Commit Graph

42 Commits

Author SHA1 Message Date
Daniel Stenberg
c495dcd02e
http: consider cookies over localhost to be secure
Updated test31.
Added test 392 to verify secure cookies used for http://localhost

Reviewed-by: Daniel Gustafsson
Fixes #6733
Closes #7263
2021-08-10 11:20:21 +02:00
Daniel Stenberg
e2b4df7b5e
tests: use %TESTNUMBER instead of fixed number
This makes the tests easier to copy and relocate to other test numbers
without having to update content.

Closes #6738
2021-03-19 15:57:21 +01:00
Fabian Keil
124198631b
tests: fixup several tests
missing CRs and modified %hostip

lib556/test556: use a real HTTP version to make test reuse more convenient

make sure the weekday in Date headers matches the date

test61: replace stray "^M" (5e 4d) at the end of a cookie with a '^M' (0d)

Gets the test working with external proxies like Privoxy again.

Closes #6463
2021-02-09 00:28:19 +01:00
Daniel Stenberg
c7dd08ce58
tests: updated tests for Hyper 2020-12-18 09:58:04 +01:00
Daniel Stenberg
4d2f800677
curl.se: new home
Closes #6172
2020-11-04 23:59:47 +01:00
Daniel Stenberg
e6b21d422e
runtests: provide curl's version string as %VERSION for tests
... so that we can check HTTP requests for User-Agent: curl/%VERSION

Update 600+ test cases accordingly.

Closes #6037
2020-10-02 22:54:23 +02:00
Bernhard M. Wiedemann
114a02c75b
tests: allow tests to pass by 2037-02-12
similar to commit f508d29f39

Closes #3443
2019-01-08 10:36:49 +01:00
Daniel Gustafsson
7a09b52c98 cookies: leave secure cookies alone
Only allow secure origins to be able to write cookies with the
'secure' flag set. This reduces the risk of non-secure origins
to influence the state of secure origins. This implements IETF
Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates
RFC6265.

Closes #2956
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-13 09:57:58 +01:00
Daniel Gustafsson
e2ef8d6fa1
cookies: support creation-time attribute for cookies
According to RFC6265 section 5.4, cookies with equal path lengths
SHOULD be sorted by creation-time (earlier first). This adds a
creation-time record to the cookie struct in order to make cookie
sorting more deterministic. The creation-time is defined as the
order of the cookies in the jar, the first cookie read fro the
jar being the oldest. The creation-time is thus not serialized
into the jar. Also remove the strcmp() matching in the sorting as
there is no lexicographic ordering in RFC6265. Existing tests are
updated to match.

Closes #2524
2018-08-31 14:11:37 +02:00
Dan Fandrich
fa0ac3f4d9 tests: made a couple of prechecks consistent with others
Also removed a TODO suggesting caching the precheck results. Tests
showed this would save about 0.1 sec on the total test run time on a
relatively modern system, an unnoticeable gain at the cost of longer and
more complicated code. There would also be a danger that a cached test
result would be inappropriately returned, such as when other test
dependencies (like environment variables) are different or when the
precheck causes side effects (like filesystem changes).
2017-05-13 19:12:22 +02:00
Daniel Stenberg
4af40b3646 URLs: change all http:// URLs to https:// 2016-02-03 00:19:02 +01:00
Daniel Stenberg
2685041a5c cookie: handle spaces after the name in Set-Cookie
"name =value" is fine and the space should just be skipped.

Updated test 31 to also test for this.

Bug: https://github.com/bagder/curl/issues/195
Reported-by: cromestant
Help-by: Frank Gevaerts
2015-04-01 23:25:29 +02:00
Tim Ruehsen
8a75dbeb23 cookies: only use full host matches for hosts used as IP address
By not detecting and rejecting domain names for partial literal IP
addresses properly when parsing received HTTP cookies, libcurl can be
fooled to both send cookies to wrong sites and to allow arbitrary sites
to set cookies for others.

CVE-2014-3613

Bug: http://curl.haxx.se/docs/adv_20140910A.html
2014-09-10 07:32:36 +02:00
YAMADA Yasuharu
f24dc09d20 cookies: follow-up fix for path checking
The initial fix to only compare full path names were done in commit
04f52e9b4d but found out to be incomplete. This takes should make the
change more complete and there's now two additional tests to verify
(test 31 and 62).
2013-06-12 11:19:56 +02:00
Fabian Keil
276452ca10 Add a HOSTIP precheck for tests 31 and 1105
They currently only work for 127.0.0.1 which
is hardcoded and can't be easily changed.
2012-11-19 10:58:14 +01:00
Fabian Keil
10296ac665 Use carriage returns in all headers in test 31
Trailing spaces were left unmodifed, assuming they were intentional.
2012-11-19 10:58:14 +01:00
Daniel Stenberg
c75ece4442 cookies: change the URL in the cookie jar file header 2012-07-03 11:27:45 +02:00
Daniel Stenberg
7c21c1c4f9 cookie parser: handle 'secure='
There are two keywords in cookie headers that don't follow the regular
name=value style: secure and httponly. Still we must support that they
are written like 'secure=' and then treat them as if they were written
'secure'. Test case 31 was much extended by Rob Ward to test this.

Bug: http://curl.haxx.se/bug/view.cgi?id=3349227
Reported by: "gnombat"
2011-08-09 14:02:05 +02:00
Daniel Stenberg
448d2b5f49 - Dima Barsky made the curl cookie parser accept cookies even with blank or
unparsable expiry dates and then treat them as session cookies - previously
  libcurl would reject cookies with a date format it couldn't parse. Research
  shows that the major browser treat such cookies as session cookies. I
  modified test 8 and 31 to verify this.
2009-10-25 18:15:14 +00:00
Daniel Stenberg
e138ae5ec9 - I'm abandoning the system with the web site mirrors (but keeping download
files bing mirrored) and thus I've changed the URL in the cookiejar header
  to no longer use curlm.haxx.se but instead use the main site curl.haxx.se
2008-08-28 11:35:54 +00:00
Daniel Stenberg
a62e155ca4 - Niklas Angebrand made the cookie support in libcurl properly deal with the
"HttpOnly" feature introduced by Microsoft and apparently also supported by
  Firefox: http://msdn2.microsoft.com/en-us/library/ms533046.aspx . HttpOnly
  is now supported when received from servers in HTTP headers, when written to
  cookie jars and when read from existing cookie jars.
2008-01-31 12:21:57 +00:00
Dan Fandrich
05e4a3026d Replaced 127.0.0.1 with %HOSTIP where possible 2007-09-14 19:32:31 +00:00
Dan Fandrich
19631f5d5f Force the time zone to GMT in the cookie tests in case the user is
using one of the so-called 'right' time zones that take into account
leap seconds, which causes the tests to fail (as reported by
Daniel Black in bug report #1745964).
2007-07-10 22:27:16 +00:00
Yang Tse
9b6474378a Year 2038 has its own problems (32 bit integer overflow).
So cookie expiration date is lowered to expire at most in 2035.
2007-02-05 02:38:25 +00:00
Yang Tse
401598c2fe more fixes for the testsuite cookie expiration issue 2007-02-02 01:05:50 +00:00
Yang Tse
d60848d04b cookie expiration time got us with pants at our knees.
Next time in 2038 :-)
2007-02-02 00:10:40 +00:00
Dan Fandrich
33bea767eb Convert (most of) the test data files into genuine XML. A handful still
are not, due mainly to the lack of support for XML character entities
(e.g. & => &amp; ).  This will make it easier to validate test files using
tools like xmllint, as well as edit and view them using XML tools.
2007-01-23 02:25:56 +00:00
Daniel Stenberg
68e9f75708 As reported in bug: #1566077 the former URL mentioned in the generated cookie
jar has died and we now instead point out our own version of that
2006-09-27 21:00:45 +00:00
Daniel Stenberg
5d9fc28fa7 Modified the default HTTP headers used by libcurl:
A) Normal non-proxy HTTP:

 - no more "Pragma: no-cache" (this only makes sense to proxies)

B) Non-CONNECT HTTP request over proxy:

 - "Pragma: no-cache" is used (like before)
 - "Proxy-Connection: Keep-alive" (for older style 1.0-proxies)

C) CONNECT HTTP request over proxy:

 - "Host: [name]:[port]"
 - "Proxy-Connection: Keep-alive"
2005-05-11 09:52:59 +00:00
Daniel Stenberg
63621bae81 Set mode text on the section that is written by curl in text mode, to allow
the runtests.pl to check this differently on operating systems that
differentiate on this.
2005-04-28 21:07:07 +00:00
Daniel Stenberg
53280a196b keywords added 2005-04-16 23:15:19 +00:00
Daniel Stenberg
f2e71edcbd A minor "syntax error" in numerous test files corrected 2005-01-25 21:45:03 +00:00
Daniel Stenberg
ca52c963c7 1. cookie expire-strings MUST use GMT timezones
2. adjusted date strings to upcoming date parser rewrite
2004-09-11 19:12:37 +00:00
Daniel Stenberg
2b1673c9c8 Now the test servers and test cases can run on a custom port number. There's
no fixed port numbers in use anymore. Starting now, the default ports the
servers use are 8990 - 8993. There's no option to modify these yet, but
changing the $base option in the top of the runtests.pl script.
2004-09-08 08:08:38 +00:00
Daniel Stenberg
93e32e6f62 Modified the default HTTP Accept: header to only be Accept: */* 2004-02-09 12:46:41 +00:00
Daniel Stenberg
c50a601f1a modified to work fine with the new persistant connection working test suite
HTTP server
2003-07-19 23:57:08 +00:00
Daniel Stenberg
ee29dbdb8f Each test case now specifies which server(s) it needs, without relying on the
test number.
2003-04-30 20:25:39 +00:00
Daniel Stenberg
26afc604ac modified to work with modified code 2003-04-30 17:16:25 +00:00
Daniel Stenberg
69f6d14b81 extended and improved cookie testing 2002-07-29 22:21:37 +00:00
Daniel Stenberg
ca161737bc use the correct time in the cookie jar 2002-02-27 07:41:46 +00:00
Daniel Stenberg
ff291eee48 new field1 functionality testing too 2002-02-26 13:18:39 +00:00
Daniel Stenberg
634760cbdc test 31: "HTTP with weirdly formatted cookies and cookiejar storage" 2002-02-26 13:09:46 +00:00