Commit 7f7fcd0d authored by Daniel Stenberg

cookies: first n/v pair in Set-Cookie: is the cookie, then parameters

RFC 6265 section 4.1.1 spells out that the first name/value pair in the
header is the actual cookie name and content, while the following are
the parameters.

libcurl previously had a more liberal approach which causes significant
problems when introducing new cookie parameters, like the suggested new
cookie priority draft.

The previous logic read all n/v pairs from left-to-right and the first
name used that wasn't a known parameter name would be used as the
cookie name, thus accepting "Set-Cookie: Max-Age=2; person=daniel" to be
a cookie named 'person' while an RFC 6265 compliant parser should
consider that to be a cookie named 'Max-Age' with an (unknown) parameter
'person'.

Fixes #709
parent 4d4ce84b
+10 −9
@@ -456,7 +456,16 @@ Curl_cookie_add(struct SessionHandle *data,
        while(*whatptr && ISBLANK(*whatptr))
          whatptr++;

        if(!len) {
        if(!co->name && sep) {
          /* The very first name/value pair is the actual cookie name */
          co->name = strdup(name);
          co->value = strdup(whatptr);
          if(!co->name || !co->value) {
            badcookie = TRUE;
            break;
          }
        }
        else if(!len) {
          /* this was a "<name>=" with no content, and we must allow
             'secure' and 'httponly' specified this weirdly */
          done = TRUE;
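Review bot: the new `if(!co->name && sep)` branch is placed ahead of the existing `if(!len)` check, so a header whose very first pair is `name=` with an empty value is now stored as a cookie named `name` with an empty string value rather than reaching the `done = TRUE` path that previously handled the "<name>=" case. If that is intended (RFC 6265 does allow an empty cookie-value), a short comment saying so, and a test fixture with an empty first value, would make the ordering dependency explicit. Also worth noting in the comment that a first pair without a `=` separator leaves `co->name` NULL and falls through to the parameter matching below, so readers know how a separator-less leading token is treated.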
@@ -550,14 +559,6 @@ Curl_cookie_add(struct SessionHandle *data,
            break;
          }
        }
        else if(!co->name) {
          co->name = strdup(name);
          co->value = strdup(whatptr);
          if(!co->name || !co->value) {
            badcookie = TRUE;
            break;
          }
        }
        /*
          else this is the second (or more) name we don't know
          about! */
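Review bot: with the `else if(!co->name)` fallback removed, the only way to reach the trailing `/* else this is the second (or more) name we don't know about! */` comment is via a name/value pair that is not the first one and not a recognised attribute, i.e. an unknown parameter that is now deliberately ignored. The comment still describes the old "first unknown name becomes the cookie" logic; consider rewording it to say that unknown parameter names are skipped, matching the RFC 6265 section 4.1.1 behaviour described in the commit message (for example that `Max-Age=2; person=daniel` yields a cookie named `Max-Age` and an ignored `person` parameter).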
+1 −1
@@ -14,7 +14,7 @@ cookies
<data>
HTTP/1.1 200 OK
Date: Tue, 25 Sep 2001 19:37:44 GMT
Set-Cookie: domain=.example.fake; bug=fixed;
Set-Cookie: bug=fixed; domain=.example.fake;
Content-Length: 21

This server says moo
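Review bot: swapping the fixture from `Set-Cookie: domain=.example.fake; bug=fixed;` to `Set-Cookie: bug=fixed; domain=.example.fake;` keeps this test green, but it means the test now only exercises the compliant ordering. The behaviour the commit actually introduces (that the old ordering is parsed as a cookie named `domain` with an unknown `bug` parameter) is not asserted anywhere in this change; a separate test keeping the original header and checking the resulting cookie jar would pin the new parsing down and guard against a regression back to the liberal behaviour.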
+1 −1
@@ -11,7 +11,7 @@ cookies
<data>
HTTP/1.1 200 Mooo swsclose
Connection: close
Set-Cookie: path=/; thewinneris=nowayyouwin;
Set-Cookie: thewinneris=nowayyouwin; path=/;
Content-Length: 8

*flopp*
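Review bot: same observation as for the other fixture: reordering `Set-Cookie: path=/; thewinneris=nowayyouwin;` to `Set-Cookie: thewinneris=nowayyouwin; path=/;` adapts the existing test to the stricter parser rather than covering the stricter parser itself. Since this fixture keeps the trailing `;`, it does usefully exercise an empty trailing pair after a known attribute, so a one-line comment in the test noting that both the attribute order and the trailing separator are deliberate would help future readers understand why the data was changed.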