summaryrefslogtreecommitdiff
path: root/lib/cookie.c
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2016-03-10 11:20:56 +0100
committerDaniel Stenberg <daniel@haxx.se>2016-03-10 11:26:12 +0100
commit7f7fcd0d756416b0a146b6f34a899e59456b2c17 (patch)
tree2bff1f9a5d478722dfc7caca1ed0260378482a3b /lib/cookie.c
parent4d4ce84bb3eccbf9c249f1a43fa79fb9ba14a29b (diff)
downloadcurl-7f7fcd0d756416b0a146b6f34a899e59456b2c17.tar.gz
cookies: first n/v pair in Set-Cookie: is the cookie, then parameters
RFC 6265 section 4.1.1 spells out that the first name/value pair in the header is the actual cookie name and content, while the following are the parameters. libcurl previously had a more liberal approach which causes significant problems when introducing new cookie parameters, like the suggested new cookie priority draft. The previous logic read all n/v pairs from left-to-right and the first name used that wassn't a known parameter name would be used as the cookie name, thus accepting "Set-Cookie: Max-Age=2; person=daniel" to be a cookie named 'person' while an RFC 6265 compliant parser should consider that to be a cookie named 'Max-Age' with an (unknown) parameter 'person'. Fixes #709
Diffstat (limited to 'lib/cookie.c')
-rw-r--r--lib/cookie.c19
1 files changed, 10 insertions, 9 deletions
diff --git a/lib/cookie.c b/lib/cookie.c
index de871b75e..1f2239242 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -456,7 +456,16 @@ Curl_cookie_add(struct SessionHandle *data,
while(*whatptr && ISBLANK(*whatptr))
whatptr++;
- if(!len) {
+ if(!co->name && sep) {
+ /* The very first name/value pair is the actual cookie name */
+ co->name = strdup(name);
+ co->value = strdup(whatptr);
+ if(!co->name || !co->value) {
+ badcookie = TRUE;
+ break;
+ }
+ }
+ else if(!len) {
/* this was a "<name>=" with no content, and we must allow
'secure' and 'httponly' specified this weirdly */
done = TRUE;
@@ -550,14 +559,6 @@ Curl_cookie_add(struct SessionHandle *data,
break;
}
}
- else if(!co->name) {
- co->name = strdup(name);
- co->value = strdup(whatptr);
- if(!co->name || !co->value) {
- badcookie = TRUE;
- break;
- }
- }
/*
else this is the second (or more) name we don't know
about! */