From f72a26d340fb675e03d21d7a86dbb5803cd18831 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 8 Sep 2008 11:36:19 +0000
Subject: [PATCH] - Stefan Krause pointed out that libcurl would wrongly send
away cookies to sites in cases where the cookie clearly has a very old
expiry date. The condition was simply that libcurl's date parser would fail
to convert the date and it would then count as a (timed-based) match.
Starting now, a missed date due to an unsupported date format or date range
will now cause the cookie to not match.
---
CHANGES | 8 ++++++++
RELEASE-NOTES | 3 ++-
lib/cookie.c | 18 +++++++++++-------
3 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/CHANGES b/CHANGES
index b53c9e0d6b..eb11cd91e0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,14 @@
Changelog
+Daniel Stenberg (8 Sep 2008)
+- Stefan Krause pointed out that libcurl would wrongly send away cookies to
+ sites in cases where the cookie clearly has a very old expiry date. The
+ condition was simply that libcurl's date parser would fail to convert the
+ date and it would then count as a (timed-based) match. Starting now, a
+ missed date due to an unsupported date format or date range will now cause
+ the cookie to not match.
+
Daniel Fandrich (5 Sep 2008)
- Improved the logic the decides whether to use HTTP 1.1 features or not in a
request. Setting a specific version with CURLOPT_HTTP_VERSION overrides
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index f96e060dca..3c4885dcb8 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -19,6 +19,7 @@ This release includes the following bugfixes:
o MingW32 non-configure builds are now largefile feature enabled by default
o NetWare LIBC builds are now largefile feature enabled by default
o curl_easy_pause() could behave wrongly on unpause
+ o cookie with invalid expire dates are now considered expired
This release includes the following known bugs:
@@ -32,6 +33,6 @@ This release would not have looked like this without help, code, reports and
advice from friends like these:
Keith Mok, Yang Tse, Daniel Fandrich, Guenter Knauf, Dmitriy Sergeyev,
- Linus Nielsen Feltzing, Martin Drasar
+ Linus Nielsen Feltzing, Martin Drasar, Stefan Krause
Thanks! (and sorry if I forgot to mention someone)
diff --git a/lib/cookie.c b/lib/cookie.c
index 59df3b64f5..ed541a12fd 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -338,7 +338,8 @@ Curl_cookie_add(struct SessionHandle *data,
break;
}
co->expires =
- atoi((*co->maxage=='\"')?&co->maxage[1]:&co->maxage[0]) + (long)now;
+ atoi((*co->maxage=='\"')?&co->maxage[1]:&co->maxage[0]) +
+ (long)now;
}
else if(strequal("expires", name)) {
co->expirestr=strdup(whatptr);
@@ -346,6 +347,9 @@ Curl_cookie_add(struct SessionHandle *data,
badcookie = TRUE;
break;
}
+ /* Note that we store -1 in 'expires' here if the date couldn't
+ get parsed for whatever reason. This will have the effect that
+ the cookie won't match. */
co->expires = curl_getdate(what, &now);
}
else if(!co->name) {
@@ -437,10 +441,10 @@ Curl_cookie_add(struct SessionHandle *data,
char *tok_buf;
int fields;
- /* IE introduced HTTP-only cookies to prevent XSS attacks. Cookies
- marked with httpOnly after the domain name are not accessible
- from javascripts, but since curl does not operate at javascript
- level, we include them anyway. In Firefox's cookie files, these
+ /* IE introduced HTTP-only cookies to prevent XSS attacks. Cookies
+ marked with httpOnly after the domain name are not accessible
+ from javascripts, but since curl does not operate at javascript
+ level, we include them anyway. In Firefox's cookie files, these
lines are preceeded with #HttpOnly_ and then everything is
as usual, so we skip 10 characters of the line..
*/
@@ -753,7 +757,7 @@ struct CookieInfo *Curl_cookie_init(struct SessionHandle *data,
struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
const char *host, const char *path,
- bool secure)
+ bool secure)
{
struct Cookie *newco;
struct Cookie *co;
@@ -769,7 +773,7 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
/* only process this cookie if it is not expired or had no expire
date AND that if the cookie requires we're secure we must only
continue if we are! */
- if( (co->expires<=0 || (co->expires> now)) &&
+ if( (!co->expires || (co->expires > now)) &&
(co->secure?secure:TRUE) ) {
/* now check if the domain is correct */
--
GitLab