cURL
Haxx ad
libcurl
Mailing Lists

curl's project page on SourceForge.net

Sponsors:
Haxx

cURL > Mailing List > Monthly Index > Single Mail

curl-tracker mailing list Archives

[ curl-Bugs-2890369 ] cookie expires time parse and processing bug

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Sun, 01 Nov 2009 18:34:18 +0000

Bugs item #2890369, was opened at 2009-11-01 10:34
Message generated for change (Tracker Item Submitted) made by ivrom
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2890369&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: wrong behaviour
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: ivrom (ivrom)
Assigned to: Daniel Stenberg (bagder)
Summary: cookie expires time parse and processing bug

Initial Comment:
cURL version: up to the 7.19.6

In order to remove some specific cookie from the browser's (or curl) cookies list server may send to the client already expired cookie. libcurl improperly handles such cookie If server uses specific timestap "Thu, 01-Jan-1970 00:00:00 GMT". Example:

Set-Cookie: SomeCookie=blabla; domain=.some.domain.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/

Timestamp "Thu, 01-Jan-1970 00:00:00 GMT" is parsed by curl_getdate() to the time_t(0) and libcurl improperly treats this cookie as session one instead of expired.

File: cookie.c
line: 364-367
/* Note that we store -1 in 'expires' here if the date couldn't
  get parsed for whatever reason. This will have the effect that
   the cookie won't match. */
co->expires = curl_getdate(what, &now);

File: cookie.c
lines: 571-574
  if(!c->running && /* read from a file */
     c->newsession && /* clean session cookies */
     !co->expires) { /* this is a session cookie since it doesn't expire! */
    freecookie(co);

Possible solution: add extra special value "1" (expired) to the expiration time in addition to the values "-1" (invalid) and 0 (session cookie) so date "Thu, 01-Jan-1970 00:00:00 GMT" will be handled correctly as expired.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2890369&group_id=976
Received on 2009-11-01

These mail archives are generated by hypermail.

donate! Page updated November 12, 2010.
web site info

File upload with ASP.NET