From: Lars Ingebrigtsen <larsi@gnus.org>
To: Alain Schneble <a.s@realize.ch>
Cc: 24757@debbugs.gnu.org
Subject: bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
Date: Sun, 15 Apr 2018 21:47:35 +0200
Message-ID: <874lkc6ylk.fsf@mouse.gnus.org>
In-Reply-To: <8637jp64ow.fsf@realize.ch> (Alain Schneble's message of "Fri, 21 Oct 2016 18:35:11 +0200")

Alain Schneble <a.s@realize.ch> writes:

> Processing an HTTP response with a Set-Cookie header and HttpOnly
> attribute creates a phantom cookie with name HttpOnly. url-cookie.el
> (url-cookie-handle-set-cookie) handles the additional HttpOnly attribute
> as the name of an additional cookie, thus interpreting the Set-Cookie header
> value as if it contained multiple cookies. This is wrong. See also
> RFC6265 HTTP State Management Mechanism, section 4.1.2.6:
> https://www.rfc-editor.org/rfc/rfc6265.txt.
>
> Here's a recipe to reproduce this issue:
>
> - emacs -Q
> - Eval the following fragment:
>
>   (let ((file (make-temp-file "CookieHttpOnly")))
>     (with-temp-buffer
>       (insert
>        "(setq url-cookie-storage nil)\n"
>        "(setq url-cookie-secure-storage nil)")
>       (write-file file))
>     (setq url-cookie-file file)
>     (url-retrieve-synchronously "https://en.wikipedia.org/wiki/GNU_Guile")
>     (url-cookie-write-file)
>     (find-file file))
>
> - The visited cookies file should now contain two cookie entries:
>
>   ("en.wikipedia.org"
>    [url-cookie "WMF-Last-Access" "21-Oct-2016" "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t]
>    [url-cookie "HttpOnly" nil "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t])
>
>   => The second cookie entry is not expected.

I'm unable to reproduce this now, and I seem to vaguely remember this
being fixed a while ago? Are you still seeing this, Alain?

--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
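
Added example, not part of the original thread and not url-cookie.el code: an Emacs Lisp sketch of the attribute handling in RFC 6265 section 5.2, next to a simplified model of the misreading described in the report. The `demo-` function names, the fixed attribute list, the use of t for valueless flags and the header string are assumptions constructed for illustration.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example.  The `demo-' functions are hypothetical, not url-cookie.el code.
(require 'cl-lib)
(require 'subr-x)                       ; `string-trim' on older Emacs

(defun demo-parse-set-cookie (header)
  "Parse one Set-Cookie HEADER value along the lines of RFC 6265 section 5.2.
Return a plist (:name :value :attrs).  Only the first `name=value' pair is
the cookie; every later `;'-separated token is an attribute of that cookie."
  (let* ((parts (split-string header ";"))
         (pair (string-trim (car parts)))
         (eq-pos (string-match "=" pair))
         attrs)
    (unless (and eq-pos (> eq-pos 0))
      (error "No name=value pair in Set-Cookie value: %S" header))
    (dolist (av (cdr parts))
      (let* ((av (string-trim av))
             (pos (string-match "=" av)))
        (unless (string= av "")
          ;; Attribute names are case-insensitive.  Flags such as HttpOnly
          ;; and Secure carry no value and are recorded here as t.
          (push (cons (downcase (string-trim (substring av 0 pos)))
                      (if pos (string-trim (substring av (1+ pos))) t))
                attrs))))
    (list :name (string-trim (substring pair 0 eq-pos))
          :value (string-trim (substring pair (1+ eq-pos)))
          :attrs (nreverse attrs))))

(defun demo-naive-cookie-names (header)
  "Return token names of HEADER that a fixed attribute list does not cover.
This models the reported misreading: HttpOnly is not on the list."
  (let (names)
    (dolist (tok (split-string header ";" t))
      (let ((name (string-trim (car (split-string tok "=")))))
        (unless (member (downcase name)
                        '("expires" "max-age" "domain" "path" "secure"))
          (push name names))))
    (nreverse names)))

;; Constructed header, modelled on the cookie entry quoted in the report.
(let* ((hdr (concat "WMF-Last-Access=21-Oct-2016; Path=/; HttpOnly; secure; "
                    "Expires=Tue, 22 Nov 2016 12:00:00 GMT"))
       (cookie (demo-parse-set-cookie hdr)))
  (cl-assert (equal (demo-naive-cookie-names hdr)
                    '("WMF-Last-Access" "HttpOnly"))) ; phantom cookie
  (cl-assert (equal (plist-get cookie :name) "WMF-Last-Access"))
  (cl-assert (equal (plist-get cookie :value) "21-Oct-2016"))
  (cl-assert (eq t (cdr (assoc "httponly" (plist-get cookie :attrs)))))
  (cl-assert (eq t (cdr (assoc "secure" (plist-get cookie :attrs))))))
```

Evaluating the buffer in `emacs -Q` signals no error when all assertions hold. A check like the last two is what a cookie store needs if it is to honor HttpOnly rather than persist it as a second cookie.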