unofficial mirror of bug-gnu-emacs@gnu.org 
From: Noam Postavsky <npostavs@users.sourceforge.net>
To: Alain Schneble <a.s@realize.ch>, Katsumi Yamaoka <yamaoka@jpl.org>
Cc: 24757@debbugs.gnu.org
Subject: bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
Date: Wed, 06 Dec 2017 06:46:00 -0500
Message-ID: <87vahkf5af.fsf@users.sourceforge.net>
In-Reply-To: <8637jp64ow.fsf@realize.ch> (Alain Schneble's message of "Fri, 21 Oct 2016 18:35:11 +0200")

Alain Schneble <a.s@realize.ch> writes:

> Processing an HTTP response with a Set-Cookie header and HttpOnly
> attribute creates a phantom cookie with name HttpOnly.  url-cookie.el
> (url-cookie-handle-set-cookie) handles the additional HttpOnly attribute
> as the name of an additional cookie, thus interpreting Set-Cookie header
> value as if it contained multiple cookies.  This is wrong.  See also
> RFC6265 HTTP State Management Mechanism, section 4.1.2.6:
> https://www.rfc-editor.org/rfc/rfc6265.txt.
>
> Here's a recipe to reproduce this issue:
>
> - emacs -Q
> - Eval the following fragment:
>   (let ((file (make-temp-file "CookieHttpOnly")))
>     (with-temp-buffer
>       (insert
>        "(setq url-cookie-storage nil)\n"
>        "(setq url-cookie-secure-storage nil)")
>       (write-file file))
>     (setq url-cookie-file file)
>     (url-retrieve-synchronously "https://en.wikipedia.org/wiki/GNU_Guile")
>     (url-cookie-write-file)
>     (find-file file))
> - The visited cookies file should now contain two cookie entries:
>   ("en.wikipedia.org"
>         [url-cookie "WMF-Last-Access" "21-Oct-2016" "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t]
>         [url-cookie "HttpOnly" nil "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t])
>   => The second cookie entry is not expected.

In emacs-26, as of [1: caa39f495c], the second cookie is not present,
but it looks like it unconditionally drops the HttpOnly attribute (and
all other attributes?).  Is that the right thing?

[1: caa39f495c]: 2017-11-13 23:56:26 +0000
  Fix cookie handling (bug#29282)
  https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=caa39f495c0783dac2d5701100db83ea10f126c0


Thread overview:
2016-10-21 16:35 bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly Alain Schneble
2016-10-22 13:58 ` Alain Schneble
2017-12-06 11:46 ` Noam Postavsky [this message]
2017-12-06 22:47   ` Katsumi Yamaoka
2018-04-15 19:47 ` Lars Ingebrigtsen
2018-07-31  2:08   ` Noam Postavsky