
curl-tracker Archives

[curl:bugs] #1494 Cookies Not Following Path Rules

From: Steve Corriere <scorriere_at_users.sf.net>
Date: Fri, 13 Mar 2015 15:11:43 +0000

Don't worry, I am wrong consistently. I changed the cookie around to have better syntax (Tabs between the fields). I am still seeing the same behavior, however. Based on <http://tools.ietf.org/html/rfc6265#section-5.1.4>, the partial path should have a '/' suffix. I have tried with this, but I don't believe that it changed anything.

    cat /tmp/broken_cookie
    # Netscape HTTP Cookie File
    # http://curl.haxx.se/docs/http-cookies.html
    # This file was generated by libcurl! Edit at your own risk.

    .example.com TRUE /foo/bar.html FALSE 2426364040 full_path 1=true
    .example.com TRUE /foo/ FALSE 2426364040 partial_path1 1=true
    .example.com TRUE /foo FALSE 2426364040 partial_path2 1=true
    .example.com TRUE / FALSE 2426364040 general_path 1=true
    [scorriere@outrage src]$ ./curl -vvv -o /dev/null -b /tmp/broken_cookie "http://www.example.com/foobar"
    * Trying 93.184.216.34...
      % Total % Received % Xferd Average Speed Time Time Time Current
                                     Dload Upload Total Spent Left Speed
      0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to www.example.com (93.184.216.34) port 80 (#0)
    > GET /foobar HTTP/1.1
    > User-Agent: curl/7.41.0
    > Host: www.example.com
    > Accept: */*
    > Cookie: general_path 1=true=
    >
    < HTTP/1.1 404 Not Found
    < Accept-Ranges: bytes
    < Cache-Control: max-age=604800
    < Content-Type: text/html
    < Date: Fri, 13 Mar 2015 15:10:31 GMT
    < Etag: "359670651"
    < Expires: Fri, 20 Mar 2015 15:10:31 GMT
    < Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
    < Server: ECS (ewr/15AB)
    < X-Cache: 404-HIT
    < x-ec-custom-error: 1
    < Content-Length: 1270
    <
    { [1270 bytes data]
    100 1270 100 1270 0 0 81020 0 --:--:-- --:--:-- --:--:-- 84666
    * Connection #0 to host www.example.com left intact

---
**[bugs:#1494] Cookies Not Following Path Rules**

**Status:** open
**Labels:** cookies http
**Created:** Fri Mar 13, 2015 12:34 PM UTC by Steve Corriere
**Last Updated:** Fri Mar 13, 2015 02:53 PM UTC
**Owner:** Daniel Stenberg

I do not believe that Curl is correctly following the path rules for cookies based on <http://curl.haxx.se/rfc/cookie_spec.html>.  Specifically, I do not think that it is following:

"The path "/foo" would match "/foobar" and "/foo/bar.html". The path "/" is the most general path."

In the following example, I would expect that we send the "partial_path" cookie in all requests.  Note that for the request to "http://www.example.com/foobar," we are missing this cookie, but we have the cookie for "/foo/bar.html."

I have seen the same behavior in version curl-7.37.0.  A really old data point, but I believe that the behavior followed the cookie spec back in curl 7.19.7.

If curl is not supposed to be following the cookie_spec page, my apologies.

    [scorriere@outrage src]$ cat /tmp/broken_cookie 
    # Netscape HTTP Cookie File
    # http://curl.haxx.se/docs/http-cookies.html
    # This file was generated by libcurl! Edit at your own risk.
    
    .example.com    TRUE    /foo/bar.html   FALSE   2426364040      full_path 1
    .example.com    TRUE    /foo            FALSE   2426364040      partial_path 1
    .example.com    TRUE    /               FALSE   2426364040      general_path 1
    [scorriere@outrage src]$ ./curl -vvv -o /dev/null -b /tmp/broken_cookie "http://www.example.com/foo"
    *   Trying 93.184.216.34...
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to www.example.com (93.184.216.34) port 80 (#0)
    > GET /foo HTTP/1.1
    > User-Agent: curl/7.41.0
    > Host: www.example.com
    > Accept: */*
    > Cookie: partial_path 1=; general_path 1=
    > 
    < HTTP/1.1 404 Not Found
    < Accept-Ranges: bytes
    < Cache-Control: max-age=604800
    < Content-Type: text/html
    < Date: Fri, 13 Mar 2015 12:27:53 GMT
    < Etag: "359670651"
    < Expires: Fri, 20 Mar 2015 12:27:53 GMT
    < Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
    < Server: ECS (ewr/144C)
    < X-Cache: 404-HIT
    < x-ec-custom-error: 1
    < Content-Length: 1270
    < 
    { [1270 bytes data]
    100  1270  100  1270    0     0  78696      0 --:--:-- --:--:-- --:--:-- 84666
    * Connection #0 to host www.example.com left intact
    [scorriere@outrage src]$ ./curl -vvv -o /dev/null -b /tmp/broken_cookie "http://www.example.com/foobar"
    *   Trying 93.184.216.34...
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to www.example.com (93.184.216.34) port 80 (#0)
    > GET /foobar HTTP/1.1
    > User-Agent: curl/7.41.0
    > Host: www.example.com
    > Accept: */*
    > Cookie: general_path 1=
    > 
    < HTTP/1.1 404 Not Found
    < Accept-Ranges: bytes
    < Cache-Control: max-age=604800
    < Content-Type: text/html
    < Date: Fri, 13 Mar 2015 12:27:59 GMT
    < Etag: "359670651"
    < Expires: Fri, 20 Mar 2015 12:27:59 GMT
    < Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
    < Server: ECS (ewr/15AB)
    < X-Cache: 404-HIT
    < x-ec-custom-error: 1
    < Content-Length: 1270
    < 
    { [1270 bytes data]
    100  1270  100  1270    0     0  78657      0 --:--:-- --:--:-- --:--:-- 84666
    * Connection #0 to host www.example.com left intact
    [scorriere@outrage src]$ ./curl -vvv -o /dev/null -b /tmp/broken_cookie "http://www.example.com/foo/bar.html"
    *   Trying 93.184.216.34...
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to www.example.com (93.184.216.34) port 80 (#0)
    > GET /foo/bar.html HTTP/1.1
    > User-Agent: curl/7.41.0
    > Host: www.example.com
    > Accept: */*
    > Cookie: full_path 1=; partial_path 1=; general_path 1=
    > 
    < HTTP/1.1 404 Not Found
    < Accept-Ranges: bytes
    < Cache-Control: max-age=604800
    < Content-Type: text/html
    < Date: Fri, 13 Mar 2015 12:28:03 GMT
    < Etag: "359670651"
    < Expires: Fri, 20 Mar 2015 12:28:03 GMT
    < Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
    < Server: ECS (ewr/15CC)
    < X-Cache: 404-HIT
    < x-ec-custom-error: 1
    < Content-Length: 1270
    < 
    { [1270 bytes data]
    100  1270  100  1270    0     0  80242      0 --:--:-- --:--:-- --:--:-- 84666
    * Connection #0 to host www.example.com left intact
    [scorriere@outrage src]$ 

**OS Version**

    cat /etc/redhat-release 
    CentOS Linux release 6.0 (Final)
    [scorriere@outrage src]$ uname -a
    Linux outrage.verivue.com 2.6.32-71.el6.x86_64 #1 SMP Fri May 20 03:51:51 BST 2011 x86_64 x86_64 x86_64 GNU/Linux

**Curl Version**

    ./curl --version
    curl 7.41.0 (x86_64-unknown-linux-gnu) libcurl/7.41.0 OpenSSL/1.0.2 zlib/1.2.5 libidn/1.18 librtmp/2.3
    Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp 
    Features: IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets 

Received on 2015-03-13
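
The two path rules cited in this thread, the Netscape cookie_spec prefix match and the RFC 6265 section 5.1.4 path-match, compared over the cookie paths and request paths from the ticket. This is an added example, not part of the original mail and not curl's own code; the function names and the bitmask helper are hypothetical. The RFC rule only accepts a prefix at a `/` boundary, which keeps a cookie scoped to `/foo` from being sent to an unrelated `/foobar` resource.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Cookie paths taken from the two cookie files in this thread. */
static const char *const COOKIE_PATHS[] = { "/foo/bar.html", "/foo/", "/foo", "/" };
#define N_PATHS (sizeof COOKIE_PATHS / sizeof COOKIE_PATHS[0])

/* Netscape cookie_spec rule quoted in the ticket: plain string-prefix match. */
static bool netscape_prefix_match(const char *cookie_path, const char *request_path)
{
    return strncmp(cookie_path, request_path, strlen(cookie_path)) == 0;
}

/* RFC 6265 section 5.1.4 path-match: a prefix only counts at a '/' boundary. */
static bool rfc6265_path_match(const char *cookie_path, const char *request_path)
{
    size_t clen = strlen(cookie_path);

    /* Empty cookie-path is rejected here; RFC 6265 would use a default-path. */
    if (clen == 0 || strncmp(cookie_path, request_path, clen) != 0)
        return false;
    if (request_path[clen] == '\0')          /* paths are identical */
        return true;
    if (cookie_path[clen - 1] == '/')        /* cookie-path ends in '/' */
        return true;
    return request_path[clen] == '/';        /* prefix ends at a segment boundary */
}

/* Hypothetical helper: bit i is set when COOKIE_PATHS[i] matches request_path. */
static unsigned matching_mask(bool (*match)(const char *, const char *),
                              const char *request_path)
{
    unsigned mask = 0;
    for (size_t i = 0; i < N_PATHS; i++)
        if (match(COOKIE_PATHS[i], request_path))
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    const char *requests[] = { "/foo", "/foobar", "/foo/bar.html" };
    for (size_t r = 0; r < sizeof requests / sizeof requests[0]; r++)
        printf("%-14s netscape=0x%x rfc6265=0x%x\n", requests[r],
               matching_mask(netscape_prefix_match, requests[r]),
               matching_mask(rfc6265_path_match, requests[r]));
    return 0;
}
```

The two rules differ only for the request to `/foobar`, where the RFC 6265 rule drops the `/foo` cookie; that is the same set of cookies the curl 7.41.0 traces above show being sent.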
