History log of /curl/lib/cookie.c (Results 76 – 100 of 299)
Revision tags: curl-7_67_0
# 249541f1 03-Oct-2019 Daniel Stenberg

cookies: change argument type for Curl_flush_cookies

The second argument is really a 'bool' so use that and pass in TRUE/FALSE
to make it clear.

Closes #4455


# 13ecc072 03-Oct-2019 Paul Dreik

cookie: avoid harmless use after free

This fix removes a use after free which can be triggered by
the internal cookie fuzzer, but otherwise is probably
impossible to trigger from an ordinary application.

The following program reproduces it:

curl_global_init(CURL_GLOBAL_DEFAULT);
CURL* handle=curl_easy_init();
CookieInfo* info=Curl_cookie_init(handle,NULL,NULL,false);
curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null");
Curl_flush_cookies(handle, true);
Curl_cookie_cleanup(info);
curl_easy_cleanup(handle);
curl_global_cleanup();

This was found through fuzzing.

Closes #4454


# d0a7ee3f 27-Sep-2019 Daniel Stenberg

cookies: using a share with cookies shouldn't enable the cookie engine

The 'share object' only sets the storage area for cookies. The "cookie
engine" still needs to be enabled or activated using the normal cookie
options.

This caused the curl command line tool to accidentally use cookies
without having been told to, since curl switched to using shared cookies
in 7.66.0.

Test 1166 verifies

Updated test 506

Fixes #4429
Closes #4434


# 0801343e 18-Sep-2019 Daniel Stenberg

cookie: pass in the correct cookie amount to qsort()

As the loop discards cookies without domain set. This bug would lead to
qsort() trying to sort uninitialized pointers. We have however not found
it a security problem.

Reported-by: Paul Dreik
Closes #4386


Revision tags: curl-7_66_0
# ec3f6f1c 19-Jul-2019 Daniel Stenberg

source: remove names from source comments

Several reasons:

- we can't add everyone who's helping out so it's unfair to just a few
selected ones.
- we already list all helpers in THANKS and in RELEASE-NOTES for each
release
- we don't want to give the impression that some parts of the code are
"owned" or "controlled" by specific persons

Assisted-by: Daniel Gustafsson
Closes #4129


Revision tags: curl-7_65_3, curl-7_65_2
# cf4255c8 03-Jul-2019 Gergely Nagy

lib: Use UTF-8 encoding in comments

Some editors and IDEs assume that source files use UTF-8 file encodings.
It also fixes the build with MSVC when /utf-8 command line option is
used (this option is mandatory for some other open-source projects, this
is useful when using the same options is desired for building all
libraries of a project).

Closes https://github.com/curl/curl/pull/4087


Revision tags: curl-7_65_1, curl-7_65_0
# 10db3ef2 11-May-2019 Marcel Raad

lib: reduce variable scopes

Fixes Codacy/CppCheck warnings.

Closes https://github.com/curl/curl/pull/3872


# b45fd893 01-May-2019 Daniel Gustafsson

cookie: Guard against possible NULL ptr deref

In case the name pointer isn't set (due to memory pressure most likely)
we need to skip the prefix matching and reject with a badcookie to avoid
a possible NULL pointer dereference.

Closes #3820 #3821
Reported-by: Jonathan Moerman
Reviewed-by: Daniel Stenberg <daniel@haxx.se>


# 060f870b 30-Mar-2019 Po-Chuan Hsieh

altsvc: Fix building with cookies disabled

ALTSVC requires Curl_get_line which is defined in lib/cookie.c inside a #if
check of HTTP and COOKIES. That makes Curl_get_line undefined if COOKIES is
disabled. Fix by splitting out the function into a separate file which can
be included where needed.

Closes #3717
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>


Revision tags: curl-7_64_1
# 299d9660 08-Mar-2019 Daniel Stenberg

Revert "cookies: extend domain checks to non psl builds"

This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0.

Regression shipped in 7.64.0
Fixes #3649


# e1be8254 03-Mar-2019 Daniel Stenberg

alt-svc: the libcurl bits


# eb433389 26-Feb-2019 Daniel Stenberg

cookies: only save the cookie file if the engine is enabled

Follow-up to 8eddb8f4259.

If the cookieinfo pointer is NULL there really is nothing to save.

Without this fix, we got a problem when a handle was using shared object
with cookies and is told to "FLUSH" it to file (which worked) and then
the share object was removed and when the easy handle was closed just
afterwards it has no cookieinfo and no cookies so it decided to save an
empty jar (overwriting the file just flushed).

Test 1905 now verifies that this works.

Assisted-by: Michael Wallner
Assisted-by: Marcel Raad

Closes #3621


# 8eddb8f4 25-Feb-2019 Michael Wallner

cookies: fix NULL dereference if flushing cookies with no CookieInfo set

Regression brought by a52e46f3900fb0 (shipped in 7.63.0)

Closes #3613


# e6522522 16-Feb-2019 Daniel Gustafsson

cookie: Add support for cookie prefixes

The draft-ietf-httpbis-rfc6265bis-02 draft specifies a set of prefixes
and how they should affect cookie initialization, which has been
adopted by the major browsers. This adds support for the two prefixes
defined, __Host- and __Secure, and updates the testcase with the
supplied examples from the draft.

Closes #3554
Reviewed-by: Daniel Stenberg <daniel@haxx.se>


Revision tags: curl-7_64_0
# c54ee668 14-Jan-2019 Frank Gevaerts

cookie: fix comment typo (url_path_len -> uri_path_len)

Closes #3469


# afeb8d99 09-Jan-2019 Daniel Stenberg

cookies: allow secure override when done over HTTPS

Added test 1562 to verify.

Reported-by: Jeroen Ooms
Fixes #3445
Closes #3450


# 3773de37 19-Dec-2018 Daniel Gustafsson

cookies: extend domain checks to non psl builds

Ensure to perform the checks we have to enforce a sane domain in
the cookie request. The check for non-PSL enabled builds is quite
basic but it's better than nothing.

Closes #2964
Reviewed-by: Daniel Stenberg <daniel@haxx.se>


# 7a09b52c 13-Dec-2018 Daniel Gustafsson

cookies: leave secure cookies alone

Only allow secure origins to be able to write cookies with the
'secure' flag set. This reduces the risk of non-secure origins
to influence the state of secure origins. This implements IETF
Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates
RFC6265.

Closes #2956
Reviewed-by: Daniel Stenberg <daniel@haxx.se>


Revision tags: curl-7_63_0
# 1e9abfed 08-Dec-2018 Daniel Stenberg

cookies: expire "Max-Age=0" immediately

Reported-by: Jeroen Ooms
Fixes #3351
Closes #3352


# a52e46f3 22-Nov-2018 Daniel Stenberg

cookies: create the cookiejar even if no cookies to save

Important for when the file is going to be read again and thus must not
contain old contents!

Adds test 327 to verify.

Reported-by: daboul on github
Fixes #3299
Closes #3300


Revision tags: curl-7_62_0
# 2099dde2 09-Sep-2018 Daniel Gustafsson

cookies: Move failure case label to end of function

Rather than jumping backwards to where failure cleanup happens
to be performed, move the failure case to end of the function
where it is expected per existing coding convention.

Closes #2965


# 6e054623 08-Sep-2018 Daniel Gustafsson

cookies: fix leak when writing cookies to file

If the formatting fails, we error out on a fatal error and
clean up on the way out. The array was however freed within
the wrong scope and was thus never freed in case the cookies
were written to a file instead of STDOUT.

Closes #2957


# c3654df1 09-Sep-2018 Daniel Gustafsson

cookies: Remove redundant expired check

Expired cookies have already been purged at a later expiration time
before this check, so remove the redundant check.

closes #2962


Revision tags: curl-7_61_1
# 1a890997 31-Aug-2018 Daniel Stenberg

all: s/int/size_t cleanup

Assisted-by: Rikard Falkeborn

Closes #2922


# e2ef8d6f 28-Aug-2018 Daniel Gustafsson

cookies: support creation-time attribute for cookies

According to RFC6265 section 5.4, cookies with equal path lengths
SHOULD be sorted by creation-time (earlier first). This adds a
creation-time record to the cookie struct in order to make cookie
sorting more deterministic. The creation-time is defined as the
order of the cookies in the jar, the first cookie read from the
jar being the oldest. The creation-time is thus not serialized
into the jar. Also remove the strcmp() matching in the sorting as
there is no lexicographic ordering in RFC6265. Existing tests are
updated to match.

Closes #2524
