curl-library

RE: Cookie path matching case sensitivity

From: Ates Goral <Ates.Goral_at_genesyslab.com>
Date: Fri, 7 Jul 2006 16:01:08 -0700

Hi Daniel,

Thanks for the (always) prompt response!

Please see the attached patch (against 7.15.1). The fix has been tested
as follows:

1) Prior to the fix, with path case mismatch:

Request 1:
  GET /test/sub/set.php HTTP/1.0

Response 1:
  HTTP/1.1 200 OK
  Set-Cookie: MyCookie=foo; Path=/test/Su

Request 2:
  GET /test/sub/check.php HTTP/1.0
  Cookie: MyCookie=foo

  * WRONG *

2.1) After the fix, with path case mismatch:

Request 1:
  GET /test/sub/set.php HTTP/1.0

Response 1:
  HTTP/1.1 200 OK
  Set-Cookie: MyCookie=foo; Path=/test/Su

Request 2:
  GET /test/sub/check.php HTTP/1.0
  (No cookie header)

  * CORRECT *

2.2) After the fix, with path case match:

Request 1:
  GET /test/sub/set.php HTTP/1.0

Response 1:
  HTTP/1.1 200 OK
  Set-Cookie: MyCookie=foo; Path=/test/su

Request 2:
  GET /test/sub/check.php HTTP/1.0
  Cookie: MyCookie=foo

  * CORRECT *

Thanks,
Ates

-----Original Message-----
From: curl-library-bounces_at_cool.haxx.se [mailto:curl-library-bounces_at_cool.haxx.se] On Behalf Of Daniel Stenberg
Sent: Friday, July 07, 2006 4:33 AM
To: libcurl development
Subject: Re: Cookie path matching case sensitivity

On Thu, 6 Jul 2006, Ates Goral wrote:

> cURL's cookie path matching seems to be case insensitive. Is this a bug or a
> design decision?

I think it looks like a bug! Nice research.

> What does the cookie spec say about this?

The problem here is that "the cookie spec" that everyone still bases their
cookie works on is the old original Netscape document and it isn't very
detailed.

> Is it left to the implementation or is there a well defined standard for
> this?

Later more detailed and properly documented RFCs for cookies, like RFC 2965
says (section 3.3.3)

   "the old and new Path attribute values string-compare equal
   (case-sensitive)."

You up to provide us with a patch that corrects this flaw?

-- 
  Commercial curl and libcurl Technical Support: http://haxx.se/curl.html

Received on 2006-07-08
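
The three test cases from the mail above, reproduced as an added example; this is not curl's code and not the attached patch. It assumes a plain prefix comparison of the cookie Path against the request path, and the `struct cookie` and `cookie_header` names are hypothetical. With the case-insensitive comparison the cookie leaves the path scope the server set for it.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>  /* strncasecmp (POSIX) */

/* Constructed stand-in for a stored cookie; not libcurl's own struct. */
struct cookie { const char *name, *value, *path; };

typedef int (*prefix_cmp)(const char *, const char *, size_t);

/* Plain prefix match of the cookie Path against the request path. */
static int path_matches(const struct cookie *c, const char *req, prefix_cmp cmp)
{
    return cmp(c->path, req, strlen(c->path)) == 0;
}

/* Builds the Cookie header for a request, or leaves out empty when the
   cookie must not be sent. Returns 1 if a header was written. */
int cookie_header(const struct cookie *c, const char *req,
                  int case_sensitive, char *out, size_t outlen)
{
    prefix_cmp cmp = case_sensitive ? strncmp : strncasecmp;
    if (outlen == 0)
        return 0;
    out[0] = '\0';
    if (!path_matches(c, req, cmp))
        return 0;
    snprintf(out, outlen, "Cookie: %s=%s", c->name, c->value);
    return 1;
}

int main(void)
{
    /* Values taken from the test cases in the mail. */
    const struct cookie mismatch = { "MyCookie", "foo", "/test/Su" };
    const struct cookie match = { "MyCookie", "foo", "/test/su" };
    const char *req = "/test/sub/check.php";
    char hdr[64];

    cookie_header(&mismatch, req, 0, hdr, sizeof hdr);
    printf("1)   insensitive, Path=/test/Su: [%s]\n", hdr);
    cookie_header(&mismatch, req, 1, hdr, sizeof hdr);
    printf("2.1) sensitive,   Path=/test/Su: [%s]\n", hdr);
    cookie_header(&match, req, 1, hdr, sizeof hdr);
    printf("2.2) sensitive,   Path=/test/su: [%s]\n", hdr);
    return 0;
}
```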