123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728 |
- /***************************************************************************
- * _ _ ____ _
- * Project ___| | | | _ \| |
- * / __| | | | |_) | |
- * | (__| |_| | _ <| |___
- * \___|\___/|_| \_\_____|
- *
- * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
- *
- * This software is licensed as described in the file COPYING, which
- * you should have received as part of this distribution. The terms
- * are also available at https://curl.se/docs/copyright.html.
- *
- * You may opt to use, copy, modify, merge, publish, distribute and/or sell
- * copies of the Software, and permit persons to whom the Software is
- * furnished to do so, under the terms of the COPYING file.
- *
- * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
- * KIND, either express or implied.
- *
- * SPDX-License-Identifier: curl
- *
- ***************************************************************************/
- /***
- RECEIVING COOKIE INFORMATION
- ============================
- Curl_cookie_init()
- Inits a cookie struct to store data in a local file. This is always
- called before any cookies are set.
- Curl_cookie_add()
- Adds a cookie to the in-memory cookie jar.
- SENDING COOKIE INFORMATION
- ==========================
- Curl_cookie_getlist()
- For a given host and path, return a linked list of cookies that
- the client should send to the server if used now. The secure
- boolean informs the cookie if a secure connection is achieved or
- not.
- It shall only return cookies that have not expired.
- Example set of cookies:
- Set-cookie: PRODUCTINFO=webxpress; domain=.fidelity.com; path=/; secure
- Set-cookie: PERSONALIZE=none;expires=Monday, 13-Jun-1988 03:04:55 GMT;
- domain=.fidelity.com; path=/ftgw; secure
- Set-cookie: FidHist=none;expires=Monday, 13-Jun-1988 03:04:55 GMT;
- domain=.fidelity.com; path=/; secure
- Set-cookie: FidOrder=none;expires=Monday, 13-Jun-1988 03:04:55 GMT;
- domain=.fidelity.com; path=/; secure
- Set-cookie: DisPend=none;expires=Monday, 13-Jun-1988 03:04:55 GMT;
- domain=.fidelity.com; path=/; secure
- Set-cookie: FidDis=none;expires=Monday, 13-Jun-1988 03:04:55 GMT;
- domain=.fidelity.com; path=/; secure
- Set-cookie:
- Session_Key@6791a9e0-901a-11d0-a1c8-9b012c88aa77=none;expires=Monday,
- 13-Jun-1988 03:04:55 GMT; domain=.fidelity.com; path=/; secure
- ****/
- #include "curl_setup.h"
- #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_COOKIES)
- #include "urldata.h"
- #include "cookie.h"
- #include "psl.h"
- #include "strtok.h"
- #include "sendf.h"
- #include "slist.h"
- #include "share.h"
- #include "strtoofft.h"
- #include "strcase.h"
- #include "curl_get_line.h"
- #include "curl_memrchr.h"
- #include "parsedate.h"
- #include "rename.h"
- #include "fopen.h"
- #include "strdup.h"
- #include "llist.h"
- /* The last 3 #include files should be in this order */
- #include "curl_printf.h"
- #include "curl_memory.h"
- #include "memdebug.h"
- static void strstore(char **str, const char *newstr, size_t len);
- static void freecookie(struct Cookie *co)
- {
- free(co->domain);
- free(co->path);
- free(co->spath);
- free(co->name);
- free(co->value);
- free(co);
- }
- static bool cookie_tailmatch(const char *cookie_domain,
- size_t cookie_domain_len,
- const char *hostname)
- {
- size_t hostname_len = strlen(hostname);
- if(hostname_len < cookie_domain_len)
- return FALSE;
- if(!strncasecompare(cookie_domain,
- hostname + hostname_len-cookie_domain_len,
- cookie_domain_len))
- return FALSE;
- /*
- * A lead char of cookie_domain is not '.'.
- * RFC6265 4.1.2.3. The Domain Attribute says:
- * For example, if the value of the Domain attribute is
- * "example.com", the user agent will include the cookie in the Cookie
- * header when making HTTP requests to example.com, www.example.com, and
- * www.corp.example.com.
- */
- if(hostname_len == cookie_domain_len)
- return TRUE;
- if('.' == *(hostname + hostname_len - cookie_domain_len - 1))
- return TRUE;
- return FALSE;
- }
- /*
- * matching cookie path and URL path
- * RFC6265 5.1.4 Paths and Path-Match
- */
- static bool pathmatch(const char *cookie_path, const char *request_uri)
- {
- size_t cookie_path_len;
- size_t uri_path_len;
- char *uri_path = NULL;
- char *pos;
- bool ret = FALSE;
- /* cookie_path must not have last '/' separator. ex: /sample */
- cookie_path_len = strlen(cookie_path);
- if(1 == cookie_path_len) {
- /* cookie_path must be '/' */
- return TRUE;
- }
- uri_path = strdup(request_uri);
- if(!uri_path)
- return FALSE;
- pos = strchr(uri_path, '?');
- if(pos)
- *pos = 0x0;
- /* #-fragments are already cut off! */
- if(0 == strlen(uri_path) || uri_path[0] != '/') {
- strstore(&uri_path, "/", 1);
- if(!uri_path)
- return FALSE;
- }
- /*
- * here, RFC6265 5.1.4 says
- * 4. Output the characters of the uri-path from the first character up
- * to, but not including, the right-most %x2F ("/").
- * but URL path /hoge?fuga=xxx means /hoge/index.cgi?fuga=xxx in some site
- * without redirect.
- * Ignore this algorithm because /hoge is uri path for this case
- * (uri path is not /).
- */
- uri_path_len = strlen(uri_path);
- if(uri_path_len < cookie_path_len) {
- ret = FALSE;
- goto pathmatched;
- }
- /* not using checkprefix() because matching should be case-sensitive */
- if(strncmp(cookie_path, uri_path, cookie_path_len)) {
- ret = FALSE;
- goto pathmatched;
- }
- /* The cookie-path and the uri-path are identical. */
- if(cookie_path_len == uri_path_len) {
- ret = TRUE;
- goto pathmatched;
- }
- /* here, cookie_path_len < uri_path_len */
- if(uri_path[cookie_path_len] == '/') {
- ret = TRUE;
- goto pathmatched;
- }
- ret = FALSE;
- pathmatched:
- free(uri_path);
- return ret;
- }
- /*
- * Return the top-level domain, for optimal hashing.
- */
- static const char *get_top_domain(const char * const domain, size_t *outlen)
- {
- size_t len = 0;
- const char *first = NULL, *last;
- if(domain) {
- len = strlen(domain);
- last = memrchr(domain, '.', len);
- if(last) {
- first = memrchr(domain, '.', (last - domain));
- if(first)
- len -= (++first - domain);
- }
- }
- if(outlen)
- *outlen = len;
- return first ? first : domain;
- }
- /* Avoid C1001, an "internal error" with MSVC14 */
- #if defined(_MSC_VER) && (_MSC_VER == 1900)
- #pragma optimize("", off)
- #endif
- /*
- * A case-insensitive hash for the cookie domains.
- */
- static size_t cookie_hash_domain(const char *domain, const size_t len)
- {
- const char *end = domain + len;
- size_t h = 5381;
- while(domain < end) {
- size_t j = (size_t)Curl_raw_toupper(*domain++);
- h += h << 5;
- h ^= j;
- }
- return (h % COOKIE_HASH_SIZE);
- }
- #if defined(_MSC_VER) && (_MSC_VER == 1900)
- #pragma optimize("", on)
- #endif
- /*
- * Hash this domain.
- */
- static size_t cookiehash(const char * const domain)
- {
- const char *top;
- size_t len;
- if(!domain || Curl_host_is_ipnum(domain))
- return 0;
- top = get_top_domain(domain, &len);
- return cookie_hash_domain(top, len);
- }
- /*
- * cookie path sanitize
- */
- static char *sanitize_cookie_path(const char *cookie_path)
- {
- size_t len;
- char *new_path = strdup(cookie_path);
- if(!new_path)
- return NULL;
- /* some stupid site sends path attribute with '"'. */
- len = strlen(new_path);
- if(new_path[0] == '\"') {
- memmove(new_path, new_path + 1, len);
- len--;
- }
- if(len && (new_path[len - 1] == '\"')) {
- new_path[--len] = 0x0;
- }
- /* RFC6265 5.2.4 The Path Attribute */
- if(new_path[0] != '/') {
- /* Let cookie-path be the default-path. */
- strstore(&new_path, "/", 1);
- return new_path;
- }
- /* convert /hoge/ to /hoge */
- if(len && new_path[len - 1] == '/') {
- new_path[len - 1] = 0x0;
- }
- return new_path;
- }
- /*
- * Load cookies from all given cookie files (CURLOPT_COOKIEFILE).
- *
- * NOTE: OOM or cookie parsing failures are ignored.
- */
- void Curl_cookie_loadfiles(struct Curl_easy *data)
- {
- struct curl_slist *list = data->state.cookielist;
- if(list) {
- Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
- while(list) {
- struct CookieInfo *ci =
- Curl_cookie_init(data, list->data, data->cookies,
- data->set.cookiesession);
- if(!ci)
- /*
- * Failure may be due to OOM or a bad cookie; both are ignored
- * but only the first should be
- */
- infof(data, "ignoring failed cookie_init for %s", list->data);
- else
- data->cookies = ci;
- list = list->next;
- }
- Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
- }
- }
- /*
- * strstore
- *
- * A thin wrapper around strdup which ensures that any memory allocated at
- * *str will be freed before the string allocated by strdup is stored there.
- * The intended usecase is repeated assignments to the same variable during
- * parsing in a last-wins scenario. The caller is responsible for checking
- * for OOM errors.
- */
- static void strstore(char **str, const char *newstr, size_t len)
- {
- DEBUGASSERT(newstr);
- DEBUGASSERT(str);
- free(*str);
- *str = Curl_memdup0(newstr, len);
- }
- /*
- * remove_expired
- *
- * Remove expired cookies from the hash by inspecting the expires timestamp on
- * each cookie in the hash, freeing and deleting any where the timestamp is in
- * the past. If the cookiejar has recorded the next timestamp at which one or
- * more cookies expire, then processing will exit early in case this timestamp
- * is in the future.
- */
- static void remove_expired(struct CookieInfo *ci)
- {
- struct Cookie *co;
- curl_off_t now = (curl_off_t)time(NULL);
- unsigned int i;
- /*
- * If the earliest expiration timestamp in the jar is in the future we can
- * skip scanning the whole jar and instead exit early as there will not be
- * any cookies to evict. If we need to evict however, reset the
- * next_expiration counter in order to track the next one. In case the
- * recorded first expiration is the max offset, then perform the safe
- * fallback of checking all cookies.
- */
- if(now < ci->next_expiration &&
- ci->next_expiration != CURL_OFF_T_MAX)
- return;
- else
- ci->next_expiration = CURL_OFF_T_MAX;
- for(i = 0; i < COOKIE_HASH_SIZE; i++) {
- struct Curl_llist_node *n;
- struct Curl_llist_node *e = NULL;
- for(n = Curl_llist_head(&ci->cookielist[i]); n; n = e) {
- co = Curl_node_elem(n);
- e = Curl_node_next(n);
- if(co->expires && co->expires < now) {
- Curl_node_remove(n);
- freecookie(co);
- ci->numcookies--;
- }
- else {
- /*
- * If this cookie has an expiration timestamp earlier than what we
- * have seen so far then record it for the next round of expirations.
- */
- if(co->expires && co->expires < ci->next_expiration)
- ci->next_expiration = co->expires;
- }
- }
- }
- }
- #ifndef USE_LIBPSL
- /* Make sure domain contains a dot or is localhost. */
- static bool bad_domain(const char *domain, size_t len)
- {
- if((len == 9) && strncasecompare(domain, "localhost", 9))
- return FALSE;
- else {
- /* there must be a dot present, but that dot must not be a trailing dot */
- char *dot = memchr(domain, '.', len);
- if(dot) {
- size_t i = dot - domain;
- if((len - i) > 1)
- /* the dot is not the last byte */
- return FALSE;
- }
- }
- return TRUE;
- }
- #endif
- /*
- RFC 6265 section 4.1.1 says a server should accept this range:
- cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
- But Firefox and Chrome as of June 2022 accept space, comma and double-quotes
- fine. The prime reason for filtering out control bytes is that some HTTP
- servers return 400 for requests that contain such.
- */
- static int invalid_octets(const char *p)
- {
- /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */
- static const char badoctets[] = {
- "\x01\x02\x03\x04\x05\x06\x07\x08\x0a"
- "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
- "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f"
- };
- size_t len;
- /* scan for all the octets that are *not* in cookie-octet */
- len = strcspn(p, badoctets);
- return (p[len] != '\0');
- }
- #define CERR_OK 0
- #define CERR_TOO_LONG 1 /* input line too long */
- #define CERR_TAB 2 /* in a wrong place */
- #define CERR_TOO_BIG 3 /* name/value too large */
- #define CERR_BAD 4 /* deemed incorrect */
- #define CERR_NO_SEP 5 /* semicolon problem */
- #define CERR_NO_NAME_VALUE 6 /* name or value problem */
- #define CERR_INVALID_OCTET 7 /* bad content */
- #define CERR_BAD_SECURE 8 /* secure in a bad place */
- #define CERR_OUT_OF_MEMORY 9
- #define CERR_NO_TAILMATCH 10
- #define CERR_COMMENT 11 /* a commented line */
- #define CERR_RANGE 12 /* expire range problem */
- #define CERR_FIELDS 13 /* incomplete netscape line */
- #define CERR_PSL 14 /* a public suffix */
- #define CERR_LIVE_WINS 15
- /* The maximum length we accept a date string for the 'expire' keyword. The
- standard date formats are within the 30 bytes range. This adds an extra
- margin just to make sure it realistically works with what is used out
- there.
- */
- #define MAX_DATE_LENGTH 80
- static int
- parse_cookie_header(struct Curl_easy *data,
- struct Cookie *co,
- struct CookieInfo *ci,
- const char *ptr,
- const char *domain, /* default domain */
- const char *path, /* full path used when this cookie is
- set, used to get default path for
- the cookie unless set */
- bool secure) /* TRUE if connection is over secure
- origin */
- {
- /* This line was read off an HTTP-header */
- time_t now;
- size_t linelength = strlen(ptr);
- if(linelength > MAX_COOKIE_LINE)
- /* discard overly long lines at once */
- return CERR_TOO_LONG;
- now = time(NULL);
- do {
- size_t vlen;
- size_t nlen;
- while(*ptr && ISBLANK(*ptr))
- ptr++;
- /* we have a <name>=<value> pair or a stand-alone word here */
- nlen = strcspn(ptr, ";\t\r\n=");
- if(nlen) {
- bool done = FALSE;
- bool sep = FALSE;
- const char *namep = ptr;
- const char *valuep;
- ptr += nlen;
- /* trim trailing spaces and tabs after name */
- while(nlen && ISBLANK(namep[nlen - 1]))
- nlen--;
- if(*ptr == '=') {
- vlen = strcspn(++ptr, ";\r\n");
- valuep = ptr;
- sep = TRUE;
- ptr = &valuep[vlen];
- /* Strip off trailing whitespace from the value */
- while(vlen && ISBLANK(valuep[vlen-1]))
- vlen--;
- /* Skip leading whitespace from the value */
- while(vlen && ISBLANK(*valuep)) {
- valuep++;
- vlen--;
- }
- /* Reject cookies with a TAB inside the value */
- if(memchr(valuep, '\t', vlen)) {
- infof(data, "cookie contains TAB, dropping");
- return CERR_TAB;
- }
- }
- else {
- valuep = NULL;
- vlen = 0;
- }
- /*
- * Check for too long individual name or contents, or too long
- * combination of name + contents. Chrome and Firefox support 4095 or
- * 4096 bytes combo
- */
- if(nlen >= (MAX_NAME-1) || vlen >= (MAX_NAME-1) ||
- ((nlen + vlen) > MAX_NAME)) {
- infof(data, "oversized cookie dropped, name/val %zu + %zu bytes",
- nlen, vlen);
- return CERR_TOO_BIG;
- }
- /*
- * Check if we have a reserved prefix set before anything else, as we
- * otherwise have to test for the prefix in both the cookie name and
- * "the rest". Prefixes must start with '__' and end with a '-', so
- * only test for names where that can possibly be true.
- */
- if(nlen >= 7 && namep[0] == '_' && namep[1] == '_') {
- if(strncasecompare("__Secure-", namep, 9))
- co->prefix_secure = TRUE;
- else if(strncasecompare("__Host-", namep, 7))
- co->prefix_host = TRUE;
- }
- /*
- * Use strstore() below to properly deal with received cookie
- * headers that have the same string property set more than once,
- * and then we use the last one.
- */
- if(!co->name) {
- /* The very first name/value pair is the actual cookie name */
- if(!sep)
- /* Bad name/value pair. */
- return CERR_NO_SEP;
- strstore(&co->name, namep, nlen);
- strstore(&co->value, valuep, vlen);
- done = TRUE;
- if(!co->name || !co->value)
- return CERR_NO_NAME_VALUE;
- if(invalid_octets(co->value) || invalid_octets(co->name)) {
- infof(data, "invalid octets in name/value, cookie dropped");
- return CERR_INVALID_OCTET;
- }
- }
- else if(!vlen) {
- /*
- * this was a "<name>=" with no content, and we must allow
- * 'secure' and 'httponly' specified this weirdly
- */
- done = TRUE;
- /*
- * secure cookies are only allowed to be set when the connection is
- * using a secure protocol, or when the cookie is being set by
- * reading from file
- */
- if((nlen == 6) && strncasecompare("secure", namep, 6)) {
- if(secure || !ci->running) {
- co->secure = TRUE;
- }
- else {
- return CERR_BAD_SECURE;
- }
- }
- else if((nlen == 8) && strncasecompare("httponly", namep, 8))
- co->httponly = TRUE;
- else if(sep)
- /* there was a '=' so we are not done parsing this field */
- done = FALSE;
- }
- if(done)
- ;
- else if((nlen == 4) && strncasecompare("path", namep, 4)) {
- strstore(&co->path, valuep, vlen);
- if(!co->path)
- return CERR_OUT_OF_MEMORY;
- free(co->spath); /* if this is set again */
- co->spath = sanitize_cookie_path(co->path);
- if(!co->spath)
- return CERR_OUT_OF_MEMORY;
- }
- else if((nlen == 6) &&
- strncasecompare("domain", namep, 6) && vlen) {
- bool is_ip;
- /*
- * Now, we make sure that our host is within the given domain, or
- * the given domain is not valid and thus cannot be set.
- */
- if('.' == valuep[0]) {
- valuep++; /* ignore preceding dot */
- vlen--;
- }
- #ifndef USE_LIBPSL
- /*
- * Without PSL we do not know when the incoming cookie is set on a
- * TLD or otherwise "protected" suffix. To reduce risk, we require a
- * dot OR the exact hostname being "localhost".
- */
- if(bad_domain(valuep, vlen))
- domain = ":";
- #endif
- is_ip = Curl_host_is_ipnum(domain ? domain : valuep);
- if(!domain
- || (is_ip && !strncmp(valuep, domain, vlen) &&
- (vlen == strlen(domain)))
- || (!is_ip && cookie_tailmatch(valuep, vlen, domain))) {
- strstore(&co->domain, valuep, vlen);
- if(!co->domain)
- return CERR_OUT_OF_MEMORY;
- if(!is_ip)
- co->tailmatch = TRUE; /* we always do that if the domain name was
- given */
- }
- else {
- /*
- * We did not get a tailmatch and then the attempted set domain is
- * not a domain to which the current host belongs. Mark as bad.
- */
- infof(data, "skipped cookie with bad tailmatch domain: %s",
- valuep);
- return CERR_NO_TAILMATCH;
- }
- }
- else if((nlen == 7) && strncasecompare("version", namep, 7)) {
- /* just ignore */
- }
- else if((nlen == 7) && strncasecompare("max-age", namep, 7)) {
- /*
- * Defined in RFC2109:
- *
- * Optional. The Max-Age attribute defines the lifetime of the
- * cookie, in seconds. The delta-seconds value is a decimal non-
- * negative integer. After delta-seconds seconds elapse, the
- * client should discard the cookie. A value of zero means the
- * cookie should be discarded immediately.
- */
- CURLofft offt;
- const char *maxage = valuep;
- offt = curlx_strtoofft((*maxage == '\"') ?
- &maxage[1] : &maxage[0], NULL, 10,
- &co->expires);
- switch(offt) {
- case CURL_OFFT_FLOW:
- /* overflow, used max value */
- co->expires = CURL_OFF_T_MAX;
- break;
- case CURL_OFFT_INVAL:
- /* negative or otherwise bad, expire */
- co->expires = 1;
- break;
- case CURL_OFFT_OK:
- if(!co->expires)
- /* already expired */
- co->expires = 1;
- else if(CURL_OFF_T_MAX - now < co->expires)
- /* would overflow */
- co->expires = CURL_OFF_T_MAX;
- else
- co->expires += now;
- break;
- }
- }
- else if((nlen == 7) && strncasecompare("expires", namep, 7)) {
- if(!co->expires && (vlen < MAX_DATE_LENGTH)) {
- /*
- * Let max-age have priority.
- *
- * If the date cannot get parsed for whatever reason, the cookie
- * will be treated as a session cookie
- */
- char dbuf[MAX_DATE_LENGTH + 1];
- memcpy(dbuf, valuep, vlen);
- dbuf[vlen] = 0;
- co->expires = Curl_getdate_capped(dbuf);
- /*
- * Session cookies have expires set to 0 so if we get that back
- * from the date parser let's add a second to make it a
- * non-session cookie
- */
- if(co->expires == 0)
- co->expires = 1;
- else if(co->expires < 0)
- co->expires = 0;
- }
- }
- /*
- * Else, this is the second (or more) name we do not know about!
- */
- }
- else {
- /* this is an "illegal" <what>=<this> pair */
- }
- while(*ptr && ISBLANK(*ptr))
- ptr++;
- if(*ptr == ';')
- ptr++;
- else
- break;
- } while(1);
- if(!co->domain && domain) {
- /* no domain was given in the header line, set the default */
- co->domain = strdup(domain);
- if(!co->domain)
- return CERR_OUT_OF_MEMORY;
- }
- if(!co->path && path) {
- /*
- * No path was given in the header line, set the default. Note that the
- * passed-in path to this function MAY have a '?' and following part that
- * MUST NOT be stored as part of the path.
- */
- char *queryp = strchr(path, '?');
- /*
- * queryp is where the interesting part of the path ends, so now we
- * want to the find the last
- */
- char *endslash;
- if(!queryp)
- endslash = strrchr(path, '/');
- else
- endslash = memrchr(path, '/', (queryp - path));
- if(endslash) {
- size_t pathlen = (endslash-path + 1); /* include end slash */
- co->path = Curl_memdup0(path, pathlen);
- if(co->path) {
- co->spath = sanitize_cookie_path(co->path);
- if(!co->spath)
- return CERR_OUT_OF_MEMORY;
- }
- else
- return CERR_OUT_OF_MEMORY;
- }
- }
- /*
- * If we did not get a cookie name, or a bad one, the this is an illegal
- * line so bail out.
- */
- if(!co->name)
- return CERR_BAD;
- data->req.setcookies++;
- return CERR_OK;
- }
- static int
- parse_netscape(struct Cookie *co,
- struct CookieInfo *ci,
- const char *lineptr,
- bool secure) /* TRUE if connection is over secure
- origin */
- {
- /*
- * This line is NOT an HTTP header style line, we do offer support for
- * reading the odd netscape cookies-file format here
- */
- char *ptr;
- char *firstptr;
- char *tok_buf = NULL;
- int fields;
- /*
- * In 2008, Internet Explorer introduced HTTP-only cookies to prevent XSS
- * attacks. Cookies marked httpOnly are not accessible to JavaScript. In
- * Firefox's cookie files, they are prefixed #HttpOnly_ and the rest
- * remains as usual, so we skip 10 characters of the line.
- */
- if(strncmp(lineptr, "#HttpOnly_", 10) == 0) {
- lineptr += 10;
- co->httponly = TRUE;
- }
- if(lineptr[0]=='#')
- /* do not even try the comments */
- return CERR_COMMENT;
- /* strip off the possible end-of-line characters */
- ptr = strchr(lineptr, '\r');
- if(ptr)
- *ptr = 0; /* clear it */
- ptr = strchr(lineptr, '\n');
- if(ptr)
- *ptr = 0; /* clear it */
- /* tokenize on TAB */
- firstptr = Curl_strtok_r((char *)lineptr, "\t", &tok_buf);
- /*
- * Now loop through the fields and init the struct we already have
- * allocated
- */
- fields = 0;
- for(ptr = firstptr; ptr;
- ptr = Curl_strtok_r(NULL, "\t", &tok_buf), fields++) {
- switch(fields) {
- case 0:
- if(ptr[0]=='.') /* skip preceding dots */
- ptr++;
- co->domain = strdup(ptr);
- if(!co->domain)
- return CERR_OUT_OF_MEMORY;
- break;
- case 1:
- /*
- * flag: A TRUE/FALSE value indicating if all machines within a given
- * domain can access the variable. Set TRUE when the cookie says
- * .domain.com and to false when the domain is complete www.domain.com
- */
- co->tailmatch = !!strcasecompare(ptr, "TRUE");
- break;
- case 2:
- /* The file format allows the path field to remain not filled in */
- if(strcmp("TRUE", ptr) && strcmp("FALSE", ptr)) {
- /* only if the path does not look like a boolean option! */
- co->path = strdup(ptr);
- if(!co->path)
- return CERR_OUT_OF_MEMORY;
- else {
- co->spath = sanitize_cookie_path(co->path);
- if(!co->spath)
- return CERR_OUT_OF_MEMORY;
- }
- break;
- }
- /* this does not look like a path, make one up! */
- co->path = strdup("/");
- if(!co->path)
- return CERR_OUT_OF_MEMORY;
- co->spath = strdup("/");
- if(!co->spath)
- return CERR_OUT_OF_MEMORY;
- fields++; /* add a field and fall down to secure */
- FALLTHROUGH();
- case 3:
- co->secure = FALSE;
- if(strcasecompare(ptr, "TRUE")) {
- if(secure || ci->running)
- co->secure = TRUE;
- else
- return CERR_BAD_SECURE;
- }
- break;
- case 4:
- if(curlx_strtoofft(ptr, NULL, 10, &co->expires))
- return CERR_RANGE;
- break;
- case 5:
- co->name = strdup(ptr);
- if(!co->name)
- return CERR_OUT_OF_MEMORY;
- else {
- /* For Netscape file format cookies we check prefix on the name */
- if(strncasecompare("__Secure-", co->name, 9))
- co->prefix_secure = TRUE;
- else if(strncasecompare("__Host-", co->name, 7))
- co->prefix_host = TRUE;
- }
- break;
- case 6:
- co->value = strdup(ptr);
- if(!co->value)
- return CERR_OUT_OF_MEMORY;
- break;
- }
- }
- if(6 == fields) {
- /* we got a cookie with blank contents, fix it */
- co->value = strdup("");
- if(!co->value)
- return CERR_OUT_OF_MEMORY;
- else
- fields++;
- }
- if(7 != fields)
- /* we did not find the sufficient number of fields */
- return CERR_FIELDS;
- return CERR_OK;
- }
- static int
- is_public_suffix(struct Curl_easy *data,
- struct Cookie *co,
- const char *domain)
- {
- #ifdef USE_LIBPSL
- /*
- * Check if the domain is a Public Suffix and if yes, ignore the cookie. We
- * must also check that the data handle is not NULL since the psl code will
- * dereference it.
- */
- DEBUGF(infof(data, "PSL check set-cookie '%s' for domain=%s in %s",
- co->name, co->domain, domain));
- if(data && (domain && co->domain && !Curl_host_is_ipnum(co->domain))) {
- bool acceptable = FALSE;
- char lcase[256];
- char lcookie[256];
- size_t dlen = strlen(domain);
- size_t clen = strlen(co->domain);
- if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
- const psl_ctx_t *psl = Curl_psl_use(data);
- if(psl) {
- /* the PSL check requires lowercase domain name and pattern */
- Curl_strntolower(lcase, domain, dlen + 1);
- Curl_strntolower(lcookie, co->domain, clen + 1);
- acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
- Curl_psl_release(data);
- }
- else
- infof(data, "libpsl problem, rejecting cookie for satety");
- }
- if(!acceptable) {
- infof(data, "cookie '%s' dropped, domain '%s' must not "
- "set cookies for '%s'", co->name, domain, co->domain);
- return CERR_PSL;
- }
- }
- #else
- (void)data;
- (void)co;
- (void)domain;
- DEBUGF(infof(data, "NO PSL to check set-cookie '%s' for domain=%s in %s",
- co->name, co->domain, domain));
- #endif
- return CERR_OK;
- }
- static int
- replace_existing(struct Curl_easy *data,
- struct Cookie *co,
- struct CookieInfo *ci,
- bool secure,
- bool *replacep)
- {
- bool replace_old = FALSE;
- struct Curl_llist_node *replace_n = NULL;
- struct Curl_llist_node *n;
- size_t myhash = cookiehash(co->domain);
- for(n = Curl_llist_head(&ci->cookielist[myhash]); n; n = Curl_node_next(n)) {
- struct Cookie *clist = Curl_node_elem(n);
- if(!strcmp(clist->name, co->name)) {
- /* the names are identical */
- bool matching_domains = FALSE;
- if(clist->domain && co->domain) {
- if(strcasecompare(clist->domain, co->domain))
- /* The domains are identical */
- matching_domains = TRUE;
- }
- else if(!clist->domain && !co->domain)
- matching_domains = TRUE;
- if(matching_domains && /* the domains were identical */
- clist->spath && co->spath && /* both have paths */
- clist->secure && !co->secure && !secure) {
- size_t cllen;
- const char *sep;
- /*
- * A non-secure cookie may not overlay an existing secure cookie.
- * For an existing cookie "a" with path "/login", refuse a new
- * cookie "a" with for example path "/login/en", while the path
- * "/loginhelper" is ok.
- */
- sep = strchr(clist->spath + 1, '/');
- if(sep)
- cllen = sep - clist->spath;
- else
- cllen = strlen(clist->spath);
- if(strncasecompare(clist->spath, co->spath, cllen)) {
- infof(data, "cookie '%s' for domain '%s' dropped, would "
- "overlay an existing cookie", co->name, co->domain);
- return CERR_BAD_SECURE;
- }
- }
- }
- if(!replace_n && !strcmp(clist->name, co->name)) {
- /* the names are identical */
- if(clist->domain && co->domain) {
- if(strcasecompare(clist->domain, co->domain) &&
- (clist->tailmatch == co->tailmatch))
- /* The domains are identical */
- replace_old = TRUE;
- }
- else if(!clist->domain && !co->domain)
- replace_old = TRUE;
- if(replace_old) {
- /* the domains were identical */
- if(clist->spath && co->spath &&
- !strcasecompare(clist->spath, co->spath))
- replace_old = FALSE;
- else if(!clist->spath != !co->spath)
- replace_old = FALSE;
- }
- if(replace_old && !co->livecookie && clist->livecookie) {
- /*
- * Both cookies matched fine, except that the already present cookie
- * is "live", which means it was set from a header, while the new one
- * was read from a file and thus is not "live". "live" cookies are
- * preferred so the new cookie is freed.
- */
- return CERR_LIVE_WINS;
- }
- if(replace_old)
- replace_n = n;
- }
- }
- if(replace_n) {
- struct Cookie *repl = Curl_node_elem(replace_n);
- /* when replacing, creationtime is kept from old */
- co->creationtime = repl->creationtime;
- /* unlink the old */
- Curl_node_remove(replace_n);
- /* free the old cookie */
- freecookie(repl);
- }
- *replacep = replace_old;
- return CERR_OK;
- }
- /*
- * Curl_cookie_add
- *
- * Add a single cookie line to the cookie keeping object. Be aware that
- * sometimes we get an IP-only hostname, and that might also be a numerical
- * IPv6 address.
- *
- * Returns NULL on out of memory or invalid cookie. This is suboptimal,
- * as they should be treated separately.
- */
- struct Cookie *
- Curl_cookie_add(struct Curl_easy *data,
- struct CookieInfo *ci,
- bool httpheader, /* TRUE if HTTP header-style line */
- bool noexpire, /* if TRUE, skip remove_expired() */
- const char *lineptr, /* first character of the line */
- const char *domain, /* default domain */
- const char *path, /* full path used when this cookie is set,
- used to get default path for the cookie
- unless set */
- bool secure) /* TRUE if connection is over secure origin */
- {
- struct Cookie *co;
- size_t myhash;
- int rc;
- bool replaces = FALSE;
- DEBUGASSERT(data);
- DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */
- if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT)
- return NULL;
- /* First, alloc and init a new struct for it */
- co = calloc(1, sizeof(struct Cookie));
- if(!co)
- return NULL; /* bail out if we are this low on memory */
- if(httpheader)
- rc = parse_cookie_header(data, co, ci, lineptr, domain, path, secure);
- else
- rc = parse_netscape(co, ci, lineptr, secure);
- if(rc)
- goto fail;
- if(co->prefix_secure && !co->secure)
- /* The __Secure- prefix only requires that the cookie be set secure */
- goto fail;
- if(co->prefix_host) {
- /*
- * The __Host- prefix requires the cookie to be secure, have a "/" path
- * and not have a domain set.
- */
- if(co->secure && co->path && strcmp(co->path, "/") == 0 && !co->tailmatch)
- ;
- else
- goto fail;
- }
- if(!ci->running && /* read from a file */
- ci->newsession && /* clean session cookies */
- !co->expires) /* this is a session cookie since it does not expire */
- goto fail;
- co->livecookie = ci->running;
- co->creationtime = ++ci->lastct;
- /*
- * Now we have parsed the incoming line, we must now check if this supersedes
- * an already existing cookie, which it may if the previous have the same
- * domain and path as this.
- */
- /* remove expired cookies */
- if(!noexpire)
- remove_expired(ci);
- if(is_public_suffix(data, co, domain))
- goto fail;
- if(replace_existing(data, co, ci, secure, &replaces))
- goto fail;
- /* add this cookie to the list */
- myhash = cookiehash(co->domain);
- Curl_llist_append(&ci->cookielist[myhash], co, &co->node);
- if(ci->running)
- /* Only show this when NOT reading the cookies from a file */
- infof(data, "%s cookie %s=\"%s\" for domain %s, path %s, "
- "expire %" FMT_OFF_T,
- replaces ? "Replaced":"Added", co->name, co->value,
- co->domain, co->path, co->expires);
- if(!replaces)
- ci->numcookies++; /* one more cookie in the jar */
- /*
- * Now that we have added a new cookie to the jar, update the expiration
- * tracker in case it is the next one to expire.
- */
- if(co->expires && (co->expires < ci->next_expiration))
- ci->next_expiration = co->expires;
- return co;
- fail:
- freecookie(co);
- return NULL;
- }
- /*
- * Curl_cookie_init()
- *
- * Inits a cookie struct to read data from a local file. This is always
- * called before any cookies are set. File may be NULL in which case only the
- * struct is initialized. Is file is "-" then STDIN is read.
- *
- * If 'newsession' is TRUE, discard all "session cookies" on read from file.
- *
- * Note that 'data' might be called as NULL pointer. If data is NULL, 'file'
- * will be ignored.
- *
- * Returns NULL on out of memory. Invalid cookies are ignored.
- */
- struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
- const char *file,
- struct CookieInfo *ci,
- bool newsession)
- {
- FILE *handle = NULL;
- if(!ci) {
- int i;
- /* we did not get a struct, create one */
- ci = calloc(1, sizeof(struct CookieInfo));
- if(!ci)
- return NULL; /* failed to get memory */
- /* This does not use the destructor callback since we want to add
- and remove to lists while keeping the cookie struct intact */
- for(i = 0; i < COOKIE_HASH_SIZE; i++)
- Curl_llist_init(&ci->cookielist[i], NULL);
- /*
- * Initialize the next_expiration time to signal that we do not have enough
- * information yet.
- */
- ci->next_expiration = CURL_OFF_T_MAX;
- }
- ci->newsession = newsession; /* new session? */
- if(data) {
- FILE *fp = NULL;
- if(file && *file) {
- if(!strcmp(file, "-"))
- fp = stdin;
- else {
- fp = fopen(file, "rb");
- if(!fp)
- infof(data, "WARNING: failed to open cookie file \"%s\"", file);
- else
- handle = fp;
- }
- }
- ci->running = FALSE; /* this is not running, this is init */
- if(fp) {
- struct dynbuf buf;
- Curl_dyn_init(&buf, MAX_COOKIE_LINE);
- while(Curl_get_line(&buf, fp)) {
- char *lineptr = Curl_dyn_ptr(&buf);
- bool headerline = FALSE;
- if(checkprefix("Set-Cookie:", lineptr)) {
- /* This is a cookie line, get it! */
- lineptr += 11;
- headerline = TRUE;
- while(*lineptr && ISBLANK(*lineptr))
- lineptr++;
- }
- Curl_cookie_add(data, ci, headerline, TRUE, lineptr, NULL, NULL, TRUE);
- }
- Curl_dyn_free(&buf); /* free the line buffer */
- /*
- * Remove expired cookies from the hash. We must make sure to run this
- * after reading the file, and not on every cookie.
- */
- remove_expired(ci);
- if(handle)
- fclose(handle);
- }
- data->state.cookie_engine = TRUE;
- }
- ci->running = TRUE; /* now, we are running */
- return ci;
- }
- /*
- * cookie_sort
- *
- * Helper function to sort cookies such that the longest path gets before the
- * shorter path. Path, domain and name lengths are considered in that order,
- * with the creationtime as the tiebreaker. The creationtime is guaranteed to
- * be unique per cookie, so we know we will get an ordering at that point.
- */
- static int cookie_sort(const void *p1, const void *p2)
- {
- struct Cookie *c1 = *(struct Cookie **)p1;
- struct Cookie *c2 = *(struct Cookie **)p2;
- size_t l1, l2;
- /* 1 - compare cookie path lengths */
- l1 = c1->path ? strlen(c1->path) : 0;
- l2 = c2->path ? strlen(c2->path) : 0;
- if(l1 != l2)
- return (l2 > l1) ? 1 : -1 ; /* avoid size_t <=> int conversions */
- /* 2 - compare cookie domain lengths */
- l1 = c1->domain ? strlen(c1->domain) : 0;
- l2 = c2->domain ? strlen(c2->domain) : 0;
- if(l1 != l2)
- return (l2 > l1) ? 1 : -1 ; /* avoid size_t <=> int conversions */
- /* 3 - compare cookie name lengths */
- l1 = c1->name ? strlen(c1->name) : 0;
- l2 = c2->name ? strlen(c2->name) : 0;
- if(l1 != l2)
- return (l2 > l1) ? 1 : -1;
- /* 4 - compare cookie creation time */
- return (c2->creationtime > c1->creationtime) ? 1 : -1;
- }
- /*
- * cookie_sort_ct
- *
- * Helper function to sort cookies according to creation time.
- */
- static int cookie_sort_ct(const void *p1, const void *p2)
- {
- struct Cookie *c1 = *(struct Cookie **)p1;
- struct Cookie *c2 = *(struct Cookie **)p2;
- return (c2->creationtime > c1->creationtime) ? 1 : -1;
- }
- /*
- * Curl_cookie_getlist
- *
- * For a given host and path, return a linked list of cookies that the client
- * should send to the server if used now. The secure boolean informs the cookie
- * if a secure connection is achieved or not.
- *
- * It shall only return cookies that have not expired.
- *
- * Returns 0 when there is a list returned. Otherwise non-zero.
- */
- int Curl_cookie_getlist(struct Curl_easy *data,
- struct CookieInfo *ci,
- const char *host, const char *path,
- bool secure,
- struct Curl_llist *list)
- {
- size_t matches = 0;
- bool is_ip;
- const size_t myhash = cookiehash(host);
- struct Curl_llist_node *n;
- Curl_llist_init(list, NULL);
- if(!ci || !Curl_llist_count(&ci->cookielist[myhash]))
- return 1; /* no cookie struct or no cookies in the struct */
- /* at first, remove expired cookies */
- remove_expired(ci);
- /* check if host is an IP(v4|v6) address */
- is_ip = Curl_host_is_ipnum(host);
- for(n = Curl_llist_head(&ci->cookielist[myhash]);
- n; n = Curl_node_next(n)) {
- struct Cookie *co = Curl_node_elem(n);
- /* if the cookie requires we are secure we must only continue if we are! */
- if(co->secure ? secure : TRUE) {
- /* now check if the domain is correct */
- if(!co->domain ||
- (co->tailmatch && !is_ip &&
- cookie_tailmatch(co->domain, strlen(co->domain), host)) ||
- ((!co->tailmatch || is_ip) && strcasecompare(host, co->domain)) ) {
- /*
- * the right part of the host matches the domain stuff in the
- * cookie data
- */
- /*
- * now check the left part of the path with the cookies path
- * requirement
- */
- if(!co->spath || pathmatch(co->spath, path) ) {
- /*
- * This is a match and we add it to the return-linked-list
- */
- Curl_llist_append(list, co, &co->getnode);
- matches++;
- if(matches >= MAX_COOKIE_SEND_AMOUNT) {
- infof(data, "Included max number of cookies (%zu) in request!",
- matches);
- break;
- }
- }
- }
- }
- }
- if(matches) {
- /*
- * Now we need to make sure that if there is a name appearing more than
- * once, the longest specified path version comes first. To make this
- * the swiftest way, we just sort them all based on path length.
- */
- struct Cookie **array;
- size_t i;
- /* alloc an array and store all cookie pointers */
- array = malloc(sizeof(struct Cookie *) * matches);
- if(!array)
- goto fail;
- n = Curl_llist_head(list);
- for(i = 0; n; n = Curl_node_next(n))
- array[i++] = Curl_node_elem(n);
- /* now sort the cookie pointers in path length order */
- qsort(array, matches, sizeof(struct Cookie *), cookie_sort);
- /* remake the linked list order according to the new order */
- Curl_llist_destroy(list, NULL);
- for(i = 0; i < matches; i++)
- Curl_llist_append(list, array[i], &array[i]->getnode);
- free(array); /* remove the temporary data again */
- }
- return 0; /* success */
- fail:
- /* failure, clear up the allocated chain and return NULL */
- Curl_llist_destroy(list, NULL);
- return 2; /* error */
- }
- /*
- * Curl_cookie_clearall
- *
- * Clear all existing cookies and reset the counter.
- */
- void Curl_cookie_clearall(struct CookieInfo *ci)
- {
- if(ci) {
- unsigned int i;
- for(i = 0; i < COOKIE_HASH_SIZE; i++) {
- struct Curl_llist_node *n;
- for(n = Curl_llist_head(&ci->cookielist[i]); n;) {
- struct Cookie *c = Curl_node_elem(n);
- struct Curl_llist_node *e = Curl_node_next(n);
- Curl_node_remove(n);
- freecookie(c);
- n = e;
- }
- }
- ci->numcookies = 0;
- }
- }
- /*
- * Curl_cookie_clearsess
- *
- * Free all session cookies in the cookies list.
- */
- void Curl_cookie_clearsess(struct CookieInfo *ci)
- {
- unsigned int i;
- if(!ci)
- return;
- for(i = 0; i < COOKIE_HASH_SIZE; i++) {
- struct Curl_llist_node *n = Curl_llist_head(&ci->cookielist[i]);
- struct Curl_llist_node *e = NULL;
- for(; n; n = e) {
- struct Cookie *curr = Curl_node_elem(n);
- e = Curl_node_next(n); /* in case the node is removed, get it early */
- if(!curr->expires) {
- Curl_node_remove(n);
- freecookie(curr);
- ci->numcookies--;
- }
- }
- }
- }
- /*
- * Curl_cookie_cleanup()
- *
- * Free a "cookie object" previous created with Curl_cookie_init().
- */
- void Curl_cookie_cleanup(struct CookieInfo *ci)
- {
- if(ci) {
- Curl_cookie_clearall(ci);
- free(ci); /* free the base struct as well */
- }
- }
- /*
- * get_netscape_format()
- *
- * Formats a string for Netscape output file, w/o a newline at the end.
- * Function returns a char * to a formatted line. The caller is responsible
- * for freeing the returned pointer.
- */
- static char *get_netscape_format(const struct Cookie *co)
- {
- return aprintf(
- "%s" /* httponly preamble */
- "%s%s\t" /* domain */
- "%s\t" /* tailmatch */
- "%s\t" /* path */
- "%s\t" /* secure */
- "%" FMT_OFF_T "\t" /* expires */
- "%s\t" /* name */
- "%s", /* value */
- co->httponly ? "#HttpOnly_" : "",
- /*
- * Make sure all domains are prefixed with a dot if they allow
- * tailmatching. This is Mozilla-style.
- */
- (co->tailmatch && co->domain && co->domain[0] != '.') ? "." : "",
- co->domain ? co->domain : "unknown",
- co->tailmatch ? "TRUE" : "FALSE",
- co->path ? co->path : "/",
- co->secure ? "TRUE" : "FALSE",
- co->expires,
- co->name,
- co->value ? co->value : "");
- }
- /*
- * cookie_output()
- *
- * Writes all internally known cookies to the specified file. Specify
- * "-" as filename to write to stdout.
- *
- * The function returns non-zero on write failure.
- */
- static CURLcode cookie_output(struct Curl_easy *data,
- struct CookieInfo *ci,
- const char *filename)
- {
- FILE *out = NULL;
- bool use_stdout = FALSE;
- char *tempstore = NULL;
- CURLcode error = CURLE_OK;
- if(!ci)
- /* no cookie engine alive */
- return CURLE_OK;
- /* at first, remove expired cookies */
- remove_expired(ci);
- if(!strcmp("-", filename)) {
- /* use stdout */
- out = stdout;
- use_stdout = TRUE;
- }
- else {
- error = Curl_fopen(data, filename, &out, &tempstore);
- if(error)
- goto error;
- }
- fputs("# Netscape HTTP Cookie File\n"
- "# https://curl.se/docs/http-cookies.html\n"
- "# This file was generated by libcurl! Edit at your own risk.\n\n",
- out);
- if(ci->numcookies) {
- unsigned int i;
- size_t nvalid = 0;
- struct Cookie **array;
- struct Curl_llist_node *n;
- array = calloc(1, sizeof(struct Cookie *) * ci->numcookies);
- if(!array) {
- error = CURLE_OUT_OF_MEMORY;
- goto error;
- }
- /* only sort the cookies with a domain property */
- for(i = 0; i < COOKIE_HASH_SIZE; i++) {
- for(n = Curl_llist_head(&ci->cookielist[i]); n;
- n = Curl_node_next(n)) {
- struct Cookie *co = Curl_node_elem(n);
- if(!co->domain)
- continue;
- array[nvalid++] = co;
- }
- }
- qsort(array, nvalid, sizeof(struct Cookie *), cookie_sort_ct);
- for(i = 0; i < nvalid; i++) {
- char *format_ptr = get_netscape_format(array[i]);
- if(!format_ptr) {
- free(array);
- error = CURLE_OUT_OF_MEMORY;
- goto error;
- }
- fprintf(out, "%s\n", format_ptr);
- free(format_ptr);
- }
- free(array);
- }
- if(!use_stdout) {
- fclose(out);
- out = NULL;
- if(tempstore && Curl_rename(tempstore, filename)) {
- unlink(tempstore);
- error = CURLE_WRITE_ERROR;
- goto error;
- }
- }
- /*
- * If we reach here we have successfully written a cookie file so there is
- * no need to inspect the error, any error case should have jumped into the
- * error block below.
- */
- free(tempstore);
- return CURLE_OK;
- error:
- if(out && !use_stdout)
- fclose(out);
- free(tempstore);
- return error;
- }
- static struct curl_slist *cookie_list(struct Curl_easy *data)
- {
- struct curl_slist *list = NULL;
- struct curl_slist *beg;
- unsigned int i;
- struct Curl_llist_node *n;
- if(!data->cookies || (data->cookies->numcookies == 0))
- return NULL;
- for(i = 0; i < COOKIE_HASH_SIZE; i++) {
- for(n = Curl_llist_head(&data->cookies->cookielist[i]); n;
- n = Curl_node_next(n)) {
- struct Cookie *c = Curl_node_elem(n);
- char *line;
- if(!c->domain)
- continue;
- line = get_netscape_format(c);
- if(!line) {
- curl_slist_free_all(list);
- return NULL;
- }
- beg = Curl_slist_append_nodup(list, line);
- if(!beg) {
- free(line);
- curl_slist_free_all(list);
- return NULL;
- }
- list = beg;
- }
- }
- return list;
- }
- struct curl_slist *Curl_cookie_list(struct Curl_easy *data)
- {
- struct curl_slist *list;
- Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
- list = cookie_list(data);
- Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
- return list;
- }
- void Curl_flush_cookies(struct Curl_easy *data, bool cleanup)
- {
- CURLcode res;
- if(data->set.str[STRING_COOKIEJAR]) {
- Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
- /* if we have a destination file for all the cookies to get dumped to */
- res = cookie_output(data, data->cookies, data->set.str[STRING_COOKIEJAR]);
- if(res)
- infof(data, "WARNING: failed to save cookies in %s: %s",
- data->set.str[STRING_COOKIEJAR], curl_easy_strerror(res));
- }
- else {
- Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
- }
- if(cleanup && (!data->share || (data->cookies != data->share->cookies))) {
- Curl_cookie_cleanup(data->cookies);
- data->cookies = NULL;
- }
- Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
- }
- #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_COOKIES */
|