curl doesn't update cookie file

[bagder]

Discussed in #10117

^{Originally posted by BratSinot December 19, 2022}
Greetings!

I have some file with cookie and I want curl to use that file and update it with new cookies from response. I try to use this:

curl \
  -b cookie.sub \
  -c cookie.sub \
  -d "$(jq -rc --arg ID "$ID" '.[0].id = $ID' json/handshake.json)" \
  -H 'Content-Type: application/json' \
  '[::1]:8017/notifications' |
  jq -r '.[0].clientId'

but curl ignores set-cookies from response (response have set-cookies, I check it through Wireshark). How can I overcome this behaviour?

cookie.sub:

# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_::1	FALSE	/notifications/	FALSE	0	<manual set cookie name>	<cookie value>

Curl version:

✗ curl --version
curl 7.85.0 (x86_64-apple-darwin22.0) libcurl/7.85.0 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.11 nghttp2/1.47.0
Release-Date: 2022-08-31
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL threadsafe UnixSockets
```</div>

[BratSinot]

wireshark.pcapng.txt

Also here is minimal reproducible example:
http.go:

package main

import (
	"fmt"
	"net/http"
)

func helloHandler(w http.ResponseWriter, req *http.Request) {
	// set cookie for storing token
	cookie := &http.Cookie {
	    Name: "name1",
	    Value: "Value1",
	    Secure: true,
	    HttpOnly: true,
	}
	http.SetCookie(w, cookie)

    fmt.Printf("Got cookies: `%v`\n", req.Cookies())

	fmt.Fprintf(w, "Hello World!\n")
}

func main() {
    fmt.Println(":1025")

	http.HandleFunc("/notifications", helloHandler)
	http.ListenAndServe(":1025", nil)
}

cookie.txt:

# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_::1	FALSE	/notifications	FALSE	0	name0	value0

curl:

➜  curl_cookie curl -vvv -b cookie.txt -c cookie.txt '[::1]:1025/notifications'
*   Trying [::1]:1025...
* Connected to ::1 (::1) port 1025 (#0)
> GET /notifications HTTP/1.1
> Host: [::1]:1025
> User-Agent: curl/7.86.0
> Accept: */*
> Cookie: name0=value0
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Set-Cookie: name1=Value1; Path=/notifications; HttpOnly; Secure
< Date: Tue, 20 Dec 2022 08:37:36 GMT
< Content-Length: 13
< Content-Type: text/plain; charset=utf-8
<
Hello World!
* Connection #0 to host ::1 left intac

http.go:

➜  curl_cookie go run ./http.go
:1025
Got cookies: `[name0=value0]`

And cookie.txt doesn't change.
I also upgrade curl:

➜  curl_cookie curl --version
curl 7.86.0 (x86_64-apple-darwin22.1.0) libcurl/7.86.0 (SecureTransport) OpenSSL/1.1.1s zlib/1.2.11 brotli/1.0.9 zstd/1.5.2 libidn2/2.3.4 libssh2/1.10.0 nghttp2/1.51.0 librtmp/2.3
Release-Date: 2022-10-26
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd

I've also checked it in golang:1.19.4-bullseye docker container (to get rid of possibility what it MacOS doing something wrong), still no cookies.

[bagder]

The bug is that curl checks for the host name [::1] while it is stored as ::1 and therefore wrongly does not consider it to be a "secure context". Tentative fix in #10121