According to RFC6265 section 5.4, cookies with equal path lengths
SHOULD be sorted by creation-time (earlier first). This adds a
creation-time record to the cookie struct in order to make cookie
sorting more deterministic. The creation-time is defined as the
order of the cookies in the jar, the first cookie read fro the
jar being the oldest. The creation-time is thus not serialized
into the jar. Also remove the strcmp() matching in the sorting as
there is no lexicographic ordering in RFC6265. Existing tests are
updated to match.

Closes #2524
2018-08-31 14:11:37 +02:00
Daniel Stenberg
18c735e790 cookies: allow spaces in cookie names, cut of trailing spaces
It turns out Firefox and Chrome both allow spaces in cookie names and
there are sites out there using that.

Turned out the code meant to strip off trailing space from cookie names
didn't work. Fixed now.

Test case 8 modified to verify both these changes.

Closes #639
2016-02-08 15:49:54 +01:00
Tim Ruehsen
8a75dbeb23 cookies: only use full host matches for hosts used as IP address
By not detecting and rejecting domain names for partial literal IP
addresses properly when parsing received HTTP cookies, libcurl can be
fooled to both send cookies to wrong sites and to allow arbitrary sites
to set cookies for others.

CVE-2014-3613

Bug: http://curl.haxx.se/docs/adv_20140910A.html
2014-09-10 07:32:36 +02:00
YAMADA Yasuharu
04f52e9b4d cookies: only consider full path matches
I found a bug which cURL sends cookies to the path not to aim at.
For example:
- cURL sends a request to http://example.fake/hoge/
- server returns cookie which with path=/hoge;
  the point is there is NOT the '/' end of path string.
- cURL sends a request to http://example.fake/hogege/ with the cookie.

The reason for this old "feature" is because that behavior is what is
described in the original netscape cookie spec:
http://curl.haxx.se/rfc/cookie_spec.html

The current cookie spec (RFC6265) clarifies the situation:
http://tools.ietf.org/html/rfc6265#section-5.2.4
2013-05-18 22:54:48 +02:00
Fabian Keil
1b10dd7aae Let test 8 work as long as %HOSTIP ends with ".0.0.1"
.. and add a precheck to skip the test otherwise.
2012-11-19 10:58:14 +01:00
Yang Tse
013ec6a92f cookies with same path length might get sorted in different order when
using different qsort implementations. In order to make this test give
same results on different systems, paths now have different lengths.
2010-02-03 01:53:47 +00:00
Daniel Stenberg
48032c0880 modified test case 8 to also make sure that we deal with cookies using
identical names but different paths properly
2010-01-20 09:39:40 +00:00
Daniel Stenberg
877dad1e24 - As was pointed out on the http-state mailing list, the order of cookies in a
HTTP Cookie: header _needs_ to be sorted on the path length in the cases
  where two cookies using the same name are set more than once using
  (overlapping) paths. Realizing this, identically named cookies must be
  sorted correctly. But detecting only identically named cookies and take care
  of them individually is harder than just to blindly and unconditionally sort
  all cookies based on their path lengths. All major browsers also already do
  this, so this makes our behavior one step closer to them in the cookie area.

  Test case 8 was the only one that broke due to this change and I updated it
  accordingly.
2010-01-19 23:19:59 +00:00
Daniel Stenberg
448d2b5f49 - Dima Barsky made the curl cookie parser accept cookies even with blank or
unparsable expiry dates and then treat them as session cookies - previously
  libcurl would reject cookies with a date format it couldn't parse. Research
  shows that the major browser treat such cookies as session cookies. I
  modified test 8 and 31 to verify this.
2009-10-25 18:15:14 +00:00
Daniel Stenberg
1cf6c15ab4 - bug report #2796358 (http://curl.haxx.se/bug/view.cgi?id=2796358) pointed
out that the cookie parser would leak memory when it parses cookies that are
  received with domain, path etc set multiple times in the same header. While
  such a cookie is questionable, they occur in the wild and libcurl no longer
  leaks memory for them. I added such a header to test case 8.
2009-05-25 12:23:22 +00:00
Dan Fandrich
05e4a3026d Replaced 127.0.0.1 with %HOSTIP where possible 2007-09-14 19:32:31 +00:00
Dan Fandrich
33bea767eb Convert (most of) the test data files into genuine XML. A handful still
are not, due mainly to the lack of support for XML character entities
(e.g. & => &amp; ).  This will make it easier to validate test files using
tools like xmllint, as well as edit and view them using XML tools.
2007-01-23 02:25:56 +00:00
Daniel Stenberg
28611704d9 Ates Goral pointed out that libcurl's cookie parser did case insensitive
string comparisons on the path which is incorrect and provided a patch that
fixes this. I edited test case 8 to include details that test for this.
2006-07-08 18:52:08 +00:00
Daniel Stenberg
5d9fc28fa7 Modified the default HTTP headers used by libcurl:
A) Normal non-proxy HTTP:

 - no more "Pragma: no-cache" (this only makes sense to proxies)

B) Non-CONNECT HTTP request over proxy:

 - "Pragma: no-cache" is used (like before)
 - "Proxy-Connection: Keep-alive" (for older style 1.0-proxies)

C) CONNECT HTTP request over proxy:

 - "Host: [name]:[port]"
 - "Proxy-Connection: Keep-alive"
2005-05-11 09:52:59 +00:00
Daniel Stenberg
53280a196b keywords added 2005-04-16 23:15:19 +00:00
Daniel Stenberg
6c2f583f51 keywords added 2005-04-16 00:00:35 +00:00
Daniel Stenberg
f2e71edcbd A minor "syntax error" in numerous test files corrected 2005-01-25 21:45:03 +00:00
Daniel Stenberg
2b1673c9c8 Now the test servers and test cases can run on a custom port number. There's
no fixed port numbers in use anymore. Starting now, the default ports the
servers use are 8990 - 8993. There's no option to modify these yet, but
changing the $base option in the top of the runtests.pl script.
2004-09-08 08:08:38 +00:00
Daniel Stenberg
93e32e6f62 Modified the default HTTP Accept: header to only be Accept: */* 2004-02-09 12:46:41 +00:00
Daniel Stenberg
c50a601f1a modified to work fine with the new persistant connection working test suite
HTTP server
2003-07-19 23:57:08 +00:00
Daniel Stenberg
ee29dbdb8f Each test case now specifies which server(s) it needs, without relying on the
test number.
2003-04-30 20:25:39 +00:00
Daniel Stenberg
ce07e79f3c cookies are stored in the reversed order now (which in turn means that
the order is _not_ actually reversed like it used to be)
2001-08-24 10:18:14 +00:00
Daniel Stenberg
b6ca1be1cd test case converted to the new file format 2001-05-28 12:30:21 +00:00