-
-
Notifications
You must be signed in to change notification settings - Fork 6.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Curl cookie handling bug with spaces #195
Comments
from IRC #curlusers |
The following patch fixes this for me (but probably breaks the test suite and maybe some actual real things as well):
From looking at the code, I think it worked before 7c21c1c (I can't easily test, autoconf issues with older builds). The code that's supposed to strip such whitespace is still there, so I assume the intent is to still support such whitespace. |
Thanks, I'll write up a test case (or perhaps amend an existing) for this to first repeat it and then make sure it verifies the fix - while not breaking any existing test! |
Unfortunately, only this patch is not enough. It breaks test 31. I'll work on a minor improvement. |
"name =value" is fine and the space should just be skipped. Updated test 31 to also test for this. Bug: #195 Reported-by: cromestant Help-by: Frank Gevaerts
Please try out this version. The fix is very similar to @gevaerts', and I also extended the test case to make sure it works with a name with a trailing space. |
Presumed to be fixed, closing this issue! |
I can confirm upon building and testing that the issue is resolved. |
Thanks for confirming |
From reading the cookie grammar in RFC 6265, it appears that whitespace is not allowed around the "=" sign, or within the value. Should Curl be accepting invalid cookies, or emitting a warning or error when it encounters an invalid formatted cookie? |
I might be minterpreting this, but I see set-cookie-string = cookie-pair *( ";" SP cookie-av ) so cookie pair: cookie-pair = cookie-name "=" cookie-value cookie name is defined as token which is defined in which clearly includes spaces and cookie value is defined as cookie octed with and without double quotes. cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E So in looking at it I do see whitepaces as valid... On Tue, Apr 14, 2015 at 9:47 AM, Mark Stosberg notifications@github.com
MSc. Charles M. Romestant F. Merci de penser à l'environnement avant d'imprimer cet e-mail |
emphasis on whitepsace in cookie-octet added by my gmail sending.. sorryabout that |
As you posted above, the cookie-octet is to contain: "US-ASCII characters excluding CTLs, whitespace DQUOTE, comma, semicolon, and backslash". I read that as excluding whitespace in the cookie values. |
The Mozilla Cookie Documentation is also clear that unencoded whitespace is now allowed in cookies. (Search for "white" on that page). |
I agree, I misread, Attributes (names) (attr) are case-insensitive. White space is "white spaces are permitted between tokens" which if looking at the av-pair = attr ["=" value] ; optional value value = token | quoted-string could mean that between the name and = and value... as name and value In the end the thing that preocupies me the most:
=> we could break compatibility with this So I 'd say leaving it in even though it is not "proper". [1] Chromium code has this function: void ParseRequestCookieLine(const std::string& header_value,
On Tue, Apr 14, 2015 at 10:39 AM, Mark Stosberg notifications@github.com
MSc. Charles M. Romestant F. Merci de penser à l'environnement avant d'imprimer cet e-mail |
"CURL's doc" as mentioned there is not at all curl's doc, it is the original Netscape spec for cookies and we use that only as a historic reference now (we host it only because the original hosting place went away and it would otherwise be gone). We have RFC 6265 to follow these days. I believe we now do like the browsers do. RFC 2965 is not a spec anyone follows, and curl doesn't either. Ignore that. |
Great discussion, but what is the "official" policy on this in the end? On Wed, Apr 15, 2015 at 2:48 PM, Daniel Stenberg notifications@github.com
MSc. Charles M. Romestant F. Merci de penser à l'environnement avant d'imprimer cet e-mail |
The policy is to A) follow the spec but also to B) do how "the others" do it - for maximum compatibility. Like the browsers. And they should all adhere to RFC 6265. We don't really have warnings in libcurl. |
great! On Wed, Apr 15, 2015 at 3:10 PM, Daniel Stenberg notifications@github.com
MSc. Charles M. Romestant F. Merci de penser à l'environnement avant d'imprimer cet e-mail |
"name =value" is fine and the space should just be skipped. Updated test 31 to also test for this. Bug: curl#195 Reported-by: cromestant Help-by: Frank Gevaerts
Hello,
I just ran into a wonky behavior in curl 's cookie handling when spaces exist in the cookie:
here is a gist with the trace:https://gist.github.com/cromestant/9452ad9912c27882867c
to reproduce I created two PHP files
//cookie.php
and
//cookies2.php
the only difference is the space in the cookie name=value .
I looked at the RFC and it seems like a valid cookie header.
If you curl it and use a cookie jar you will see that cookie 2 does not set the value
you can test here:
http://test dot tigocloud dot net slash cookie.php
and cookie2.php
The text was updated successfully, but these errors were encountered: