generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

- Niklas Angebrand made the cookie support in libcurl properly deal with the

Browse Source 
"HttpOnly" feature introduced by Microsoft and apparently also supported by
  Firefox: http://msdn2.microsoft.com/en-us/library/ms533046.aspx . HttpOnly
  is now supported when received from servers in HTTP headers, when written to
  cookie jars and when read from existing cookie jars.
This commit is contained in:
Daniel Stenberg
2008-01-31 12:21:57 +00:00
parent b620e62f0f
commit a62e155ca4
6 changed files with 36 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
CHANGES
View File

@@ -7,6 +7,14 @@
Changelog Changelog
Daniel S (31 Jan 2008) Daniel S (31 Jan 2008)
- Niklas Angebrand made the cookie support in libcurl properly deal with the
"HttpOnly" feature introduced by Microsoft and apparently also supported by
Firefox: http://msdn2.microsoft.com/en-us/library/ms533046.aspx . HttpOnly
is now supported when received from servers in HTTP headers, when written to
cookie jars and when read from existing cookie jars.
I modified test case 31 and 46 to also do some basic HttpOnly testing.
- Dmitry Kurochkin moved several struct fields from the connectdata struct to - Dmitry Kurochkin moved several struct fields from the connectdata struct to
the SingleRequest one to make pipelining better. It is a bit tricky to keep the SingleRequest one to make pipelining better. It is a bit tricky to keep
them in the right place, to keep things related to the actual request or to them in the right place, to keep things related to the actual request or to

4
RELEASE-NOTES
View File

@@ -10,7 +10,7 @@ Curl and libcurl 7.18.1
This release includes the following changes: This release includes the following changes:
o o added support for HttpOnly cookies
This release includes the following bugfixes: This release includes the following bugfixes:
@@ -31,6 +31,6 @@ New curl mirrors:
This release would not have looked like this without help, code, reports and This release would not have looked like this without help, code, reports and
advice from friends like these: advice from friends like these:
Michal Marek, Dmitry Kurochkin Michal Marek, Dmitry Kurochkin, Niklas Angebrand
Thanks! (and sorry if I forgot to mention someone) Thanks! (and sorry if I forgot to mention someone)

21
lib/cookie.c
View File

@@ -367,8 +367,12 @@ Curl_cookie_add(struct SessionHandle *data,
else { else {
if(sscanf(ptr, "%" MAX_COOKIE_LINE_TXT "[^;\r\n]", if(sscanf(ptr, "%" MAX_COOKIE_LINE_TXT "[^;\r\n]",
what)) { what)) {
if(strequal("secure", what)) if(strequal("secure", what)) {
co->secure = TRUE; co->secure = TRUE;
}
else if (strequal("httponly", what)) {
co->httponly = TRUE;
}
/* else, /* else,
unsupported keyword without assign! */ unsupported keyword without assign! */
@@ -433,6 +437,19 @@ Curl_cookie_add(struct SessionHandle *data,
char *tok_buf; char *tok_buf;
int fields; int fields;
/* IE introduced HTTP-only cookies to prevent XSS attacks. Cookies
marked with httpOnly after the domain name are not accessible
from javascripts, but since curl does not operate at javascript
level, we include them anyway. In Firefox's cookie files, these
lines are preceeded with #HttpOnly_ and then everything is
as usual, so we skip 10 characters of the line..
*/
if (strncmp(lineptr, "#HttpOnly_", 10) == 0) {
lineptr += 10;
co->httponly = TRUE;
}
if(lineptr[0]=='#') { if(lineptr[0]=='#') {
/* don't even try the comments */ /* don't even try the comments */
free(co); free(co);
@@ -918,6 +935,7 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
static char *get_netscape_format(const struct Cookie *co) static char *get_netscape_format(const struct Cookie *co)
{ {
return aprintf( return aprintf(
"%s" /* httponly preamble */
"%s%s\t" /* domain */ "%s%s\t" /* domain */
"%s\t" /* tailmatch */ "%s\t" /* tailmatch */
"%s\t" /* path */ "%s\t" /* path */
@@ -925,6 +943,7 @@ static char *get_netscape_format(const struct Cookie *co)
"%" FORMAT_OFF_T "\t" /* expires */ "%" FORMAT_OFF_T "\t" /* expires */
"%s\t" /* name */ "%s\t" /* name */
"%s", /* value */ "%s", /* value */
co->httponly?"#HttpOnly_":"",
/* Make sure all domains are prefixed with a dot if they allow /* Make sure all domains are prefixed with a dot if they allow
tailmatching. This is Mozilla-style. */ tailmatching. This is Mozilla-style. */
(co->tailmatch && co->domain && co->domain[0] != '.')? ".":"", (co->tailmatch && co->domain && co->domain[0] != '.')? ".":"",

1
lib/cookie.h
View File

@@ -50,6 +50,7 @@ struct Cookie {
bool secure; /* whether the 'secure' keyword was used */ bool secure; /* whether the 'secure' keyword was used */
bool livecookie; /* updated from a server, not a stored file */ bool livecookie; /* updated from a server, not a stored file */
bool httponly; /* true if the httponly directive is present */
}; };
struct CookieInfo { struct CookieInfo {

2
tests/data/test31
View File

@@ -26,6 +26,7 @@ Set-Cookie: nodomain=value; expires=Fri Feb 2 11:56:27 GMT 2035
Set-Cookie: novalue; domain=reallysilly Set-Cookie: novalue; domain=reallysilly
Set-Cookie: test=yes; domain=foo.com; expires=Sat Feb 2 11:56:27 GMT 2030 Set-Cookie: test=yes; domain=foo.com; expires=Sat Feb 2 11:56:27 GMT 2030
Set-Cookie: test2=yes; domain=se; expires=Sat Feb 2 11:56:27 GMT 2030 Set-Cookie: test2=yes; domain=se; expires=Sat Feb 2 11:56:27 GMT 2030
Set-Cookie: magic=yessir; path=/silly/; HttpOnly
boo boo
</data> </data>
@@ -69,6 +70,7 @@ Accept: */*
.127.0.0.1 TRUE /silly/ FALSE 0 ismatch this .127.0.0.1 TRUE /silly/ FALSE 0 ismatch this
.127.0.0.1 TRUE / FALSE 0 partmatch present .127.0.0.1 TRUE / FALSE 0 partmatch present
127.0.0.1 FALSE /we/want/ FALSE 2054030187 nodomain value 127.0.0.1 FALSE /we/want/ FALSE 2054030187 nodomain value
#HttpOnly_127.0.0.1 FALSE /silly/ FALSE 0 magic yessir
</file> </file>
</verify> </verify>
</testcase> </testcase>

4
tests/data/test46
View File

@@ -51,6 +51,7 @@ TZ=GMT
www.fake.come FALSE / FALSE 1022144953 cookiecliente si www.fake.come FALSE / FALSE 1022144953 cookiecliente si
www.loser.com FALSE / FALSE 1139150993 UID 99 www.loser.com FALSE / FALSE 1139150993 UID 99
%HOSTIP FALSE / FALSE 1439150993 mooo indeed %HOSTIP FALSE / FALSE 1439150993 mooo indeed
#HttpOnly_%HOSTIP FALSE / FALSE 1439150993 mooo2 indeed2
%HOSTIP FALSE / FALSE 0 empty %HOSTIP FALSE / FALSE 0 empty
</file> </file>
</client> </client>
@@ -64,7 +65,7 @@ www.loser.com FALSE / FALSE 1139150993 UID 99
GET /want/46 HTTP/1.1 GET /want/46 HTTP/1.1
Host: %HOSTIP:%HTTPPORT Host: %HOSTIP:%HTTPPORT
Accept: */* Accept: */*
Cookie: empty=; mooo=indeed Cookie: empty=; mooo2=indeed2; mooo=indeed
</protocol> </protocol>
<file name="log/jar46" mode="text"> <file name="log/jar46" mode="text">
@@ -75,6 +76,7 @@ Cookie: empty=; mooo=indeed
www.fake.come FALSE / FALSE 1022144953 cookiecliente si www.fake.come FALSE / FALSE 1022144953 cookiecliente si
www.loser.com FALSE / FALSE 1139150993 UID 99 www.loser.com FALSE / FALSE 1139150993 UID 99
%HOSTIP FALSE / FALSE 1439150993 mooo indeed %HOSTIP FALSE / FALSE 1439150993 mooo indeed
#HttpOnly_%HOSTIP FALSE / FALSE 1439150993 mooo2 indeed2
%HOSTIP FALSE / FALSE 0 empty %HOSTIP FALSE / FALSE 0 empty
%HOSTIP FALSE / FALSE 2054030187 ckyPersistent permanent %HOSTIP FALSE / FALSE 2054030187 ckyPersistent permanent
%HOSTIP FALSE / FALSE 0 ckySession temporary %HOSTIP FALSE / FALSE 0 ckySession temporary