curl doesn't update cookie file #10120

Closed
bagder opened this issue Dec 20, 2022 Discussed in #10117 · 2 comments
bagder commented Dec 20, 2022

Discussed in #10117

Originally posted by BratSinot December 19, 2022
Greetings!

I have a file with cookies and I want curl to use that file and update it with new cookies from the response. I try to use this:

curl \
  -b cookie.sub \
  -c cookie.sub \
  -d "$(jq -rc --arg ID "$ID" '.[0].id = $ID' json/handshake.json)" \
  -H 'Content-Type: application/json' \
  '[::1]:8017/notifications' |
  jq -r '.[0].clientId'

but curl ignores set-cookies from the response (the response has set-cookies, I checked it through Wireshark). How can I overcome this behaviour?

cookie.sub:

# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_::1	FALSE	/notifications/	FALSE	0	<manual set cookie name>	<cookie value>

Curl version:

```
✗ curl --version
curl 7.85.0 (x86_64-apple-darwin22.0) libcurl/7.85.0 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.11 nghttp2/1.47.0
Release-Date: 2022-08-31
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL threadsafe UnixSockets
```

bagder added the cookies label Dec 20, 2022
bagder added a commit that referenced this issue Dec 20, 2022
When checking if there is a "secure context", which it is if the
connection is to localhost even if the protocol is HTTP, the comparison
for ::1 was done incorrectly and included brackets.

Reported-by: BratSinot on github

Fixes #10120

BratSinot commented Dec 20, 2022

wireshark.pcapng.txt

Also, here is a minimal reproducible example:
http.go:

```go
package main

import (
	"fmt"
	"net/http"
)

func helloHandler(w http.ResponseWriter, req *http.Request) {
	// set cookie for storing token
	cookie := &http.Cookie{
		Name:     "name1",
		Value:    "Value1",
		Secure:   true,
		HttpOnly: true,
	}
	http.SetCookie(w, cookie)

	fmt.Printf("Got cookies: `%v`\n", req.Cookies())

	fmt.Fprintf(w, "Hello World!\n")
}

func main() {
	fmt.Println(":1025")

	http.HandleFunc("/notifications", helloHandler)
	http.ListenAndServe(":1025", nil)
}
```

cookie.txt:

# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_::1	FALSE	/notifications	FALSE	0	name0	value0

curl:

➜  curl_cookie curl -vvv -b cookie.txt -c cookie.txt '[::1]:1025/notifications'
*   Trying [::1]:1025...
* Connected to ::1 (::1) port 1025 (#0)
> GET /notifications HTTP/1.1
> Host: [::1]:1025
> User-Agent: curl/7.86.0
> Accept: */*
> Cookie: name0=value0
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Set-Cookie: name1=Value1; Path=/notifications; HttpOnly; Secure
< Date: Tue, 20 Dec 2022 08:37:36 GMT
< Content-Length: 13
< Content-Type: text/plain; charset=utf-8
<
Hello World!
* Connection #0 to host ::1 left intac

http.go:

➜  curl_cookie go run ./http.go
:1025
Got cookies: `[name0=value0]`

And cookie.txt doesn't change.
I also upgraded curl:

➜  curl_cookie curl --version
curl 7.86.0 (x86_64-apple-darwin22.1.0) libcurl/7.86.0 (SecureTransport) OpenSSL/1.1.1s zlib/1.2.11 brotli/1.0.9 zstd/1.5.2 libidn2/2.3.4 libssh2/1.10.0 nghttp2/1.51.0 librtmp/2.3
Release-Date: 2022-10-26
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd

I've also checked it in a golang:1.19.4-bullseye Docker container (to rule out the possibility that macOS is doing something wrong); still no cookies.


bagder commented Dec 20, 2022

The bug is that curl checks for the host name [::1] while it is stored as ::1 and therefore wrongly does not consider it to be a "secure context". Tentative fix in #10121

bagder closed this as completed in 565d0ca Dec 20, 2022
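
The comparison described in this issue, as an added example: a simplified model written for this page, not curl's source code. All function names are hypothetical, and the loopback names other than `::1` are an assumed list; it shows why a `Secure` cookie received over plain HTTP from `[::1]` was dropped before the fix and kept after it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: URL host "[::1]" -> stored name "::1" (brackets off).
   Returns false on unbalanced brackets, empty input or a too-small buffer. */
bool stored_host(const char *url_host, char *out, size_t outlen)
{
  size_t len = strlen(url_host);
  if(url_host[0] == '[') {
    if(len < 3 || url_host[len - 1] != ']')
      return false;
    url_host++;              /* skip '[' */
    len -= 2;                /* drop both brackets */
  }
  else if(len == 0 || strchr(url_host, ']'))
    return false;
  if(len >= outlen)
    return false;
  memcpy(out, url_host, len);
  out[len] = '\0';
  return true;
}

/* Loopback names treated as a secure context (assumed list for this model). */
static bool loopback(const char *host, const char *v6)
{
  return !strcasecmp(host, "localhost") || !strcmp(host, "127.0.0.1") ||
         !strcmp(host, v6);
}
/* Before the fix: the bracketed literal never equals the stored name. */
bool secure_context_before(bool https, const char *host)
{ return https || loopback(host, "[::1]"); }
/* After the fix: compare against the name in the form it is stored. */
bool secure_context_after(bool https, const char *host)
{ return https || loopback(host, "::1"); }
/* A cookie carrying the Secure attribute is kept only in a secure context. */
bool cookie_stored(bool secure_attr, bool secure_ctx)
{ return !secure_attr || secure_ctx; }

int main(void)
{
  char host[64];             /* constructed input: the URL host from the issue */
  if(!stored_host("[::1]", host, sizeof(host)))
    return 1;
  printf("before: %d\n", cookie_stored(true, secure_context_before(false, host)));
  printf("after:  %d\n", cookie_stored(true, secure_context_after(false, host)));
  return 0;
}
```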