From: Noam Postavsky
Newsgroups: gmane.emacs.bugs
Subject: bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
Date: Wed, 06 Dec 2017 06:46:00 -0500
Message-ID: <87vahkf5af.fsf@users.sourceforge.net>
References: <8637jp64ow.fsf@realize.ch>
To: Alain Schneble, Katsumi Yamaoka
Cc: 24757@debbugs.gnu.org

Alain Schneble writes:

> Processing an HTTP response with a Set-Cookie header and HttpOnly
> attribute creates a phantom cookie with name HttpOnly. url-cookie.el
> (url-cookie-handle-set-cookie) handles the additional HttpOnly attribute
> as the name of an additional cookie, thus interpreting Set-Cookie header
> value as it would contain multiple cookies. This is wrong. See also
> RFC6265 HTTP State Management Mechanism, section 4.1.2.6:
> https://www.rfc-editor.org/rfc/rfc6265.txt.
>
> Here's a recipe to reproduce this issue:
>
> - emacs -Q
> - Eval the following fragment:
>   (let ((file (make-temp-file "CookieHttpOnly")))
>     (with-temp-buffer
>       (insert
>        "(setq url-cookie-storage nil)\n"
>        "(setq url-cookie-secure-storage nil)")
>       (write-file file))
>     (setq url-cookie-file file)
>     (url-retrieve-synchronously "https://en.wikipedia.org/wiki/GNU_Guile")
>     (url-cookie-write-file)
>     (find-file file))
> - The visited cookies file should now contain two cookie entries:
>   ("en.wikipedia.org"
>    [url-cookie "WMF-Last-Access" "21-Oct-2016" "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t]
>    [url-cookie "HttpOnly" nil "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t])
>   => The second cookie entry is not expected.

In emacs-26, as of [1: caa39f495c], the second cookie is not present,
but it looks like it unconditionally drops the HttpOnly attribute (and
all other attributes?). Is that the right thing?

[1: caa39f495c]: 2017-11-13 23:56:26 +0000
  Fix cookie handling (bug#29282)
  https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=caa39f495c0783dac2d5701100db83ea10f126c0
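
An added example, not part of the original message and not code from url-cookie.el: a sketch of parsing one Set-Cookie value along the lines of RFC 6265, section 5.2, where only the first name=value segment is the cookie and every later segment, including the valueless HttpOnly and Secure flags, is kept as an attribute of that cookie. The function name `my-parse-set-cookie' and the sample header are assumptions made for illustration.

```elisp
;; Added illustration; `my-parse-set-cookie' is a hypothetical helper,
;; not a function from url-cookie.el.
(require 'subr-x)                       ; for `string-trim'

(defun my-parse-set-cookie (header)
  "Parse the value of one Set-Cookie HEADER into a single cookie.
Return a plist (:name NAME :value VALUE :attributes ALIST), or nil
when the first segment is not a name=value pair with a non-empty name.
Attribute names are downcased; attributes without a value, such as
HttpOnly and Secure, get the value t.  ALIST lists the most recent
attribute first, so `assoc' returns the last occurrence of a repeated
attribute, which is the one RFC 6265 says wins."
  (let* ((segments (split-string header ";"))
         (pair (car segments))
         (eq-pos (string-match "=" pair)))
    (when eq-pos
      (let ((name (string-trim (substring pair 0 eq-pos)))
            (value (string-trim (substring pair (1+ eq-pos))))
            attributes)
        (unless (string= name "")
          ;; Everything after the first \";\" describes the same cookie;
          ;; none of it starts a new one.
          (dolist (seg (cdr segments))
            (let* ((pos (string-match "=" seg))
                   (attr (downcase
                          (string-trim (if pos (substring seg 0 pos) seg))))
                   (val (if pos (string-trim (substring seg (1+ pos))) t)))
              (unless (string= attr "")
                (push (cons attr val) attributes))))
          (list :name name :value value :attributes attributes))))))

;; Constructed sample header, modelled on the cookie in the report.
(let* ((header (concat "WMF-Last-Access=21-Oct-2016; Path=/; HttpOnly; "
                       "secure; Expires=Tue, 22 Nov 2016 12:00:00 GMT"))
       (cookie (my-parse-set-cookie header))
       (attrs (plist-get cookie :attributes)))
  ;; One cookie comes back, with the flags still attached to it.
  (list (plist-get cookie :name)
        (cdr (assoc "httponly" attrs))
        (cdr (assoc "secure" attrs))
        (cdr (assoc "expires" attrs))))
```

Evaluating the final form in a scratch buffer shows the cookie name alongside the retained HttpOnly, Secure and Expires attributes, so a cookie store built on this shape can record the flags rather than discard them.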