
Tabs in cookie names and values

From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 13 Oct 2022 23:03:12 +0200 (CEST)

Hi,

I've been struggling with how to make curl handle tabs in cookie names and
values. Right now they cause problems when they are saved to file so we need
to do *something*.

The two options we have are basically

  A - escape them in the file
  B - reject them on arrival

The popular browsers are all over the place when it comes to handling these
cookies, and it is impossible to interoperate with tabs in them like this.

The cookie spec RFC 6265 is over ten years old and from my reading it allows
clients to accept "embedded" tabs.

The team working on updating the cookie spec, called rfc6265bis, have in a
surprising move decided to change wording in the pending update which more
clearly than before encourages clients to support tabs in names and content. I
have expressed my dislike to such a move and instead advocate that we should
just make it clear that tabs SHOULD NOT be allowed - since they clearly do not
interoperate anyway after cookies have been around for many decades.

Still, there's a pending release approach and we need to decide how to act
short-term and long-term.

My thinking:

We start out with (A), we reject such cookies starting next release. This
avoids the problem with saving to files and cookies with content like this are
bound to be very rare as they do not interoperate between clients.

If the rfc6265bis wording stays and browsers truly change direction in the
future and allow tabs more than they have done up until today, then we can
take a new decision and then maybe adopt method (B).

Method A: https://github.com/curl/curl/pull/9659

Method B: https://github.com/curl/curl/pull/9662

Thoughts?

-- 
  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html
Received on 2022-10-13
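To make the file problem concrete, here is an added example (not curl's code and not from either pull request): it serialises a cookie into the tab-separated Netscape cookie-jar line format that curl writes, shows how a tab in the name or value shifts the fields on read-back, and implements the "reject on arrival" check that refuses such cookies before they reach the jar. The field order and the sample cookie values are assumptions for illustration.

```python
"""Why a tab in a cookie name or value corrupts a tab-separated cookie file,
and a reject-on-arrival check that keeps such cookies out of the jar."""
import re

# Assumed Netscape cookie-jar layout: seven tab-separated fields per line.
FIELDS = ("domain", "include_subdomains", "path", "secure", "expires", "name", "value")

# Any ASCII control character, tab (0x09) included.
_CTL = re.compile(r"[\x00-\x1f\x7f]")


def jar_line(domain, subdomains, path, secure, expires, name, value):
    """Serialise one cookie as a single cookie-jar line."""
    return "\t".join([
        domain,
        "TRUE" if subdomains else "FALSE",
        path,
        "TRUE" if secure else "FALSE",
        str(expires),
        name,
        value,
    ])


def parse_jar_line(line):
    """Read a cookie-jar line back; None when the field count is wrong,
    which is exactly what an unescaped tab inside name or value causes."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def roundtrip_ok(name, value):
    """True when the cookie survives a save/load cycle unchanged."""
    line = jar_line("example.com", True, "/", False, 0, name, value)
    parsed = parse_jar_line(line)
    return parsed is not None and parsed["name"] == name and parsed["value"] == value


def accept_cookie(name, value):
    """Reject on arrival: refuse a cookie whose name or value carries a tab
    or any other control character, so it never has to be written to file."""
    return not (_CTL.search(name) or _CTL.search(value))


if __name__ == "__main__":
    for n, v in (("sid", "abc123"), ("sid", "ab\tc"), ("s\tid", "x")):
        print(repr((n, v)), "roundtrip:", roundtrip_ok(n, v), "accept:", accept_cookie(n, v))
```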