From: Alain Schneble
Newsgroups: gmane.emacs.bugs
Subject: bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
Date: Fri, 21 Oct 2016 18:35:11 +0200
Message-ID: <8637jp64ow.fsf@realize.ch>
To: 24757@debbugs.gnu.org
Processing an HTTP response with a Set-Cookie header carrying the HttpOnly attribute creates a phantom cookie with the name HttpOnly. url-cookie.el (url-cookie-handle-set-cookie) handles the additional HttpOnly attribute as the name of an additional cookie, thus interpreting the Set-Cookie header value as if it contained multiple cookies. This is wrong. See also RFC 6265, HTTP State Management Mechanism, section 4.1.2.6: https://www.rfc-editor.org/rfc/rfc6265.txt
Here's a recipe to reproduce this issue:

- emacs -Q
- Eval the following fragment:

  (let ((file (make-temp-file "CookieHttpOnly")))
    ;; Start from an empty cookie store so only the new cookies are written.
    (with-temp-buffer
      (insert "(setq url-cookie-storage nil)\n"
              "(setq url-cookie-secure-storage nil)")
      (write-file file))
    (setq url-cookie-file file)
    (url-retrieve-synchronously "https://en.wikipedia.org/wiki/GNU_Guile")
    (url-cookie-write-file)
    (find-file file))

- The visited cookies file should now contain two cookie entries:

  ("en.wikipedia.org"
   [url-cookie "WMF-Last-Access" "21-Oct-2016" "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t]
   [url-cookie "HttpOnly" nil "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t])

  => The second cookie entry is not expected.

I would be happy to arrange a patch to solve this issue, but would like first to discuss which approach to choose:

1. Simply ignore any HttpOnly attribute/flag on a Set-Cookie header value.
2. Extend the url-cookie cl-defstruct to contain an additional slot HTTPONLY. Its value would be t if the HttpOnly attribute was detected in the Set-Cookie header value, nil otherwise.

I could live with both. What would you prefer?
Alain

In GNU Emacs 25.1.50.1 (x86_64-w64-mingw32) of 2016-09-27 built on MYNGB
Repository revision: bbf1ffd7c74bdf3ea766580788f7f4adb98a47f0
Windowing system distributor 'Microsoft Corp.', version 10.0.10586
Configured using:
 'configure --prefix /c/usr/bin/emacs-25.1 --without-imagemagick'

Configured features:
XPM JPEG TIFF GIF PNG RSVG SOUND NOTIFY ACL GNUTLS LIBXML2 ZLIB TOOLKIT_SCROLL_BARS

Important settings:
  value of $LANG: DES
  locale-coding-system: cp1252

Major mode: Emacs-Lisp
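As an added illustration of approach 2 (not code from url-cookie.el or from the reporter): a minimal Set-Cookie parser in which HttpOnly is a flag slot on the single cookie rather than the name of a second cookie. The struct, the function names and the header string are constructed for this example.

```elisp
;; Added example, not code from url-cookie.el: a minimal parser for one
;; Set-Cookie header value along the lines of RFC 6265 section 5.2.
;; The text before the first ";" is the cookie-pair; everything after it
;; is an attribute.  Secure and HttpOnly carry no value and are flags on
;; the one cookie, which is why approach 2 from the report (an extra
;; HTTPONLY slot) is modelled here.  All names are hypothetical.
(require 'cl-lib)
(require 'subr-x)

(cl-defstruct (demo-cookie (:constructor demo-cookie-create))
  name value expires domain path secure httponly)

(defun demo-parse-set-cookie (header-value)
  "Parse HEADER-VALUE, one Set-Cookie header, into a `demo-cookie'.
Return nil when the cookie-pair has an empty name, as RFC 6265 requires."
  (let* ((parts (mapcar #'string-trim (split-string header-value ";")))
         (pair (split-string (car parts) "="))
         (name (string-trim (car pair)))
         ;; Re-join so a value containing "=" (e.g. base64) survives.
         (value (string-trim (mapconcat #'identity (cdr pair) "="))))
    (unless (string-empty-p name)
      (let ((cookie (demo-cookie-create :name name :value value)))
        (dolist (attr (cdr parts) cookie)
          ;; "Path=/" -> ("Path" "/"); "HttpOnly" -> ("HttpOnly"), no value.
          (let* ((kv (split-string attr "="))
                 (key (downcase (string-trim (car kv))))
                 (val (string-trim (mapconcat #'identity (cdr kv) "="))))
            (pcase key
              ("expires"  (setf (demo-cookie-expires cookie) val))
              ("domain"   (setf (demo-cookie-domain cookie) val))
              ("path"     (setf (demo-cookie-path cookie) val))
              ("secure"   (setf (demo-cookie-secure cookie) t))
              ("httponly" (setf (demo-cookie-httponly cookie) t))
              ;; Unknown attributes are ignored, never turned into cookies.
              (_ nil))))))))

;; Constructed header matching the stored entry in the report.  Evaluate
;; in *scratch* with C-j: the result is a single cookie whose HTTPONLY
;; and SECURE slots are t; no second "HttpOnly" cookie appears.
(let ((c (demo-parse-set-cookie
          (concat "WMF-Last-Access=21-Oct-2016; Path=/; HttpOnly; secure;"
                  " Expires=Tue, 22 Nov 2016 12:00:00 GMT"))))
  (list (demo-cookie-name c) (demo-cookie-value c)
        (demo-cookie-httponly c) (demo-cookie-secure c)))
```

A client that keeps the HTTPONLY slot can also refuse to expose such cookies to anything other than the HTTP layer, which is the protection the attribute exists to provide.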