summaryrefslogtreecommitdiff
path: root/lib/cookie.c
Commit message (Collapse)AuthorAgeFilesLines
* cppcheck: fix warningsMarian Klymov2018-06-111-4/+3
| | | | | | | | | | | | | - Get rid of variable that was generating false positive warning (unitialized) - Fix issues in tests - Reduce scope of several variables all over etc Closes #2631
* strictness: correct {infof, failf} format specifiersRikard Falkeborn2018-05-311-1/+1
| | | | Closes #2623
* psl: use latest psl and refresh it periodicallyPatrick Monnerat2018-05-281-22/+23
| | | | | | | | | | | The latest psl is cached in the multi or share handle. It is refreshed before use after 72 hours. New share lock CURL_LOCK_DATA_PSL controls the psl cache sharing. If the latest psl is not available, the builtin psl is used. Reported-by: Yaakov Selkowitz Fixes #2553 Closes #2601
* cookies: do not take cookie name as a parameterPatrick Monnerat2018-05-131-1/+7
| | | | | | | | | | | | RFC 6265 section 4.2.1 does not set restrictions on cookie names. This is a follow-up to commit 7f7fcd0. Also explicitly check proper syntax of cookie name/value pair. New test 1155 checks that cookie names are not reserved words. Reported-By: anshnd at github Fixes #2564 Closes #2566
* cookies: ensure that we have cookies before writing jarDaniel Gustafsson2018-04-251-0/+4
| | | | | | | The jar should be written iff there are cookies, so ensure that we still have cookies after expiration to avoid creating an empty file. Closes #2529
* hash: calculate sizes with size_t instead of longsDaniel Stenberg2018-04-061-2/+2
| | | | | | ... since they return size_t anyway! closes #2462
* cookie: case-insensitive hashing for the domainsLauri Kasanen2018-04-061-2/+17
| | | | closes #2458
* cookie: fix and optimize 2nd top level domain name extractionPatrick Monnerat2018-04-041-10/+7
| | | | | | | | | | | This fixes a segfault occurring when a name of the (invalid) form "domain..tld" is processed. test46 updated to cover this case. Follow-up to commit c990ead. Ref: https://github.com/curl/curl/pull/2440
* cookie: store cookies per top-level-domain-specific hash tableLauri Kasanen2018-04-021-86/+154
| | | | | | This makes libcurl handle thousands of cookies much better and speedier. Closes #2440
* cookies: when reading from a file, only remove_expired onceLauri Kasanen2018-04-021-2/+5
| | | | | | This drops the cookie load time for 8k cookies from 178ms to 15ms. Closes #2441
* cookies: remove verbose "cookie size:" outputDaniel Stenberg2018-01-251-4/+1
| | | | | It was once used for some debugging/verifying logic but should never have ended up in git!
* cookie: avoid NULL dereferenceDaniel Stenberg2017-10-311-1/+1
| | | | | | | | ... when expiring old cookies. Reported-by: Pavel Gushchin Fixes #2032 Closes #2035
* cookie: fix memory leak if path was set twice in headerDaniel Stenberg2017-09-301-0/+1
| | | | | | | | | | ... this will let the second occurance override the first. Added test 1161 to verify. Reported-by: Max Dymond Fixes #1932 Closes #1933
* cookie: fix memory leak on oversized rejectionDaniel Stenberg2017-09-291-1/+1
| | | | | | | | | Regression brought by 2bc230de63b Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3513 Assisted-by: Max Dymond Closes #1930
* cookies: use lock when using CURLINFO_COOKIELISTPavel P2017-09-191-1/+10
| | | | Closes #1896
* cookies: reject oversized cookiesDaniel Stenberg2017-09-181-7/+20
| | | | | | | | | | | | | | | | | | ... instead of truncating them. There's no fixed limit for acceptable cookie names in RFC 6265, but the entire cookie is said to be less than 4096 bytes (section 6.1). This is also what browsers seem to implement. We now allow max 5000 bytes cookie header. Max 4095 bytes length per cookie name and value. Name + value together may not exceed 4096 bytes. Added test 1151 to verify Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html Reported-by: Kevin Smith Closes #1894
* code style: use spaces around plusesDaniel Stenberg2017-09-111-5/+5
|
* code style: use spaces around equals signsDaniel Stenberg2017-09-111-38/+38
|
* strtoofft: reduce integer overflow risks globallyDaniel Stenberg2017-08-141-8/+15
| | | | | | | ... make sure we bail out on overflows. Reported-by: Brian Carpenter Closes #1758
* Improve code readbilitySylvestre Ledru2017-03-131-3/+2
| | | | | | ... by removing the else branch after a return, break or continue. Closes #1310
* cookie: fix declaration of 'dup' shadows a global declarationDaniel Stenberg2017-02-211-11/+11
|
* cookies: do not assume a valid domain has a dotDaniel Stenberg2017-01-271-7/+16
| | | | | | | | | | | This repairs cookies for localhost. Non-PSL builds will now only accept "localhost" without dots, while PSL builds okeys everything not listed as PSL. Added test 1258 to verify. This was a regression brought in a76825a5efa6b4
* checksrc: warn for assignments within if() expressionsDaniel Stenberg2016-12-141-2/+2
| | | | | ... they're already frowned upon in our source code style guide, this now enforces the rule harder.
* checksrc: code style: use 'char *name' styleDaniel Stenberg2016-11-241-3/+3
|
* cookie: replace use of fgets() with custom versionDaniel Stenberg2016-10-311-1/+30
| | | | | | | | | ... that will ignore lines that are too long to fit in the buffer. CVE-2016-8615 Bug: https://curl.haxx.se/docs/adv_20161102A.html Reported-by: Cure53
* strcasecompare: all case insensitive string compares ignore locale nowDaniel Stenberg2016-10-311-15/+15
| | | | | We had some confusions on when each function was used. We should not act differently on different locales anyway.
* strcasecompare: is the new name for strequal()Daniel Stenberg2016-10-311-3/+2
| | | | | | | ... to make it less likely that we forget that the function actually does case insentive compares. Also replaced several invokes of the function with a plain strcmp when case sensitivity is not an issue (like comparing with "-").
* cookies: getlist() now holds deep copies of all cookiesDaniel Stenberg2016-10-311-21/+40
| | | | | | | | | | | Previously it only held references to them, which was reckless as the thread lock was released so the cookies could get modified by other handles that share the same cookie jar over the share interface. CVE-2016-8623 Bug: https://curl.haxx.se/docs/adv_20161102I.html Reported-by: Cure53
* cookies: same domain handling changed to match browser behaviorSergei Kuzmin2016-10-031-1/+2
| | | | | | | | | | | | | | Cokie with the same domain but different tailmatching property are now considered different and do not replace each other. If header contains following lines then two cookies will be set: Set-Cookie: foo=bar; domain=.foo.com; expires=Thu Mar 3 GMT 8:56:27 2033 Set-Cookie: foo=baz; domain=foo.com; expires=Thu Mar 3 GMT 8:56:27 2033 This matches Chrome, Opera, Safari, and Firefox behavior. When sending stored tokens to foo.com Chrome, Opera, Firefox store send them in the stored order, while Safari pre-sort the cookies. Closes #1050
* cookie.c: Fix misleading indentationViktor Szakats2016-07-131-1/+1
| | | | Closes https://github.com/curl/curl/pull/911
* internals: rename the SessionHandle struct to Curl_easyDaniel Stenberg2016-06-221-7/+7
|
* lib: include curl_printf.h as one of the last headersDaniel Stenberg2016-04-291-2/+2
| | | | | | | | | | | | | | | | | | | | curl_printf.h defines printf to curl_mprintf, etc. This can cause problems with external headers which may use __attribute__((format(printf, ...))) markers etc. To avoid that they cause problems with system includes, we include curl_printf.h after any system headers. That makes the three last headers to always be, and we keep them in this order: curl_printf.h curl_memory.h memdebug.h None of them include system headers, they all do funny #defines. Reported-by: David Benjamin Fixes #743
* cookies: first n/v pair in Set-Cookie: is the cookie, then parametersDaniel Stenberg2016-03-101-9/+10
| | | | | | | | | | | | | | | | | | | RFC 6265 section 4.1.1 spells out that the first name/value pair in the header is the actual cookie name and content, while the following are the parameters. libcurl previously had a more liberal approach which causes significant problems when introducing new cookie parameters, like the suggested new cookie priority draft. The previous logic read all n/v pairs from left-to-right and the first name used that wassn't a known parameter name would be used as the cookie name, thus accepting "Set-Cookie: Max-Age=2; person=daniel" to be a cookie named 'person' while an RFC 6265 compliant parser should consider that to be a cookie named 'Max-Age' with an (unknown) parameter 'person'. Fixes #709
* cookie: do not refuse cookies for localhostTim Rühsen2016-03-081-4/+6
| | | | Closes #658
* cookie: Don't expire session cookies in remove_expiredJay Satiro2016-03-051-1/+1
| | | | | | | | Prior to this change cookies with an expiry date that failed parsing and were converted to session cookies could be purged in remove_expired. Bug: https://github.com/curl/curl/issues/697 Reported-by: Seth Mos
* cookie: remove redundant checkDaniel Stenberg2016-03-031-18/+15
| | | | | | | ... as it was already checked previously within the function. Reported-by: Dmitry-Me Closes #695
* cookies: allow spaces in cookie names, cut of trailing spacesDaniel Stenberg2016-02-081-7/+16
| | | | | | | | | | | | It turns out Firefox and Chrome both allow spaces in cookie names and there are sites out there using that. Turned out the code meant to strip off trailing space from cookie names didn't work. Fixed now. Test case 8 modified to verify both these changes. Closes #639
* URLs: change all http:// URLs to https://Daniel Stenberg2016-02-031-2/+2
|
* cookies: Add support for Mozilla's Publix Suffix ListTim Rühsen2015-10-171-0/+21
| | | | | | | | | | | | Use libpsl to check the domain value of Set-Cookie headers (and cookie jar entries) for not being a Publix Suffix. The configure script checks for "libpsl" by default. Disable the check with --without-libpsl. Ref: https://publicsuffix.org/ Ref: https://github.com/publicsuffix/list Ref: https://github.com/rockdaboot/libpsl
* cookie: Fix bug in export if any-domain cookie is presentJay Satiro2015-06-181-7/+2
| | | | | | | | | In 3013bb6 I had changed cookie export to ignore any-domain cookies, however the logic I used to do so was incorrect, and would lead to a busy loop in the case of exporting a cookie list that contained any-domain cookies. The result of that is worse though, because in that case the other cookies would not be written resulting in an empty file once the application is terminated to stop the busy loop.
* cookie: Stop exporting any-domain cookiesJay Satiro2015-06-031-1/+4
| | | | | | | Prior to this change any-domain cookies (cookies without a domain that are sent to any domain) were exported with domain name "unknown". Bug: https://github.com/bagder/curl/issues/292
* curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXTJay Satiro2015-06-011-2/+2
| | | | | | | | | | | | | | | | | - Change fopen calls to use FOPEN_READTEXT instead of "r" or "rt" - Change fopen calls to use FOPEN_WRITETEXT instead of "w" or "wt" This change is to explicitly specify when we need to read/write text. Unfortunately 't' is not part of POSIX fopen so we can't specify it directly. Instead we now have FOPEN_READTEXT, FOPEN_WRITETEXT. Prior to this change we had an issue on Windows if an application that uses libcurl overrides the default file mode to binary. The default file mode in Windows is normally text mode (translation mode) and that's what libcurl expects. Bug: https://github.com/bagder/curl/pull/258#issuecomment-107093055 Reported-by: Orgad Shaneh
* cookie: cookie parser out of boundary memory accessDaniel Stenberg2015-04-211-5/+7
| | | | | | | | | | | | | | The internal libcurl function called sanitize_cookie_path() that cleans up the path element as given to it from a remote site or when read from a file, did not properly validate the input. If given a path that consisted of a single double-quote, libcurl would index a newly allocated memory area with index -1 and assign a zero to it, thus destroying heap memory it wasn't supposed to. CVE-2015-3145 Bug: http://curl.haxx.se/docs/adv_20150422C.html Reported-by: Hanno Böck
* cookie: handle spaces after the name in Set-CookieDaniel Stenberg2015-04-011-1/+1
| | | | | | | | | | "name =value" is fine and the space should just be skipped. Updated test 31 to also test for this. Bug: https://github.com/bagder/curl/issues/195 Reported-by: cromestant Help-by: Frank Gevaerts
* curl_memory: make curl_memory.h the second-last header file loadedDan Fandrich2015-03-241-2/+2
| | | | | | | This header file must be included after all header files except memdebug.h, as it does similar memory function redefinitions and can be similarly affected by conflicting definitions in system or dependent library headers.
* free: instead of Curl_safefree()Daniel Stenberg2015-03-161-1/+1
| | | | | | | | | | | | Since we just started make use of free(NULL) in order to simplify code, this change takes it a step further and: - converts lots of Curl_safefree() calls to good old free() - makes Curl_safefree() not check the pointer before free() The (new) rule of thumb is: if you really want a function call that frees a pointer and then assigns it to NULL, then use Curl_safefree(). But we will prefer just using free() from now on.
* Bug #149: Deletion of unnecessary checks before calls of the function "free"Markus Elfring2015-03-161-36/+17
| | | | | | | | | | | The function "free" is documented in the way that no action shall occur for a passed null pointer. It is therefore not needed that a function caller repeats a corresponding check. http://stackoverflow.com/questions/18775608/free-a-null-pointer-anyway-or-check-first This issue was fixed by using the software Coccinelle 1.0.0-rc24. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
* mprintf.h: remove #ifdef CURLDEBUGDaniel Stenberg2015-03-031-4/+2
| | | | | ... and as a consequence, introduce curl_printf.h with that re-define magic instead and make all libcurl code use that instead.
* cookies: Improved OOM handling in cookiesDan Fandrich2014-12-091-23/+48
| | | | | | This fixes the test 506 torture test. The internal cookie API really ought to be improved to separate cookie parsing errors (which may be ignored) with OOM errors (which should be fatal).
* cookie.c: Refactored cleanup code to simplifyDan Fandrich2014-12-071-25/+19
| | | | Also, fixed the outdated comments on the cookie API.
View Lorry Controller Status