#
b1b326ec |
| 11-Apr-2023 |
Daniel Stenberg |
cookie: clarify that init with data set to NULL reads no file ... and make Curl_cookie_add() require 'data' being set proper with an assert. The function has not worked with a N
cookie: clarify that init with data set to NULL reads no file ... and make Curl_cookie_add() require 'data' being set proper with an assert. The function has not worked with a NULL data for quite some time so this just corrects the code and comment. This is a different take than the proposed fixed in #10927 Reported-by: Kvarec Lezki Ref: #10929 Closes #10930
show more ...
|
#
45d4bf5a |
| 05-Mar-2023 |
Daniel Stenberg |
cookie: don't load cookies again when flushing Reported-by: Sergio Mijatovic Fixes #10677 Closes #10685
|
#
ac5ea7b6 |
| 20-Feb-2023 |
Daniel Stenberg |
cookie: parse without sscanf() Saves us from using 2*4096 bytes buffers on stack, the extra copies and more. Closes #10550
|
#
9caa7bc9 |
| 01-Feb-2023 |
Kvarec Lezki |
cookies: fp is always not NULL Closes #10383
|
#
2bc1d775 |
| 02-Jan-2023 |
Daniel Stenberg |
copyright: update all copyright lines and remove year ranges - they are mostly pointless in all major jurisdictions - many big corporations and projects already don't use them - save
copyright: update all copyright lines and remove year ranges - they are mostly pointless in all major jurisdictions - many big corporations and projects already don't use them - saves us from pointless churn - git keeps history for us - the year range is kept in COPYING checksrc is updated to allow non-year using copyright statements Closes #10205
show more ...
|
#
af5999a6 |
| 22-Dec-2022 |
Daniel Stenberg |
urldata: move the cookefilelist to the 'set' struct The cookiefile entries are set into the handle and should remain set for the lifetime of the handle so that duplicating it also duplic
urldata: move the cookefilelist to the 'set' struct The cookiefile entries are set into the handle and should remain set for the lifetime of the handle so that duplicating it also duplicates the list. Therefore, the struct field is moved from 'state' to 'set'. Fixes #10133 Closes #10134
show more ...
|
#
73d6f414 |
| 02-Dec-2022 |
Daniel Stenberg |
cookie: open cookie jar as a binary file On Windows there is a difference and for text files, ^Z means end of file which is not desirable. Ref: #9973 Closes #10017
|
#
cc3d517e |
| 17-Nov-2022 |
Daniel Stenberg |
cookie: expire cookies at once when max-age is negative Update test 329 to verify Reported-by: godmar on github Fixes #9930 Closes #9932
|
#
f151ec6c |
| 28-Oct-2022 |
Rose <83477269+AtariDreams@users.noreply.github.com> |
lib: fix some type mismatches and remove unneeded typecasts Many of these castings are unneeded if we change the variables to work better with each other. Ref: https://github.co
lib: fix some type mismatches and remove unneeded typecasts Many of these castings are unneeded if we change the variables to work better with each other. Ref: https://github.com/curl/curl/pull/9823 Closes https://github.com/curl/curl/pull/9835
show more ...
|
#
14061f78 |
| 07-Nov-2022 |
Daniel Stenberg |
cookie: compare cookie prefixes case insensitively Adapted to language in rfc6265bis draft-11. Closes #9863 Reviewed-by: Daniel Gustafsson
|
#
4484270a |
| 26-Oct-2022 |
Ayesh Karunaratne |
misc: typo and grammar fixes - Replace `Github` with `GitHub`. - Replace `windows` with `Windows` - Replace `advice` with `advise` where a verb is used. - A few fixes on removing
misc: typo and grammar fixes - Replace `Github` with `GitHub`. - Replace `windows` with `Windows` - Replace `advice` with `advise` where a verb is used. - A few fixes on removing repeated words. - Replace `a HTTP` with `an HTTP` Closes #9802
show more ...
|
#
8f384577 |
| 24-Oct-2022 |
Daniel Gustafsson |
cookies: optimize control character check When checking for invalid octets the strcspn() call will return the position of the first found invalid char or the first NULL byte. This me
cookies: optimize control character check When checking for invalid octets the strcspn() call will return the position of the first found invalid char or the first NULL byte. This means that we can check the indicated position in the search- string saving a strlen() call. Closes: #9736 Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
show more ...
|
#
bfe9b59b |
| 05-Oct-2022 |
Daniel Stenberg |
cookie: reject cookie names or content with TAB characters TABs in name and content seem allowed by RFC 6265: "the algorithm strips leading and trailing whitespace from the cookie name a
cookie: reject cookie names or content with TAB characters TABs in name and content seem allowed by RFC 6265: "the algorithm strips leading and trailing whitespace from the cookie name and value (but maintains internal whitespace)" Cookies with TABs in the names are rejected by Firefox and Chrome. TABs in content are stripped out by Firefox, while Chrome discards the whole cookie. TABs in cookies also cause issues in saved netscape cookie files. Reported-by: Trail of Bits URL: https://curl.se/mail/lib-2022-10/0032.html URL: https://github.com/httpwg/http-extensions/issues/2262 Closes #9659
show more ...
|
#
8dfc93e5 |
| 28-Aug-2022 |
Daniel Stenberg |
cookie: reject cookies with "control bytes" Rejects 0x01 - 0x1f (except 0x09) plus 0x7f Reported-by: Axel Chong Bug: https://curl.se/docs/CVE-2022-35252.html CVE-2
cookie: reject cookies with "control bytes" Rejects 0x01 - 0x1f (except 0x09) plus 0x7f Reported-by: Axel Chong Bug: https://curl.se/docs/CVE-2022-35252.html CVE-2022-35252 Closes #9381
show more ...
|
#
4c0ac2aa |
| 18-Jul-2022 |
Daniel Stenberg |
cookie: treat a blank domain in Set-Cookie: as non-existing This matches what RFC 6265 section 5.2.3 says. Extended test 31 to verify. Fixes #9164 Reported-by: Gwen Sha
cookie: treat a blank domain in Set-Cookie: as non-existing This matches what RFC 6265 section 5.2.3 says. Extended test 31 to verify. Fixes #9164 Reported-by: Gwen Shapira Closes #9177
show more ...
|
#
c5f3c47c |
| 04-Jul-2022 |
Daniel Stenberg |
cookie: use %zu to infof() for size_t values Detected by Coverity. CID 1507051 Closes #9095
|
#
20f9dd6b |
| 25-May-2022 |
Daniel Stenberg |
fopen: add Curl_fopen() for better overwriting of files Bug: https://curl.se/docs/CVE-2022-32207.html CVE-2022-32207 Reported-by: Harry Sintonen Closes #9050
|
#
48d7064a |
| 26-Jun-2022 |
Daniel Stenberg |
cookie: apply limits - Send no more than 150 cookies per request - Cap the max length used for a cookie: header to 8K - Cap the max number of received Set-Cookie: headers to 50
cookie: apply limits - Send no more than 150 cookies per request - Cap the max length used for a cookie: header to 8K - Cap the max number of received Set-Cookie: headers to 50 Bug: https://curl.se/docs/CVE-2022-32205.html CVE-2022-32205 Reported-by: Harry Sintonen Closes #9048
show more ...
|
#
ad9bc597 |
| 17-May-2022 |
max.mehl |
copyright: make repository REUSE compliant Add licensing and copyright information for all files in this repository. This either happens in the file itself as a comment header or in the
copyright: make repository REUSE compliant Add licensing and copyright information for all files in this repository. This either happens in the file itself as a comment header or in the file `.reuse/dep5`. This commit also adds a Github workflow to check pull requests and adapts copyright.pl to the changes. Closes #8869
show more ...
|
#
739275a1 |
| 30-May-2022 |
Daniel Gustafsson |
cookies: fix documentation comment Commit 4073cd83b2 added the noexpire parameter to Curl_cookie_add but missed updating the documentation comment at the head of the file.
|
#
dcaae6bb |
| 24-May-2022 |
Daniel Stenberg |
cookie: fix false positive "potentially uninitialized local variable" Reviewed-by: Daniel Gustafsson Closes #8903
|
#
e9a8451a |
| 19-May-2022 |
Harry Sintonen |
cookie: address secure domain overlay Bug: https://hackerone.com/reports/1560324 Co-authored-by: Daniel Stenberg Closes #8840
|
#
7e92d12b |
| 09-May-2022 |
Daniel Stenberg |
cookies: make bad_domain() not consider a trailing dot fine The check for a dot in the domain must not consider a single trailing dot to be fine, as then TLD + trailing dot is fine and c
cookies: make bad_domain() not consider a trailing dot fine The check for a dot in the domain must not consider a single trailing dot to be fine, as then TLD + trailing dot is fine and curl will accept setting cookies for it. CVE-2022-27779 Reported-by: Axel Chong Bug: https://curl.se/docs/CVE-2022-27779.html Closes #8820
show more ...
|
#
4ec0549c |
| 25-Apr-2022 |
Daniel Stenberg |
misc: update copyright year ranges
|
#
a6cdfd24 |
| 20-Apr-2022 |
Daniel Gustafsson |
cookies: Improve errorhandling for reading cookiefile The existing programming had some issues with errorhandling for reading the cookie file. If the file failed to open, we would silent
cookies: Improve errorhandling for reading cookiefile The existing programming had some issues with errorhandling for reading the cookie file. If the file failed to open, we would silently ignore it and continue as if there was no file (or stdin) passed. In this case, we would also call fclose() on the NULL FILE pointer, which is undefined behavior. Fix by ensuring that the FILE pointer is set before calling fclose on it, and issue a warning in case the file cannot be opened. Erroring out on nonexisting file would break backwards compatibility of very old behavior so we can't really go there. Closes: #8699 Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
show more ...
|