Commit 35558e6b authored by Daniel Stenberg's avatar Daniel Stenberg

David Cohen pointed out that RFC2109 says clients should allow cookies to
contain at least 4096 bytes while libcurl only allowed 2047. I raised the limit
to 4999 now and made the used buffer get malloc()ed instead of simply
allocated on stack as before.
parent 7659747e
+10 −1
@@ -149,7 +149,7 @@ Curl_cookie_add(struct SessionHandle *data,
                                    unless set */
{
  struct Cookie *clist;
  char what[MAX_COOKIE_LINE];
  char *what;
  char name[MAX_NAME];
  char *ptr;
  char *semiptr;
@@ -167,6 +167,13 @@ Curl_cookie_add(struct SessionHandle *data,
  if(httpheader) {
    /* This line was read off a HTTP-header */
    char *sep;

    what = malloc(MAX_COOKIE_LINE);
    if(!what) {
      free(co);
      return NULL;
    }

    semiptr=strchr(lineptr, ';'); /* first, find a semicolon */

    while(*lineptr && isspace((int)*lineptr))
@@ -387,6 +394,8 @@ Curl_cookie_add(struct SessionHandle *data,
      }
    }

    free(what);

    if(badcookie || !co->name) {
      /* we didn't get a cookie name or a bad one,
         this is an illegal line, bail out */
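Review bot: `what` is declared without an initializer in the first hunk (`char *what;`) and is only assigned inside the `if(httpheader)` branch, so the single `free(what);` in the third hunk is sound only if no path between the malloc and that free leaves the function. Most of Curl_cookie_add's body lies outside these hunks, so that cannot be confirmed from here; an early return in the unseen part would leak one MAX_COOKIE_LINE buffer per parsed header line, and that input is supplied by the remote server. I would write `char *what = NULL;` so that a later move of the free to a shared exit path cannot free an indeterminate pointer, and add a comment at the allocation such as `/* released by the free(what) at the end of this httpheader block; do not return before it */`.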
+19 −12
@@ -60,13 +60,20 @@ struct CookieInfo {
  bool newsession; /* new session, discard session cookies on load */
};

/* This is the maximum line length we accept for a cookie line */
#define MAX_COOKIE_LINE 2048
#define MAX_COOKIE_LINE_TXT "2047"
/* This is the maximum line length we accept for a cookie line. RFC 2109
   section 6.3 says:

   "at least 4096 bytes per cookie (as measured by the size of the characters
   that comprise the cookie non-terminal in the syntax description of the
   Set-Cookie header)"

*/
#define MAX_COOKIE_LINE 5000
#define MAX_COOKIE_LINE_TXT "4999"

/* This is the maximum length of a cookie name we deal with: */
#define MAX_NAME 256
#define MAX_NAME_TXT "255"
#define MAX_NAME 1024
#define MAX_NAME_TXT "1023"

struct SessionHandle;
/*