- Niklas Angebrand made the cookie support in libcurl properly deal with the

                                  Changelog

Daniel S (31 Jan 2008)

- Niklas Angebrand made the cookie support in libcurl properly deal with the

  "HttpOnly" feature introduced by Microsoft and apparently also supported by

  Firefox: http://msdn2.microsoft.com/en-us/library/ms533046.aspx . HttpOnly

  is now supported when received from servers in HTTP headers, when written to

  cookie jars and when read from existing cookie jars.

  I modified test case 31 and 46 to also do some basic HttpOnly testing.

- Dmitry Kurochkin moved several struct fields from the connectdata struct to

  the SingleRequest one to make pipelining better. It is a bit tricky to keep

  them in the right place, to keep things related to the actual request or to

This release includes the following changes:

 o 

 o added support for HttpOnly cookies

This release includes the following bugfixes:

This release would not have looked like this without help, code, reports and

advice from friends like these:

 Michal Marek, Dmitry Kurochkin

 Michal Marek, Dmitry Kurochkin, Niklas Angebrand

        Thanks! (and sorry if I forgot to mention someone)

      else {

        if(sscanf(ptr, "%" MAX_COOKIE_LINE_TXT "[^;\r\n]",

                  what)) {

          if(strequal("secure", what))

          if(strequal("secure", what)) {

            co->secure = TRUE;

          }

          else if (strequal("httponly", what)) {

            co->httponly = TRUE;

          }

          /* else,

             unsupported keyword without assign! */

    char *tok_buf;

    int fields;

    /* IE introduced HTTP-only cookies to prevent XSS attacks. Cookies 

       marked with httpOnly after the domain name are not accessible  

       from javascripts, but since curl does not operate at javascript  

       level, we include them anyway. In Firefox's cookie files, these 

       lines are preceeded with #HttpOnly_ and then everything is

       as usual, so we skip 10 characters of the line..

    */

    if (strncmp(lineptr, "#HttpOnly_", 10) == 0) {

      lineptr += 10;

      co->httponly = TRUE;

    }

    if(lineptr[0]=='#') {

      /* don't even try the comments */

      free(co);

static char *get_netscape_format(const struct Cookie *co)

{

  return aprintf(

    "%s"     /* httponly preamble */

    "%s%s\t" /* domain */

    "%s\t"   /* tailmatch */

    "%s\t"   /* path */

    "%" FORMAT_OFF_T "\t"   /* expires */

    "%s\t"   /* name */

    "%s",    /* value */

    co->httponly?"#HttpOnly_":"",

    /* Make sure all domains are prefixed with a dot if they allow

       tailmatching. This is Mozilla-style. */

    (co->tailmatch && co->domain && co->domain[0] != '.')? ".":"",

  bool secure;       /* whether the 'secure' keyword was used */

  bool livecookie;   /* updated from a server, not a stored file */

  bool httponly;     /* true if the httponly directive is present */

};

struct CookieInfo {

Set-Cookie: novalue; domain=reallysilly

Set-Cookie: test=yes; domain=foo.com; expires=Sat Feb 2 11:56:27 GMT 2030

Set-Cookie: test2=yes; domain=se; expires=Sat Feb 2 11:56:27 GMT 2030

Set-Cookie: magic=yessir; path=/silly/; HttpOnly

boo

</data>

.127.0.0.1	TRUE	/silly/	FALSE	0	ismatch	this

.127.0.0.1	TRUE	/	FALSE	0	partmatch	present

127.0.0.1	FALSE	/we/want/	FALSE	2054030187	nodomain	value

#HttpOnly_127.0.0.1	FALSE	/silly/	FALSE	0	magic	yessir

</file>

</verify>

</testcase>