RFC 6265 section 4.1.1 spells out that the first name/value pair in the
header is the actual cookie name and content, while the following are
the parameters.
libcurl previously had a more liberal approach which causes significant
problems when introducing new cookie parameters, like the suggested new
cookie priority draft.
The previous logic read all n/v pairs from left-to-right and the first
name used that wassn't a known parameter name would be used as the
cookie name, thus accepting "Set-Cookie: Max-Age=2; person=daniel" to be
a cookie named 'person' while an RFC 6265 compliant parser should
consider that to be a cookie named 'Max-Age' with an (unknown) parameter
'person'.
Fixes #709
while(*whatptr && ISBLANK(*whatptr))
whatptr++;
- if(!len) {
+ if(!co->name && sep) {
+ /* The very first name/value pair is the actual cookie name */
+ co->name = strdup(name);
+ co->value = strdup(whatptr);
+ if(!co->name || !co->value) {
+ badcookie = TRUE;
+ break;
+ }
+ }
+ else if(!len) {
/* this was a "<name>=" with no content, and we must allow
'secure' and 'httponly' specified this weirdly */
done = TRUE;
break;
}
}
- else if(!co->name) {
- co->name = strdup(name);
- co->value = strdup(whatptr);
- if(!co->name || !co->value) {
- badcookie = TRUE;
- break;
- }
- }
/*
else this is the second (or more) name we don't know
about! */
<data>
HTTP/1.1 200 OK
Date: Tue, 25 Sep 2001 19:37:44 GMT
-Set-Cookie: domain=.example.fake; bug=fixed;
+Set-Cookie: bug=fixed; domain=.example.fake;
Content-Length: 21\r
This server says moo
<data>
HTTP/1.1 200 Mooo swsclose
Connection: close
-Set-Cookie: path=/; thewinneris=nowayyouwin;
+Set-Cookie: thewinneris=nowayyouwin; path=/;
Content-Length: 8
*flopp*
projects / curl / commitdiff