- Dima Barsky made the curl cookie parser accept cookies even with blank or (448d2b5f) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP curl

CHANGES

+7 −0

Original line number	Diff line number	Diff line
		@@ -6,6 +6,13 @@

		Changelog

		Daniel Stenberg (25 Oct 2009)
		- Dima Barsky made the curl cookie parser accept cookies even with blank or
		unparsable expiry dates and then treat them as session cookies - previously
		libcurl would reject cookies with a date format it couldn't parse. Research
		shows that the major browser treat such cookies as session cookies. I
		modified test 8 and 31 to verify this.

		Daniel Stenberg (21 Oct 2009)
		- Attempt to use pkg-config for finding out libssh2 installation details
		during configure.

+2 −1

Original line number	Diff line number	Diff line
		@@ -41,6 +41,7 @@ This release includes the following bugfixes:
		o GSS negotiate infinite loop on bad credentials
		o memory leak in SCP/SFTP connections
		o use pkg-config to find out libssh2 installation details in configure
		o unparsable cookie expire dates make cookies get treated as session coookies

		This release includes the following known bugs:

		@@ -53,6 +54,6 @@ advice from friends like these:
		Michal Marek, Eric Wong, Guenter Knauf, Peter Sylvester, Daniel Johnson,
		Claes Jakobsson, Sven Anders, Chris Mumford, John P. McCaskey,
		Constantine Sapuntzakis, Michael Stillwell, Tom Mueller, Dan Fandrich,
		Kevin Baughman, John Dennis, Ray Dassen, Johan van Selst
		Kevin Baughman, John Dennis, Ray Dassen, Johan van Selst, Dima Barsky

		Thanks! (and sorry if I forgot to mention someone)

+4 −3

Original line number	Diff line number	Diff line
		@@ -363,9 +363,8 @@ Curl_cookie_add(struct SessionHandle *data,
		badcookie = TRUE;
		break;
		}
		/* Note that we store -1 in 'expires' here if the date couldn't
		get parsed for whatever reason. This will have the effect that
		the cookie won't match. */
		/* Note that if the date couldn't get parsed for whatever reason,
		the cookie will be treated as a session cookie */
		co->expires = curl_getdate(what, &now);

		/* Session cookies have expires set to 0 so if we get that back
		@@ -373,6 +372,8 @@ Curl_cookie_add(struct SessionHandle *data,
		non-session cookie */
		if (co->expires == 0)
		co->expires = 1;
		else if( co->expires < 0 )
		co->expires = 0;
		}
		else if(!co->name) {
		co->name = strdup(name);

+2 −0

Original line number	Diff line number	Diff line
		@@ -27,6 +27,7 @@ Set-Cookie: novalue; domain=reallysilly
		Set-Cookie: test=yes; domain=foo.com; expires=Sat Feb 2 11:56:27 GMT 2030
		Set-Cookie: test2=yes; domain=se; expires=Sat Feb 2 11:56:27 GMT 2030
		Set-Cookie: magic=yessir; path=/silly/; HttpOnly
		Set-Cookie: blexp=yesyes; domain=.0.0.1; domain=.0.0.1; expiry=totally bad;

		boo
		</data>
		@@ -71,6 +72,7 @@ Accept: /
		.127.0.0.1 TRUE / FALSE 0 partmatch present
		127.0.0.1 FALSE /we/want/ FALSE 2054030187 nodomain value
		#HttpOnly_127.0.0.1 FALSE /silly/ FALSE 0 magic yessir
		.0.0.1 TRUE /we/want/ FALSE 0 blexp yesyes
		</file>
		</verify>
		</testcase>

+2 −1

Original line number	Diff line number	Diff line
		@@ -41,6 +41,7 @@ Set-Cookie: partmatch=present; domain=.0.0.1; path=/;
		Set-Cookie: duplicate=test; domain=.0.0.1; domain=.0.0.1; path=/donkey;
		Set-Cookie: cookie=yes; path=/we;
		Set-Cookie: nocookie=yes; path=/WE;
		Set-Cookie: blexp=yesyes; domain=.0.0.1; domain=.0.0.1; expiry=totally bad;

		</file>
		</client>
		@@ -54,7 +55,7 @@ Set-Cookie: nocookie=yes; path=/WE;
		GET /we/want/8 HTTP/1.1
		Host: %HOSTIP:%HTTPPORT
		Accept: /
		Cookie: cookie=yes; partmatch=present; foobar=name
		Cookie: blexp=yesyes; cookie=yes; partmatch=present; foobar=name

		</protocol>
		</verify>