- Niklas Angebrand made the cookie support in libcurl properly deal with the
"HttpOnly" feature introduced by Microsoft and apparently also supported by Firefox: http://msdn2.microsoft.com/en-us/library/ms533046.aspx . HttpOnly is now supported when received from servers in HTTP headers, when written to cookie jars and when read from existing cookie jars.
This commit is contained in:
parent
b620e62f0f
commit
a62e155ca4
8
CHANGES
8
CHANGES
@ -7,6 +7,14 @@
|
||||
Changelog
|
||||
|
||||
Daniel S (31 Jan 2008)
|
||||
- Niklas Angebrand made the cookie support in libcurl properly deal with the
|
||||
"HttpOnly" feature introduced by Microsoft and apparently also supported by
|
||||
Firefox: http://msdn2.microsoft.com/en-us/library/ms533046.aspx . HttpOnly
|
||||
is now supported when received from servers in HTTP headers, when written to
|
||||
cookie jars and when read from existing cookie jars.
|
||||
|
||||
I modified test case 31 and 46 to also do some basic HttpOnly testing.
|
||||
|
||||
- Dmitry Kurochkin moved several struct fields from the connectdata struct to
|
||||
the SingleRequest one to make pipelining better. It is a bit tricky to keep
|
||||
them in the right place, to keep things related to the actual request or to
|
||||
|
@ -10,7 +10,7 @@ Curl and libcurl 7.18.1
|
||||
|
||||
This release includes the following changes:
|
||||
|
||||
o
|
||||
o added support for HttpOnly cookies
|
||||
|
||||
This release includes the following bugfixes:
|
||||
|
||||
@ -31,6 +31,6 @@ New curl mirrors:
|
||||
This release would not have looked like this without help, code, reports and
|
||||
advice from friends like these:
|
||||
|
||||
Michal Marek, Dmitry Kurochkin
|
||||
Michal Marek, Dmitry Kurochkin, Niklas Angebrand
|
||||
|
||||
Thanks! (and sorry if I forgot to mention someone)
|
||||
|
21
lib/cookie.c
21
lib/cookie.c
@ -367,8 +367,12 @@ Curl_cookie_add(struct SessionHandle *data,
|
||||
else {
|
||||
if(sscanf(ptr, "%" MAX_COOKIE_LINE_TXT "[^;\r\n]",
|
||||
what)) {
|
||||
if(strequal("secure", what))
|
||||
if(strequal("secure", what)) {
|
||||
co->secure = TRUE;
|
||||
}
|
||||
else if (strequal("httponly", what)) {
|
||||
co->httponly = TRUE;
|
||||
}
|
||||
/* else,
|
||||
unsupported keyword without assign! */
|
||||
|
||||
@ -433,6 +437,19 @@ Curl_cookie_add(struct SessionHandle *data,
|
||||
char *tok_buf;
|
||||
int fields;
|
||||
|
||||
/* IE introduced HTTP-only cookies to prevent XSS attacks. Cookies
|
||||
marked with httpOnly after the domain name are not accessible
|
||||
from javascripts, but since curl does not operate at javascript
|
||||
level, we include them anyway. In Firefox's cookie files, these
|
||||
lines are preceeded with #HttpOnly_ and then everything is
|
||||
as usual, so we skip 10 characters of the line..
|
||||
*/
|
||||
if (strncmp(lineptr, "#HttpOnly_", 10) == 0) {
|
||||
lineptr += 10;
|
||||
co->httponly = TRUE;
|
||||
}
|
||||
|
||||
|
||||
if(lineptr[0]=='#') {
|
||||
/* don't even try the comments */
|
||||
free(co);
|
||||
@ -918,6 +935,7 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
|
||||
static char *get_netscape_format(const struct Cookie *co)
|
||||
{
|
||||
return aprintf(
|
||||
"%s" /* httponly preamble */
|
||||
"%s%s\t" /* domain */
|
||||
"%s\t" /* tailmatch */
|
||||
"%s\t" /* path */
|
||||
@ -925,6 +943,7 @@ static char *get_netscape_format(const struct Cookie *co)
|
||||
"%" FORMAT_OFF_T "\t" /* expires */
|
||||
"%s\t" /* name */
|
||||
"%s", /* value */
|
||||
co->httponly?"#HttpOnly_":"",
|
||||
/* Make sure all domains are prefixed with a dot if they allow
|
||||
tailmatching. This is Mozilla-style. */
|
||||
(co->tailmatch && co->domain && co->domain[0] != '.')? ".":"",
|
||||
|
@ -50,6 +50,7 @@ struct Cookie {
|
||||
|
||||
bool secure; /* whether the 'secure' keyword was used */
|
||||
bool livecookie; /* updated from a server, not a stored file */
|
||||
bool httponly; /* true if the httponly directive is present */
|
||||
};
|
||||
|
||||
struct CookieInfo {
|
||||
|
@ -26,6 +26,7 @@ Set-Cookie: nodomain=value; expires=Fri Feb 2 11:56:27 GMT 2035
|
||||
Set-Cookie: novalue; domain=reallysilly
|
||||
Set-Cookie: test=yes; domain=foo.com; expires=Sat Feb 2 11:56:27 GMT 2030
|
||||
Set-Cookie: test2=yes; domain=se; expires=Sat Feb 2 11:56:27 GMT 2030
|
||||
Set-Cookie: magic=yessir; path=/silly/; HttpOnly
|
||||
|
||||
boo
|
||||
</data>
|
||||
@ -69,6 +70,7 @@ Accept: */*
|
||||
.127.0.0.1 TRUE /silly/ FALSE 0 ismatch this
|
||||
.127.0.0.1 TRUE / FALSE 0 partmatch present
|
||||
127.0.0.1 FALSE /we/want/ FALSE 2054030187 nodomain value
|
||||
#HttpOnly_127.0.0.1 FALSE /silly/ FALSE 0 magic yessir
|
||||
</file>
|
||||
</verify>
|
||||
</testcase>
|
||||
|
@ -51,6 +51,7 @@ TZ=GMT
|
||||
www.fake.come FALSE / FALSE 1022144953 cookiecliente si
|
||||
www.loser.com FALSE / FALSE 1139150993 UID 99
|
||||
%HOSTIP FALSE / FALSE 1439150993 mooo indeed
|
||||
#HttpOnly_%HOSTIP FALSE / FALSE 1439150993 mooo2 indeed2
|
||||
%HOSTIP FALSE / FALSE 0 empty
|
||||
</file>
|
||||
</client>
|
||||
@ -64,7 +65,7 @@ www.loser.com FALSE / FALSE 1139150993 UID 99
|
||||
GET /want/46 HTTP/1.1
|
||||
Host: %HOSTIP:%HTTPPORT
|
||||
Accept: */*
|
||||
Cookie: empty=; mooo=indeed
|
||||
Cookie: empty=; mooo2=indeed2; mooo=indeed
|
||||
|
||||
</protocol>
|
||||
<file name="log/jar46" mode="text">
|
||||
@ -75,6 +76,7 @@ Cookie: empty=; mooo=indeed
|
||||
www.fake.come FALSE / FALSE 1022144953 cookiecliente si
|
||||
www.loser.com FALSE / FALSE 1139150993 UID 99
|
||||
%HOSTIP FALSE / FALSE 1439150993 mooo indeed
|
||||
#HttpOnly_%HOSTIP FALSE / FALSE 1439150993 mooo2 indeed2
|
||||
%HOSTIP FALSE / FALSE 0 empty
|
||||
%HOSTIP FALSE / FALSE 2054030187 ckyPersistent permanent
|
||||
%HOSTIP FALSE / FALSE 0 ckySession temporary
|
||||
|
Loading…
Reference in New Issue
Block a user