-
-
Notifications
You must be signed in to change notification settings - Fork 6.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cookies aren't saved for hostnames #3649
Comments
For non-PSL builds yes, as PSL builds already had that logic. Both cases now have stricter host name requirements than curl did back in the 7.40 days.
This is a lovely in-between case. The cookie specs are clearly moving towards making this sort of cookie illegal, as they tend to focus on how cookies (should) work on the big Internet. In this case we're talking cookies in a more closed environment. It's a tricky situation. I would love to be able to fix this without adding another option, but can we? |
Firefox and Chrome allow it. Is there a disadvantage of allowing hostname regardless of libpsl other than (I assume) some rfc violation? /cc @rockdaboot |
You mean they allow this dot-less name? Then we really should too!
Yes, it's a security thing. If "example.co.uk" can set a cookie for "co.uk", then that cookie will then also match "secrets.co.uk" etc. "co.uk" being a PSL. The RFC on this is actually really vague and PSL as a concept is weird and fragile, but that's the best there is right now... |
On a dot-less domain (in this case it is a hostname), the "prevailing star rule" of the PSL is applied. In the internet you normally want it for cookie checking, else you open up a security hole. But on local networks, you might not want it. So you can use The same for the I can currently not say if there is a way to automatically detect the environment. If there is no safe way, it smells for another curl option. |
It seems rather complicated to detect that in way that it will a) catch all the cases and b) be leakproof wrt cookie jars. If we add an option to this, then we need to make the option apply to PSL enabled builds too I would assume. (sorry for being slow to respond, travelling put me offline for a bit) |
That makes sense. Let me know how you name it (if it comes to that point). I would like to see something similar for wget/wget2. Can't hurt if the option names match. |
If you use curl with libpsl, you could also add your local domain/host name as exception in the used PSL file. |
We should support this without any extra options since the browsers do that. I can go to |
I noticed the bug is only present in non-PSL builds. I think I'll go with reverting 3773de3. PR coming up. |
This bug was introduced in 7.64.0. |
Are you sure this is only non-psl? The guy who reported it seems to be using libpsl/0.20.2 |
My new test case in #3659 worked fine with my PSL build when I tried it locally, and the commit I reverted to get it working on a non-PSL build was only affecting non-PSL. If the problem exists on a PSL build, then I suspect my test case isn't good enough. Unfortunately I don't think we have the full URL and its corresponding response headers to know for sure? |
For you information, I've noticed the problem using the latest version of MSYS2 which embeds curl 7.64.0. It seems that this curl was built with PSL feature as mentioned by the --version option: |
Then please detail the problem for us. The problem as I reproduced (and fixed) was not present in PSL builds. How do you reproduce it? |
Primarily, I would like to know the URL used and what the (cookie) response headers looked like that curl didn't accept. |
OK, as I already told, I use a binary version of curl embedded in MSYS2 (freely downloadable at https://www.msys2.org/). This binary is built with the features mentioned above.
Here is the file containing the cookies: Hope this helps, |
I turned that into a "real" issue: #3676 so that it gets the correct attention. |
I did this
Reported by @deepakhj in the offending PR and Pierre Brico in curl-users (the latter version below):
Note the host fronteo-keycloak-rmm is not a DNS name so what he's seeing is likely due to #2964 which "extended domain checks to non psl builds", namely such a hostname will be unable to set cookies.
I expected the following
Non-DNS cookies to be saved... maybe. I'm not sure if this is right or not.
curl/libcurl version
curl 7.64.0 (x86_64-pc-msys) libcurl/7.64.0 OpenSSL/1.1.1b zlib/1.2.11 brotli/1.0.7 libidn2/2.1.1 libpsl/0.20.2 (+libidn2/2.1.1) libssh2/1.8.0 nghttp2/1.36.0
Release-Date: 2019-02-06
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS Debug TrackMemory IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz brotli TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL Metalink
operating system
Windows
/cc @danielgustafsson
The text was updated successfully, but these errors were encountered: