curl-tracker Archives
[curl:bugs] #1494 Cookies Not Following Path Rules
From: Steve Corriere <scorriere_at_users.sf.net>
Date: Mon, 16 Mar 2015 13:08:06 +0000
Alright, so I crafted some cookies in Firefox that I believe are acting like they did back in curl 7.19.7.
sqlite> select * from moz_cookies where baseDomain="example.com";
When I made a request for "http://example.com/foo/bar.html," Firefox sent all 3 cookies (see attached screenshot from Firefox developer tools).
If you think that I am wrong, feel free to close this out. My reason behind opening this was based on the link to <http://curl.haxx.se/rfc/cookie_spec.html>. If curl should not be following that, I am completely okay with that. Perhaps Firefox is still based off of that old "spec."
Attachment: exampleCookie.png (147.9 kB; image/png)
---

** [bugs:#1494] Cookies Not Following Path Rules**

**Status:** open
**Labels:** cookies http
**Created:** Fri Mar 13, 2015 12:34 PM UTC by Steve Corriere
**Last Updated:** Sat Mar 14, 2015 11:22 PM UTC
**Owner:** Daniel Stenberg

I do not believe that Curl is correctly following the path rules for cookies based on <http://curl.haxx.se/rfc/cookie_spec.html>. Specifically, I do not think that it is following:

"The path "/foo" would match "/foobar" and "/foo/bar.html". The path "/" is the most general path."

In the following example, I would expect that we send the "partial_path" cookie in all requests. Note that for the request to "http://www.example.com/foobar," we are missing this cookie, but we have the cookie for "/foo/bar.html."

I have seen the same behavior in version curl-7.37.0. A really old data point, but I believe that the behavior followed the cookie spec back in curl 7.19.7.

If curl is not supposed to be following the cookie_spec page, my apologies.

    [scorriere@outrage src]$ cat /tmp/broken_cookie
    # Netscape HTTP Cookie File
    # http://curl.haxx.se/docs/http-cookies.html
    # This file was generated by libcurl! Edit at your own risk.

    .example.com TRUE /foo/bar.html FALSE 2426364040 full_path 1
    .example.com TRUE /foo FALSE 2426364040 partial_path 1
    .example.com TRUE / FALSE 2426364040 general_path 1

    [scorriere@outrage src]$ ./curl -vvv -o /dev/null -b /tmp/broken_cookie "http://www.example.com/foo"
    * Trying 93.184.216.34...
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to www.example.com (93.184.216.34) port 80 (#0)
    > GET /foo HTTP/1.1
    > User-Agent: curl/7.41.0
    > Host: www.example.com
    > Accept: */*
    > Cookie: partial_path 1=; general_path 1=
    >
    < HTTP/1.1 404 Not Found
    < Accept-Ranges: bytes
    < Cache-Control: max-age=604800
    < Content-Type: text/html
    < Date: Fri, 13 Mar 2015 12:27:53 GMT
    < Etag: "359670651"
    < Expires: Fri, 20 Mar 2015 12:27:53 GMT
    < Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
    < Server: ECS (ewr/144C)
    < X-Cache: 404-HIT
    < x-ec-custom-error: 1
    < Content-Length: 1270
    <
    { [1270 bytes data]
    100  1270  100  1270    0     0  78696      0 --:--:-- --:--:-- --:--:-- 84666
    * Connection #0 to host www.example.com left intact

    [scorriere@outrage src]$ ./curl -vvv -o /dev/null -b /tmp/broken_cookie "http://www.example.com/foobar"
    * Trying 93.184.216.34...
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to www.example.com (93.184.216.34) port 80 (#0)
    > GET /foobar HTTP/1.1
    > User-Agent: curl/7.41.0
    > Host: www.example.com
    > Accept: */*
    > Cookie: general_path 1=
    >
    < HTTP/1.1 404 Not Found
    < Accept-Ranges: bytes
    < Cache-Control: max-age=604800
    < Content-Type: text/html
    < Date: Fri, 13 Mar 2015 12:27:59 GMT
    < Etag: "359670651"
    < Expires: Fri, 20 Mar 2015 12:27:59 GMT
    < Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
    < Server: ECS (ewr/15AB)
    < X-Cache: 404-HIT
    < x-ec-custom-error: 1
    < Content-Length: 1270
    <
    { [1270 bytes data]
    100  1270  100  1270    0     0  78657      0 --:--:-- --:--:-- --:--:-- 84666
    * Connection #0 to host www.example.com left intact

    [scorriere@outrage src]$ ./curl -vvv -o /dev/null -b /tmp/broken_cookie "http://www.example.com/foo/bar.html"
    * Trying 93.184.216.34...
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to www.example.com (93.184.216.34) port 80 (#0)
    > GET /foo/bar.html HTTP/1.1
    > User-Agent: curl/7.41.0
    > Host: www.example.com
    > Accept: */*
    > Cookie: full_path 1=; partial_path 1=; general_path 1=
    >
    < HTTP/1.1 404 Not Found
    < Accept-Ranges: bytes
    < Cache-Control: max-age=604800
    < Content-Type: text/html
    < Date: Fri, 13 Mar 2015 12:28:03 GMT
    < Etag: "359670651"
    < Expires: Fri, 20 Mar 2015 12:28:03 GMT
    < Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
    < Server: ECS (ewr/15CC)
    < X-Cache: 404-HIT
    < x-ec-custom-error: 1
    < Content-Length: 1270
    <
    { [1270 bytes data]
    100  1270  100  1270    0     0  80242      0 --:--:-- --:--:-- --:--:-- 84666
    * Connection #0 to host www.example.com left intact
    [scorriere@outrage src]$

**OS Version**

    cat /etc/redhat-release
    CentOS Linux release 6.0 (Final)
    [scorriere@outrage src]$ uname -a
    Linux outrage.verivue.com 2.6.32-71.el6.x86_64 #1 SMP Fri May 20 03:51:51 BST 2011 x86_64 x86_64 x86_64 GNU/Linux

**Curl Version**

    ./curl --version
    curl 7.41.0 (x86_64-unknown-linux-gnu) libcurl/7.41.0 OpenSSL/1.0.2 zlib/1.2.5 libidn/1.18 librtmp/2.3
    Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
    Features: IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets

Received on 2015-03-16
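The two path rules at issue in this ticket, side by side, as an added example that is not part of the original mail and is not curl's own code: the plain prefix rule quoted from cookie_spec.html, and the path-match rule of RFC 6265 section 5.1.4, which only accepts a prefix that ends on a "/" boundary and so keeps a cookie scoped to "/foo" away from the sibling path "/foobar". The function names are hypothetical, the cookie paths are the three from /tmp/broken_cookie, and treating an empty cookie path as a non-match is an assumption of this sketch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef bool (*path_rule)(const char *cookie_path, const char *request_path);

/* Rule quoted in the ticket from cookie_spec.html: plain string prefix. */
static bool netscape_path_match(const char *cookie_path, const char *request_path)
{
  return strncmp(cookie_path, request_path, strlen(cookie_path)) == 0;
}

/* RFC 6265 section 5.1.4: a prefix only counts on a '/' boundary. */
static bool rfc6265_path_match(const char *cookie_path, const char *request_path)
{
  size_t clen = strlen(cookie_path);
  if(clen == 0 || strncmp(cookie_path, request_path, clen) != 0)
    return false;                       /* empty (assumption) or not a prefix */
  if(request_path[clen] == '\0')
    return true;                        /* identical paths */
  if(cookie_path[clen - 1] == '/')
    return true;                        /* cookie path itself ends in '/' */
  return request_path[clen] == '/';     /* next request character is '/' */
}

/* Cookie paths from /tmp/broken_cookie in the ticket. */
static const char *const jar_paths[] = { "/foo/bar.html", "/foo", "/" };

/* Number of jar cookies a rule would attach to a request path. */
static int cookies_sent(path_rule rule, const char *request_path)
{
  int n = 0;
  for(size_t i = 0; i < sizeof(jar_paths) / sizeof(jar_paths[0]); i++)
    if(rule(jar_paths[i], request_path))
      n++;
  return n;
}

int main(void)
{
  /* The three request paths used in the ticket's curl runs. */
  const char *reqs[] = { "/foo", "/foobar", "/foo/bar.html" };
  for(size_t r = 0; r < sizeof(reqs) / sizeof(reqs[0]); r++)
    printf("%-14s netscape=%d rfc6265=%d\n", reqs[r],
           cookies_sent(netscape_path_match, reqs[r]),
           cookies_sent(rfc6265_path_match, reqs[r]));
  return 0;
}
```

The RFC 6265 counts agree with the Cookie headers in the three curl 7.41.0 traces above; the prefix rule differs only for "/foobar".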