12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772 |
- /***************************************************************************
- * _ _ ____ _
- * Project ___| | | | _ \| |
- * / __| | | | |_) | |
- * | (__| |_| | _ <| |___
- * \___|\___/|_| \_\_____|
- *
- * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
- *
- * This software is licensed as described in the file COPYING, which
- * you should have received as part of this distribution. The terms
- * are also available at https://curl.se/docs/copyright.html.
- *
- * You may opt to use, copy, modify, merge, publish, distribute and/or sell
- * copies of the Software, and permit persons to whom the Software is
- * furnished to do so, under the terms of the COPYING file.
- *
- * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
- * KIND, either express or implied.
- *
- * SPDX-License-Identifier: curl
- *
- ***************************************************************************/
- /***
- RECEIVING COOKIE INFORMATION
- ============================
- struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
- const char *file, struct CookieInfo *inc, bool newsession);
- Inits a cookie struct to store data in a local file. This is always
- called before any cookies are set.
- struct Cookie *Curl_cookie_add(struct Curl_easy *data,
- struct CookieInfo *c, bool httpheader, bool noexpire,
- char *lineptr, const char *domain, const char *path,
- bool secure);
- The 'lineptr' parameter is a full "Set-cookie:" line as
- received from a server.
- The function need to replace previously stored lines that this new
- line supersedes.
- It may remove lines that are expired.
- It should return an indication of success/error.
- SENDING COOKIE INFORMATION
- ==========================
- struct Cookies *Curl_cookie_getlist(struct CookieInfo *cookie,
- char *host, char *path, bool secure);
- For a given host and path, return a linked list of cookies that
- the client should send to the server if used now. The secure
- boolean informs the cookie if a secure connection is achieved or
- not.
- It shall only return cookies that haven't expired.
- Example set of cookies:
- Set-cookie: PRODUCTINFO=webxpress; domain=.fidelity.com; path=/; secure
- Set-cookie: PERSONALIZE=none;expires=Monday, 13-Jun-1988 03:04:55 GMT;
- domain=.fidelity.com; path=/ftgw; secure
- Set-cookie: FidHist=none;expires=Monday, 13-Jun-1988 03:04:55 GMT;
- domain=.fidelity.com; path=/; secure
- Set-cookie: FidOrder=none;expires=Monday, 13-Jun-1988 03:04:55 GMT;
- domain=.fidelity.com; path=/; secure
- Set-cookie: DisPend=none;expires=Monday, 13-Jun-1988 03:04:55 GMT;
- domain=.fidelity.com; path=/; secure
- Set-cookie: FidDis=none;expires=Monday, 13-Jun-1988 03:04:55 GMT;
- domain=.fidelity.com; path=/; secure
- Set-cookie:
- Session_Key@6791a9e0-901a-11d0-a1c8-9b012c88aa77=none;expires=Monday,
- 13-Jun-1988 03:04:55 GMT; domain=.fidelity.com; path=/; secure
- ****/
- #include "curl_setup.h"
- #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_COOKIES)
- #include "urldata.h"
- #include "cookie.h"
- #include "psl.h"
- #include "strtok.h"
- #include "sendf.h"
- #include "slist.h"
- #include "share.h"
- #include "strtoofft.h"
- #include "strcase.h"
- #include "curl_get_line.h"
- #include "curl_memrchr.h"
- #include "parsedate.h"
- #include "rename.h"
- #include "fopen.h"
- #include "strdup.h"
- /* The last 3 #include files should be in this order */
- #include "curl_printf.h"
- #include "curl_memory.h"
- #include "memdebug.h"
- static void strstore(char **str, const char *newstr, size_t len);
- static void freecookie(struct Cookie *co)
- {
- free(co->domain);
- free(co->path);
- free(co->spath);
- free(co->name);
- free(co->value);
- free(co);
- }
- static bool cookie_tailmatch(const char *cookie_domain,
- size_t cookie_domain_len,
- const char *hostname)
- {
- size_t hostname_len = strlen(hostname);
- if(hostname_len < cookie_domain_len)
- return FALSE;
- if(!strncasecompare(cookie_domain,
- hostname + hostname_len-cookie_domain_len,
- cookie_domain_len))
- return FALSE;
- /*
- * A lead char of cookie_domain is not '.'.
- * RFC6265 4.1.2.3. The Domain Attribute says:
- * For example, if the value of the Domain attribute is
- * "example.com", the user agent will include the cookie in the Cookie
- * header when making HTTP requests to example.com, www.example.com, and
- * www.corp.example.com.
- */
- if(hostname_len == cookie_domain_len)
- return TRUE;
- if('.' == *(hostname + hostname_len - cookie_domain_len - 1))
- return TRUE;
- return FALSE;
- }
- /*
- * matching cookie path and url path
- * RFC6265 5.1.4 Paths and Path-Match
- */
- static bool pathmatch(const char *cookie_path, const char *request_uri)
- {
- size_t cookie_path_len;
- size_t uri_path_len;
- char *uri_path = NULL;
- char *pos;
- bool ret = FALSE;
- /* cookie_path must not have last '/' separator. ex: /sample */
- cookie_path_len = strlen(cookie_path);
- if(1 == cookie_path_len) {
- /* cookie_path must be '/' */
- return TRUE;
- }
- uri_path = strdup(request_uri);
- if(!uri_path)
- return FALSE;
- pos = strchr(uri_path, '?');
- if(pos)
- *pos = 0x0;
- /* #-fragments are already cut off! */
- if(0 == strlen(uri_path) || uri_path[0] != '/') {
- strstore(&uri_path, "/", 1);
- if(!uri_path)
- return FALSE;
- }
- /*
- * here, RFC6265 5.1.4 says
- * 4. Output the characters of the uri-path from the first character up
- * to, but not including, the right-most %x2F ("/").
- * but URL path /hoge?fuga=xxx means /hoge/index.cgi?fuga=xxx in some site
- * without redirect.
- * Ignore this algorithm because /hoge is uri path for this case
- * (uri path is not /).
- */
- uri_path_len = strlen(uri_path);
- if(uri_path_len < cookie_path_len) {
- ret = FALSE;
- goto pathmatched;
- }
- /* not using checkprefix() because matching should be case-sensitive */
- if(strncmp(cookie_path, uri_path, cookie_path_len)) {
- ret = FALSE;
- goto pathmatched;
- }
- /* The cookie-path and the uri-path are identical. */
- if(cookie_path_len == uri_path_len) {
- ret = TRUE;
- goto pathmatched;
- }
- /* here, cookie_path_len < uri_path_len */
- if(uri_path[cookie_path_len] == '/') {
- ret = TRUE;
- goto pathmatched;
- }
- ret = FALSE;
- pathmatched:
- free(uri_path);
- return ret;
- }
- /*
- * Return the top-level domain, for optimal hashing.
- */
- static const char *get_top_domain(const char * const domain, size_t *outlen)
- {
- size_t len = 0;
- const char *first = NULL, *last;
- if(domain) {
- len = strlen(domain);
- last = memrchr(domain, '.', len);
- if(last) {
- first = memrchr(domain, '.', (last - domain));
- if(first)
- len -= (++first - domain);
- }
- }
- if(outlen)
- *outlen = len;
- return first? first: domain;
- }
- /* Avoid C1001, an "internal error" with MSVC14 */
- #if defined(_MSC_VER) && (_MSC_VER == 1900)
- #pragma optimize("", off)
- #endif
- /*
- * A case-insensitive hash for the cookie domains.
- */
- static size_t cookie_hash_domain(const char *domain, const size_t len)
- {
- const char *end = domain + len;
- size_t h = 5381;
- while(domain < end) {
- size_t j = (size_t)Curl_raw_toupper(*domain++);
- h += h << 5;
- h ^= j;
- }
- return (h % COOKIE_HASH_SIZE);
- }
- #if defined(_MSC_VER) && (_MSC_VER == 1900)
- #pragma optimize("", on)
- #endif
- /*
- * Hash this domain.
- */
- static size_t cookiehash(const char * const domain)
- {
- const char *top;
- size_t len;
- if(!domain || Curl_host_is_ipnum(domain))
- return 0;
- top = get_top_domain(domain, &len);
- return cookie_hash_domain(top, len);
- }
- /*
- * cookie path sanitize
- */
- static char *sanitize_cookie_path(const char *cookie_path)
- {
- size_t len;
- char *new_path = strdup(cookie_path);
- if(!new_path)
- return NULL;
- /* some stupid site sends path attribute with '"'. */
- len = strlen(new_path);
- if(new_path[0] == '\"') {
- memmove(new_path, new_path + 1, len);
- len--;
- }
- if(len && (new_path[len - 1] == '\"')) {
- new_path[--len] = 0x0;
- }
- /* RFC6265 5.2.4 The Path Attribute */
- if(new_path[0] != '/') {
- /* Let cookie-path be the default-path. */
- strstore(&new_path, "/", 1);
- return new_path;
- }
- /* convert /hoge/ to /hoge */
- if(len && new_path[len - 1] == '/') {
- new_path[len - 1] = 0x0;
- }
- return new_path;
- }
- /*
- * Load cookies from all given cookie files (CURLOPT_COOKIEFILE).
- *
- * NOTE: OOM or cookie parsing failures are ignored.
- */
- void Curl_cookie_loadfiles(struct Curl_easy *data)
- {
- struct curl_slist *list = data->state.cookielist;
- if(list) {
- Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
- while(list) {
- struct CookieInfo *newcookies =
- Curl_cookie_init(data, list->data, data->cookies,
- data->set.cookiesession);
- if(!newcookies)
- /*
- * Failure may be due to OOM or a bad cookie; both are ignored
- * but only the first should be
- */
- infof(data, "ignoring failed cookie_init for %s", list->data);
- else
- data->cookies = newcookies;
- list = list->next;
- }
- Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
- }
- }
- /*
- * strstore
- *
- * A thin wrapper around strdup which ensures that any memory allocated at
- * *str will be freed before the string allocated by strdup is stored there.
- * The intended usecase is repeated assignments to the same variable during
- * parsing in a last-wins scenario. The caller is responsible for checking
- * for OOM errors.
- */
- static void strstore(char **str, const char *newstr, size_t len)
- {
- DEBUGASSERT(newstr);
- DEBUGASSERT(str);
- free(*str);
- *str = Curl_memdup0(newstr, len);
- }
- /*
- * remove_expired
- *
- * Remove expired cookies from the hash by inspecting the expires timestamp on
- * each cookie in the hash, freeing and deleting any where the timestamp is in
- * the past. If the cookiejar has recorded the next timestamp at which one or
- * more cookies expire, then processing will exit early in case this timestamp
- * is in the future.
- */
- static void remove_expired(struct CookieInfo *cookies)
- {
- struct Cookie *co, *nx;
- curl_off_t now = (curl_off_t)time(NULL);
- unsigned int i;
- /*
- * If the earliest expiration timestamp in the jar is in the future we can
- * skip scanning the whole jar and instead exit early as there won't be any
- * cookies to evict. If we need to evict however, reset the next_expiration
- * counter in order to track the next one. In case the recorded first
- * expiration is the max offset, then perform the safe fallback of checking
- * all cookies.
- */
- if(now < cookies->next_expiration &&
- cookies->next_expiration != CURL_OFF_T_MAX)
- return;
- else
- cookies->next_expiration = CURL_OFF_T_MAX;
- for(i = 0; i < COOKIE_HASH_SIZE; i++) {
- struct Cookie *pv = NULL;
- co = cookies->cookies[i];
- while(co) {
- nx = co->next;
- if(co->expires && co->expires < now) {
- if(!pv) {
- cookies->cookies[i] = co->next;
- }
- else {
- pv->next = co->next;
- }
- cookies->numcookies--;
- freecookie(co);
- }
- else {
- /*
- * If this cookie has an expiration timestamp earlier than what we've
- * seen so far then record it for the next round of expirations.
- */
- if(co->expires && co->expires < cookies->next_expiration)
- cookies->next_expiration = co->expires;
- pv = co;
- }
- co = nx;
- }
- }
- }
- #ifndef USE_LIBPSL
- /* Make sure domain contains a dot or is localhost. */
- static bool bad_domain(const char *domain, size_t len)
- {
- if((len == 9) && strncasecompare(domain, "localhost", 9))
- return FALSE;
- else {
- /* there must be a dot present, but that dot must not be a trailing dot */
- char *dot = memchr(domain, '.', len);
- if(dot) {
- size_t i = dot - domain;
- if((len - i) > 1)
- /* the dot is not the last byte */
- return FALSE;
- }
- }
- return TRUE;
- }
- #endif
- /*
- RFC 6265 section 4.1.1 says a server should accept this range:
- cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
- But Firefox and Chrome as of June 2022 accept space, comma and double-quotes
- fine. The prime reason for filtering out control bytes is that some HTTP
- servers return 400 for requests that contain such.
- */
- static int invalid_octets(const char *p)
- {
- /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */
- static const char badoctets[] = {
- "\x01\x02\x03\x04\x05\x06\x07\x08\x0a"
- "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
- "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f"
- };
- size_t len;
- /* scan for all the octets that are *not* in cookie-octet */
- len = strcspn(p, badoctets);
- return (p[len] != '\0');
- }
- /*
- * Curl_cookie_add
- *
- * Add a single cookie line to the cookie keeping object. Be aware that
- * sometimes we get an IP-only host name, and that might also be a numerical
- * IPv6 address.
- *
- * Returns NULL on out of memory or invalid cookie. This is suboptimal,
- * as they should be treated separately.
- */
- struct Cookie *
- Curl_cookie_add(struct Curl_easy *data,
- struct CookieInfo *c,
- bool httpheader, /* TRUE if HTTP header-style line */
- bool noexpire, /* if TRUE, skip remove_expired() */
- const char *lineptr, /* first character of the line */
- const char *domain, /* default domain */
- const char *path, /* full path used when this cookie is set,
- used to get default path for the cookie
- unless set */
- bool secure) /* TRUE if connection is over secure origin */
- {
- struct Cookie *clist;
- struct Cookie *co;
- struct Cookie *lastc = NULL;
- struct Cookie *replace_co = NULL;
- struct Cookie *replace_clist = NULL;
- time_t now = time(NULL);
- bool replace_old = FALSE;
- bool badcookie = FALSE; /* cookies are good by default. mmmmm yummy */
- size_t myhash;
- DEBUGASSERT(data);
- DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */
- if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT)
- return NULL;
- /* First, alloc and init a new struct for it */
- co = calloc(1, sizeof(struct Cookie));
- if(!co)
- return NULL; /* bail out if we're this low on memory */
- if(httpheader) {
- /* This line was read off an HTTP-header */
- const char *ptr;
- size_t linelength = strlen(lineptr);
- if(linelength > MAX_COOKIE_LINE) {
- /* discard overly long lines at once */
- free(co);
- return NULL;
- }
- ptr = lineptr;
- do {
- size_t vlen;
- size_t nlen;
- while(*ptr && ISBLANK(*ptr))
- ptr++;
- /* we have a <name>=<value> pair or a stand-alone word here */
- nlen = strcspn(ptr, ";\t\r\n=");
- if(nlen) {
- bool done = FALSE;
- bool sep = FALSE;
- const char *namep = ptr;
- const char *valuep;
- ptr += nlen;
- /* trim trailing spaces and tabs after name */
- while(nlen && ISBLANK(namep[nlen - 1]))
- nlen--;
- if(*ptr == '=') {
- vlen = strcspn(++ptr, ";\r\n");
- valuep = ptr;
- sep = TRUE;
- ptr = &valuep[vlen];
- /* Strip off trailing whitespace from the value */
- while(vlen && ISBLANK(valuep[vlen-1]))
- vlen--;
- /* Skip leading whitespace from the value */
- while(vlen && ISBLANK(*valuep)) {
- valuep++;
- vlen--;
- }
- /* Reject cookies with a TAB inside the value */
- if(memchr(valuep, '\t', vlen)) {
- freecookie(co);
- infof(data, "cookie contains TAB, dropping");
- return NULL;
- }
- }
- else {
- valuep = NULL;
- vlen = 0;
- }
- /*
- * Check for too long individual name or contents, or too long
- * combination of name + contents. Chrome and Firefox support 4095 or
- * 4096 bytes combo
- */
- if(nlen >= (MAX_NAME-1) || vlen >= (MAX_NAME-1) ||
- ((nlen + vlen) > MAX_NAME)) {
- freecookie(co);
- infof(data, "oversized cookie dropped, name/val %zu + %zu bytes",
- nlen, vlen);
- return NULL;
- }
- /*
- * Check if we have a reserved prefix set before anything else, as we
- * otherwise have to test for the prefix in both the cookie name and
- * "the rest". Prefixes must start with '__' and end with a '-', so
- * only test for names where that can possibly be true.
- */
- if(nlen >= 7 && namep[0] == '_' && namep[1] == '_') {
- if(strncasecompare("__Secure-", namep, 9))
- co->prefix |= COOKIE_PREFIX__SECURE;
- else if(strncasecompare("__Host-", namep, 7))
- co->prefix |= COOKIE_PREFIX__HOST;
- }
- /*
- * Use strstore() below to properly deal with received cookie
- * headers that have the same string property set more than once,
- * and then we use the last one.
- */
- if(!co->name) {
- /* The very first name/value pair is the actual cookie name */
- if(!sep) {
- /* Bad name/value pair. */
- badcookie = TRUE;
- break;
- }
- strstore(&co->name, namep, nlen);
- strstore(&co->value, valuep, vlen);
- done = TRUE;
- if(!co->name || !co->value) {
- badcookie = TRUE;
- break;
- }
- if(invalid_octets(co->value) || invalid_octets(co->name)) {
- infof(data, "invalid octets in name/value, cookie dropped");
- badcookie = TRUE;
- break;
- }
- }
- else if(!vlen) {
- /*
- * this was a "<name>=" with no content, and we must allow
- * 'secure' and 'httponly' specified this weirdly
- */
- done = TRUE;
- /*
- * secure cookies are only allowed to be set when the connection is
- * using a secure protocol, or when the cookie is being set by
- * reading from file
- */
- if((nlen == 6) && strncasecompare("secure", namep, 6)) {
- if(secure || !c->running) {
- co->secure = TRUE;
- }
- else {
- badcookie = TRUE;
- break;
- }
- }
- else if((nlen == 8) && strncasecompare("httponly", namep, 8))
- co->httponly = TRUE;
- else if(sep)
- /* there was a '=' so we're not done parsing this field */
- done = FALSE;
- }
- if(done)
- ;
- else if((nlen == 4) && strncasecompare("path", namep, 4)) {
- strstore(&co->path, valuep, vlen);
- if(!co->path) {
- badcookie = TRUE; /* out of memory bad */
- break;
- }
- free(co->spath); /* if this is set again */
- co->spath = sanitize_cookie_path(co->path);
- if(!co->spath) {
- badcookie = TRUE; /* out of memory bad */
- break;
- }
- }
- else if((nlen == 6) &&
- strncasecompare("domain", namep, 6) && vlen) {
- bool is_ip;
- /*
- * Now, we make sure that our host is within the given domain, or
- * the given domain is not valid and thus cannot be set.
- */
- if('.' == valuep[0]) {
- valuep++; /* ignore preceding dot */
- vlen--;
- }
- #ifndef USE_LIBPSL
- /*
- * Without PSL we don't know when the incoming cookie is set on a
- * TLD or otherwise "protected" suffix. To reduce risk, we require a
- * dot OR the exact host name being "localhost".
- */
- if(bad_domain(valuep, vlen))
- domain = ":";
- #endif
- is_ip = Curl_host_is_ipnum(domain ? domain : valuep);
- if(!domain
- || (is_ip && !strncmp(valuep, domain, vlen) &&
- (vlen == strlen(domain)))
- || (!is_ip && cookie_tailmatch(valuep, vlen, domain))) {
- strstore(&co->domain, valuep, vlen);
- if(!co->domain) {
- badcookie = TRUE;
- break;
- }
- if(!is_ip)
- co->tailmatch = TRUE; /* we always do that if the domain name was
- given */
- }
- else {
- /*
- * We did not get a tailmatch and then the attempted set domain is
- * not a domain to which the current host belongs. Mark as bad.
- */
- badcookie = TRUE;
- infof(data, "skipped cookie with bad tailmatch domain: %s",
- valuep);
- }
- }
- else if((nlen == 7) && strncasecompare("version", namep, 7)) {
- /* just ignore */
- }
- else if((nlen == 7) && strncasecompare("max-age", namep, 7)) {
- /*
- * Defined in RFC2109:
- *
- * Optional. The Max-Age attribute defines the lifetime of the
- * cookie, in seconds. The delta-seconds value is a decimal non-
- * negative integer. After delta-seconds seconds elapse, the
- * client should discard the cookie. A value of zero means the
- * cookie should be discarded immediately.
- */
- CURLofft offt;
- const char *maxage = valuep;
- offt = curlx_strtoofft((*maxage == '\"')?
- &maxage[1]:&maxage[0], NULL, 10,
- &co->expires);
- switch(offt) {
- case CURL_OFFT_FLOW:
- /* overflow, used max value */
- co->expires = CURL_OFF_T_MAX;
- break;
- case CURL_OFFT_INVAL:
- /* negative or otherwise bad, expire */
- co->expires = 1;
- break;
- case CURL_OFFT_OK:
- if(!co->expires)
- /* already expired */
- co->expires = 1;
- else if(CURL_OFF_T_MAX - now < co->expires)
- /* would overflow */
- co->expires = CURL_OFF_T_MAX;
- else
- co->expires += now;
- break;
- }
- }
- else if((nlen == 7) && strncasecompare("expires", namep, 7)) {
- char date[128];
- if(!co->expires && (vlen < sizeof(date))) {
- /* copy the date so that it can be null terminated */
- memcpy(date, valuep, vlen);
- date[vlen] = 0;
- /*
- * Let max-age have priority.
- *
- * If the date cannot get parsed for whatever reason, the cookie
- * will be treated as a session cookie
- */
- co->expires = Curl_getdate_capped(date);
- /*
- * Session cookies have expires set to 0 so if we get that back
- * from the date parser let's add a second to make it a
- * non-session cookie
- */
- if(co->expires == 0)
- co->expires = 1;
- else if(co->expires < 0)
- co->expires = 0;
- }
- }
- /*
- * Else, this is the second (or more) name we don't know about!
- */
- }
- else {
- /* this is an "illegal" <what>=<this> pair */
- }
- while(*ptr && ISBLANK(*ptr))
- ptr++;
- if(*ptr == ';')
- ptr++;
- else
- break;
- } while(1);
- if(!badcookie && !co->domain) {
- if(domain) {
- /* no domain was given in the header line, set the default */
- co->domain = strdup(domain);
- if(!co->domain)
- badcookie = TRUE;
- }
- }
- if(!badcookie && !co->path && path) {
- /*
- * No path was given in the header line, set the default. Note that the
- * passed-in path to this function MAY have a '?' and following part that
- * MUST NOT be stored as part of the path.
- */
- char *queryp = strchr(path, '?');
- /*
- * queryp is where the interesting part of the path ends, so now we
- * want to the find the last
- */
- char *endslash;
- if(!queryp)
- endslash = strrchr(path, '/');
- else
- endslash = memrchr(path, '/', (queryp - path));
- if(endslash) {
- size_t pathlen = (endslash-path + 1); /* include end slash */
- co->path = Curl_memdup0(path, pathlen);
- if(co->path) {
- co->spath = sanitize_cookie_path(co->path);
- if(!co->spath)
- badcookie = TRUE; /* out of memory bad */
- }
- else
- badcookie = TRUE;
- }
- }
- /*
- * If we didn't get a cookie name, or a bad one, the this is an illegal
- * line so bail out.
- */
- if(badcookie || !co->name) {
- freecookie(co);
- return NULL;
- }
- data->req.setcookies++;
- }
- else {
- /*
- * This line is NOT an HTTP header style line, we do offer support for
- * reading the odd netscape cookies-file format here
- */
- char *ptr;
- char *firstptr;
- char *tok_buf = NULL;
- int fields;
- /*
- * IE introduced HTTP-only cookies to prevent XSS attacks. Cookies marked
- * with httpOnly after the domain name are not accessible from javascripts,
- * but since curl does not operate at javascript level, we include them
- * anyway. In Firefox's cookie files, these lines are preceded with
- * #HttpOnly_ and then everything is as usual, so we skip 10 characters of
- * the line..
- */
- if(strncmp(lineptr, "#HttpOnly_", 10) == 0) {
- lineptr += 10;
- co->httponly = TRUE;
- }
- if(lineptr[0]=='#') {
- /* don't even try the comments */
- free(co);
- return NULL;
- }
- /* strip off the possible end-of-line characters */
- ptr = strchr(lineptr, '\r');
- if(ptr)
- *ptr = 0; /* clear it */
- ptr = strchr(lineptr, '\n');
- if(ptr)
- *ptr = 0; /* clear it */
- firstptr = strtok_r((char *)lineptr, "\t", &tok_buf); /* tokenize on TAB */
- /*
- * Now loop through the fields and init the struct we already have
- * allocated
- */
- fields = 0;
- for(ptr = firstptr; ptr && !badcookie;
- ptr = strtok_r(NULL, "\t", &tok_buf), fields++) {
- switch(fields) {
- case 0:
- if(ptr[0]=='.') /* skip preceding dots */
- ptr++;
- co->domain = strdup(ptr);
- if(!co->domain)
- badcookie = TRUE;
- break;
- case 1:
- /*
- * flag: A TRUE/FALSE value indicating if all machines within a given
- * domain can access the variable. Set TRUE when the cookie says
- * .domain.com and to false when the domain is complete www.domain.com
- */
- co->tailmatch = strcasecompare(ptr, "TRUE")?TRUE:FALSE;
- break;
- case 2:
- /* The file format allows the path field to remain not filled in */
- if(strcmp("TRUE", ptr) && strcmp("FALSE", ptr)) {
- /* only if the path doesn't look like a boolean option! */
- co->path = strdup(ptr);
- if(!co->path)
- badcookie = TRUE;
- else {
- co->spath = sanitize_cookie_path(co->path);
- if(!co->spath) {
- badcookie = TRUE; /* out of memory bad */
- }
- }
- break;
- }
- /* this doesn't look like a path, make one up! */
- co->path = strdup("/");
- if(!co->path)
- badcookie = TRUE;
- co->spath = strdup("/");
- if(!co->spath)
- badcookie = TRUE;
- fields++; /* add a field and fall down to secure */
- FALLTHROUGH();
- case 3:
- co->secure = FALSE;
- if(strcasecompare(ptr, "TRUE")) {
- if(secure || c->running)
- co->secure = TRUE;
- else
- badcookie = TRUE;
- }
- break;
- case 4:
- if(curlx_strtoofft(ptr, NULL, 10, &co->expires))
- badcookie = TRUE;
- break;
- case 5:
- co->name = strdup(ptr);
- if(!co->name)
- badcookie = TRUE;
- else {
- /* For Netscape file format cookies we check prefix on the name */
- if(strncasecompare("__Secure-", co->name, 9))
- co->prefix |= COOKIE_PREFIX__SECURE;
- else if(strncasecompare("__Host-", co->name, 7))
- co->prefix |= COOKIE_PREFIX__HOST;
- }
- break;
- case 6:
- co->value = strdup(ptr);
- if(!co->value)
- badcookie = TRUE;
- break;
- }
- }
- if(6 == fields) {
- /* we got a cookie with blank contents, fix it */
- co->value = strdup("");
- if(!co->value)
- badcookie = TRUE;
- else
- fields++;
- }
- if(!badcookie && (7 != fields))
- /* we did not find the sufficient number of fields */
- badcookie = TRUE;
- if(badcookie) {
- freecookie(co);
- return NULL;
- }
- }
- if(co->prefix & COOKIE_PREFIX__SECURE) {
- /* The __Secure- prefix only requires that the cookie be set secure */
- if(!co->secure) {
- freecookie(co);
- return NULL;
- }
- }
- if(co->prefix & COOKIE_PREFIX__HOST) {
- /*
- * The __Host- prefix requires the cookie to be secure, have a "/" path
- * and not have a domain set.
- */
- if(co->secure && co->path && strcmp(co->path, "/") == 0 && !co->tailmatch)
- ;
- else {
- freecookie(co);
- return NULL;
- }
- }
- if(!c->running && /* read from a file */
- c->newsession && /* clean session cookies */
- !co->expires) { /* this is a session cookie since it doesn't expire! */
- freecookie(co);
- return NULL;
- }
- co->livecookie = c->running;
- co->creationtime = ++c->lastct;
- /*
- * Now we have parsed the incoming line, we must now check if this supersedes
- * an already existing cookie, which it may if the previous have the same
- * domain and path as this.
- */
- /* at first, remove expired cookies */
- if(!noexpire)
- remove_expired(c);
- #ifdef USE_LIBPSL
- /*
- * Check if the domain is a Public Suffix and if yes, ignore the cookie. We
- * must also check that the data handle isn't NULL since the psl code will
- * dereference it.
- */
- if(data && (domain && co->domain && !Curl_host_is_ipnum(co->domain))) {
- bool acceptable = FALSE;
- char lcase[256];
- char lcookie[256];
- size_t dlen = strlen(domain);
- size_t clen = strlen(co->domain);
- if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
- const psl_ctx_t *psl = Curl_psl_use(data);
- if(psl) {
- /* the PSL check requires lowercase domain name and pattern */
- Curl_strntolower(lcase, domain, dlen + 1);
- Curl_strntolower(lcookie, co->domain, clen + 1);
- acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
- Curl_psl_release(data);
- }
- else
- infof(data, "libpsl problem, rejecting cookie for satety");
- }
- if(!acceptable) {
- infof(data, "cookie '%s' dropped, domain '%s' must not "
- "set cookies for '%s'", co->name, domain, co->domain);
- freecookie(co);
- return NULL;
- }
- }
- #endif
- /* A non-secure cookie may not overlay an existing secure cookie. */
- myhash = cookiehash(co->domain);
- clist = c->cookies[myhash];
- while(clist) {
- if(strcasecompare(clist->name, co->name)) {
- /* the names are identical */
- bool matching_domains = FALSE;
- if(clist->domain && co->domain) {
- if(strcasecompare(clist->domain, co->domain))
- /* The domains are identical */
- matching_domains = TRUE;
- }
- else if(!clist->domain && !co->domain)
- matching_domains = TRUE;
- if(matching_domains && /* the domains were identical */
- clist->spath && co->spath && /* both have paths */
- clist->secure && !co->secure && !secure) {
- size_t cllen;
- const char *sep;
- /*
- * A non-secure cookie may not overlay an existing secure cookie.
- * For an existing cookie "a" with path "/login", refuse a new
- * cookie "a" with for example path "/login/en", while the path
- * "/loginhelper" is ok.
- */
- sep = strchr(clist->spath + 1, '/');
- if(sep)
- cllen = sep - clist->spath;
- else
- cllen = strlen(clist->spath);
- if(strncasecompare(clist->spath, co->spath, cllen)) {
- infof(data, "cookie '%s' for domain '%s' dropped, would "
- "overlay an existing cookie", co->name, co->domain);
- freecookie(co);
- return NULL;
- }
- }
- }
- if(!replace_co && strcasecompare(clist->name, co->name)) {
- /* the names are identical */
- if(clist->domain && co->domain) {
- if(strcasecompare(clist->domain, co->domain) &&
- (clist->tailmatch == co->tailmatch))
- /* The domains are identical */
- replace_old = TRUE;
- }
- else if(!clist->domain && !co->domain)
- replace_old = TRUE;
- if(replace_old) {
- /* the domains were identical */
- if(clist->spath && co->spath &&
- !strcasecompare(clist->spath, co->spath))
- replace_old = FALSE;
- else if(!clist->spath != !co->spath)
- replace_old = FALSE;
- }
- if(replace_old && !co->livecookie && clist->livecookie) {
- /*
- * Both cookies matched fine, except that the already present cookie is
- * "live", which means it was set from a header, while the new one was
- * read from a file and thus isn't "live". "live" cookies are preferred
- * so the new cookie is freed.
- */
- freecookie(co);
- return NULL;
- }
- if(replace_old) {
- replace_co = co;
- replace_clist = clist;
- }
- }
- lastc = clist;
- clist = clist->next;
- }
- if(replace_co) {
- co = replace_co;
- clist = replace_clist;
- co->next = clist->next; /* get the next-pointer first */
- /* when replacing, creationtime is kept from old */
- co->creationtime = clist->creationtime;
- /* then free all the old pointers */
- free(clist->name);
- free(clist->value);
- free(clist->domain);
- free(clist->path);
- free(clist->spath);
- *clist = *co; /* then store all the new data */
- free(co); /* free the newly allocated memory */
- co = clist;
- }
- if(c->running)
- /* Only show this when NOT reading the cookies from a file */
- infof(data, "%s cookie %s=\"%s\" for domain %s, path %s, "
- "expire %" CURL_FORMAT_CURL_OFF_T,
- replace_old?"Replaced":"Added", co->name, co->value,
- co->domain, co->path, co->expires);
- if(!replace_old) {
- /* then make the last item point on this new one */
- if(lastc)
- lastc->next = co;
- else
- c->cookies[myhash] = co;
- c->numcookies++; /* one more cookie in the jar */
- }
- /*
- * Now that we've added a new cookie to the jar, update the expiration
- * tracker in case it is the next one to expire.
- */
- if(co->expires && (co->expires < c->next_expiration))
- c->next_expiration = co->expires;
- return co;
- }
- /*
- * Curl_cookie_init()
- *
- * Inits a cookie struct to read data from a local file. This is always
- * called before any cookies are set. File may be NULL in which case only the
- * struct is initialized. Is file is "-" then STDIN is read.
- *
- * If 'newsession' is TRUE, discard all "session cookies" on read from file.
- *
- * Note that 'data' might be called as NULL pointer. If data is NULL, 'file'
- * will be ignored.
- *
- * Returns NULL on out of memory. Invalid cookies are ignored.
- */
- struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
- const char *file,
- struct CookieInfo *inc,
- bool newsession)
- {
- struct CookieInfo *c;
- FILE *handle = NULL;
- if(!inc) {
- /* we didn't get a struct, create one */
- c = calloc(1, sizeof(struct CookieInfo));
- if(!c)
- return NULL; /* failed to get memory */
- /*
- * Initialize the next_expiration time to signal that we don't have enough
- * information yet.
- */
- c->next_expiration = CURL_OFF_T_MAX;
- }
- else {
- /* we got an already existing one, use that */
- c = inc;
- }
- c->newsession = newsession; /* new session? */
- if(data) {
- FILE *fp = NULL;
- if(file && *file) {
- if(!strcmp(file, "-"))
- fp = stdin;
- else {
- fp = fopen(file, "rb");
- if(!fp)
- infof(data, "WARNING: failed to open cookie file \"%s\"", file);
- else
- handle = fp;
- }
- }
- c->running = FALSE; /* this is not running, this is init */
- if(fp) {
- struct dynbuf buf;
- Curl_dyn_init(&buf, MAX_COOKIE_LINE);
- while(Curl_get_line(&buf, fp)) {
- char *lineptr = Curl_dyn_ptr(&buf);
- bool headerline = FALSE;
- if(checkprefix("Set-Cookie:", lineptr)) {
- /* This is a cookie line, get it! */
- lineptr += 11;
- headerline = TRUE;
- while(*lineptr && ISBLANK(*lineptr))
- lineptr++;
- }
- Curl_cookie_add(data, c, headerline, TRUE, lineptr, NULL, NULL, TRUE);
- }
- Curl_dyn_free(&buf); /* free the line buffer */
- /*
- * Remove expired cookies from the hash. We must make sure to run this
- * after reading the file, and not on every cookie.
- */
- remove_expired(c);
- if(handle)
- fclose(handle);
- }
- data->state.cookie_engine = TRUE;
- }
- c->running = TRUE; /* now, we're running */
- return c;
- }
- /*
- * cookie_sort
- *
- * Helper function to sort cookies such that the longest path gets before the
- * shorter path. Path, domain and name lengths are considered in that order,
- * with the creationtime as the tiebreaker. The creationtime is guaranteed to
- * be unique per cookie, so we know we will get an ordering at that point.
- */
- static int cookie_sort(const void *p1, const void *p2)
- {
- struct Cookie *c1 = *(struct Cookie **)p1;
- struct Cookie *c2 = *(struct Cookie **)p2;
- size_t l1, l2;
- /* 1 - compare cookie path lengths */
- l1 = c1->path ? strlen(c1->path) : 0;
- l2 = c2->path ? strlen(c2->path) : 0;
- if(l1 != l2)
- return (l2 > l1) ? 1 : -1 ; /* avoid size_t <=> int conversions */
- /* 2 - compare cookie domain lengths */
- l1 = c1->domain ? strlen(c1->domain) : 0;
- l2 = c2->domain ? strlen(c2->domain) : 0;
- if(l1 != l2)
- return (l2 > l1) ? 1 : -1 ; /* avoid size_t <=> int conversions */
- /* 3 - compare cookie name lengths */
- l1 = c1->name ? strlen(c1->name) : 0;
- l2 = c2->name ? strlen(c2->name) : 0;
- if(l1 != l2)
- return (l2 > l1) ? 1 : -1;
- /* 4 - compare cookie creation time */
- return (c2->creationtime > c1->creationtime) ? 1 : -1;
- }
- /*
- * cookie_sort_ct
- *
- * Helper function to sort cookies according to creation time.
- */
- static int cookie_sort_ct(const void *p1, const void *p2)
- {
- struct Cookie *c1 = *(struct Cookie **)p1;
- struct Cookie *c2 = *(struct Cookie **)p2;
- return (c2->creationtime > c1->creationtime) ? 1 : -1;
- }
- #define CLONE(field) \
- do { \
- if(src->field) { \
- d->field = strdup(src->field); \
- if(!d->field) \
- goto fail; \
- } \
- } while(0)
- static struct Cookie *dup_cookie(struct Cookie *src)
- {
- struct Cookie *d = calloc(1, sizeof(struct Cookie));
- if(d) {
- CLONE(domain);
- CLONE(path);
- CLONE(spath);
- CLONE(name);
- CLONE(value);
- d->expires = src->expires;
- d->tailmatch = src->tailmatch;
- d->secure = src->secure;
- d->livecookie = src->livecookie;
- d->httponly = src->httponly;
- d->creationtime = src->creationtime;
- }
- return d;
- fail:
- freecookie(d);
- return NULL;
- }
- /*
- * Curl_cookie_getlist
- *
- * For a given host and path, return a linked list of cookies that the client
- * should send to the server if used now. The secure boolean informs the cookie
- * if a secure connection is achieved or not.
- *
- * It shall only return cookies that haven't expired.
- */
- struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
- struct CookieInfo *c,
- const char *host, const char *path,
- bool secure)
- {
- struct Cookie *newco;
- struct Cookie *co;
- struct Cookie *mainco = NULL;
- size_t matches = 0;
- bool is_ip;
- const size_t myhash = cookiehash(host);
- if(!c || !c->cookies[myhash])
- return NULL; /* no cookie struct or no cookies in the struct */
- /* at first, remove expired cookies */
- remove_expired(c);
- /* check if host is an IP(v4|v6) address */
- is_ip = Curl_host_is_ipnum(host);
- co = c->cookies[myhash];
- while(co) {
- /* if the cookie requires we're secure we must only continue if we are! */
- if(co->secure?secure:TRUE) {
- /* now check if the domain is correct */
- if(!co->domain ||
- (co->tailmatch && !is_ip &&
- cookie_tailmatch(co->domain, strlen(co->domain), host)) ||
- ((!co->tailmatch || is_ip) && strcasecompare(host, co->domain)) ) {
- /*
- * the right part of the host matches the domain stuff in the
- * cookie data
- */
- /*
- * now check the left part of the path with the cookies path
- * requirement
- */
- if(!co->spath || pathmatch(co->spath, path) ) {
- /*
- * and now, we know this is a match and we should create an
- * entry for the return-linked-list
- */
- newco = dup_cookie(co);
- if(newco) {
- /* then modify our next */
- newco->next = mainco;
- /* point the main to us */
- mainco = newco;
- matches++;
- if(matches >= MAX_COOKIE_SEND_AMOUNT) {
- infof(data, "Included max number of cookies (%zu) in request!",
- matches);
- break;
- }
- }
- else
- goto fail;
- }
- }
- }
- co = co->next;
- }
- if(matches) {
- /*
- * Now we need to make sure that if there is a name appearing more than
- * once, the longest specified path version comes first. To make this
- * the swiftest way, we just sort them all based on path length.
- */
- struct Cookie **array;
- size_t i;
- /* alloc an array and store all cookie pointers */
- array = malloc(sizeof(struct Cookie *) * matches);
- if(!array)
- goto fail;
- co = mainco;
- for(i = 0; co; co = co->next)
- array[i++] = co;
- /* now sort the cookie pointers in path length order */
- qsort(array, matches, sizeof(struct Cookie *), cookie_sort);
- /* remake the linked list order according to the new order */
- mainco = array[0]; /* start here */
- for(i = 0; i<matches-1; i++)
- array[i]->next = array[i + 1];
- array[matches-1]->next = NULL; /* terminate the list */
- free(array); /* remove the temporary data again */
- }
- return mainco; /* return the new list */
- fail:
- /* failure, clear up the allocated chain and return NULL */
- Curl_cookie_freelist(mainco);
- return NULL;
- }
- /*
- * Curl_cookie_clearall
- *
- * Clear all existing cookies and reset the counter.
- */
- void Curl_cookie_clearall(struct CookieInfo *cookies)
- {
- if(cookies) {
- unsigned int i;
- for(i = 0; i < COOKIE_HASH_SIZE; i++) {
- Curl_cookie_freelist(cookies->cookies[i]);
- cookies->cookies[i] = NULL;
- }
- cookies->numcookies = 0;
- }
- }
- /*
- * Curl_cookie_freelist
- *
- * Free a list of cookies previously returned by Curl_cookie_getlist();
- */
- void Curl_cookie_freelist(struct Cookie *co)
- {
- struct Cookie *next;
- while(co) {
- next = co->next;
- freecookie(co);
- co = next;
- }
- }
- /*
- * Curl_cookie_clearsess
- *
- * Free all session cookies in the cookies list.
- */
- void Curl_cookie_clearsess(struct CookieInfo *cookies)
- {
- struct Cookie *first, *curr, *next, *prev = NULL;
- unsigned int i;
- if(!cookies)
- return;
- for(i = 0; i < COOKIE_HASH_SIZE; i++) {
- if(!cookies->cookies[i])
- continue;
- first = curr = prev = cookies->cookies[i];
- for(; curr; curr = next) {
- next = curr->next;
- if(!curr->expires) {
- if(first == curr)
- first = next;
- if(prev == curr)
- prev = next;
- else
- prev->next = next;
- freecookie(curr);
- cookies->numcookies--;
- }
- else
- prev = curr;
- }
- cookies->cookies[i] = first;
- }
- }
- /*
- * Curl_cookie_cleanup()
- *
- * Free a "cookie object" previous created with Curl_cookie_init().
- */
- void Curl_cookie_cleanup(struct CookieInfo *c)
- {
- if(c) {
- unsigned int i;
- for(i = 0; i < COOKIE_HASH_SIZE; i++)
- Curl_cookie_freelist(c->cookies[i]);
- free(c); /* free the base struct as well */
- }
- }
- /*
- * get_netscape_format()
- *
- * Formats a string for Netscape output file, w/o a newline at the end.
- * Function returns a char * to a formatted line. The caller is responsible
- * for freeing the returned pointer.
- */
- static char *get_netscape_format(const struct Cookie *co)
- {
- return aprintf(
- "%s" /* httponly preamble */
- "%s%s\t" /* domain */
- "%s\t" /* tailmatch */
- "%s\t" /* path */
- "%s\t" /* secure */
- "%" CURL_FORMAT_CURL_OFF_T "\t" /* expires */
- "%s\t" /* name */
- "%s", /* value */
- co->httponly?"#HttpOnly_":"",
- /*
- * Make sure all domains are prefixed with a dot if they allow
- * tailmatching. This is Mozilla-style.
- */
- (co->tailmatch && co->domain && co->domain[0] != '.')? ".":"",
- co->domain?co->domain:"unknown",
- co->tailmatch?"TRUE":"FALSE",
- co->path?co->path:"/",
- co->secure?"TRUE":"FALSE",
- co->expires,
- co->name,
- co->value?co->value:"");
- }
- /*
- * cookie_output()
- *
- * Writes all internally known cookies to the specified file. Specify
- * "-" as file name to write to stdout.
- *
- * The function returns non-zero on write failure.
- */
- static CURLcode cookie_output(struct Curl_easy *data,
- struct CookieInfo *c, const char *filename)
- {
- struct Cookie *co;
- FILE *out = NULL;
- bool use_stdout = FALSE;
- char *tempstore = NULL;
- CURLcode error = CURLE_OK;
- if(!c)
- /* no cookie engine alive */
- return CURLE_OK;
- /* at first, remove expired cookies */
- remove_expired(c);
- if(!strcmp("-", filename)) {
- /* use stdout */
- out = stdout;
- use_stdout = TRUE;
- }
- else {
- error = Curl_fopen(data, filename, &out, &tempstore);
- if(error)
- goto error;
- }
- fputs("# Netscape HTTP Cookie File\n"
- "# https://curl.se/docs/http-cookies.html\n"
- "# This file was generated by libcurl! Edit at your own risk.\n\n",
- out);
- if(c->numcookies) {
- unsigned int i;
- size_t nvalid = 0;
- struct Cookie **array;
- array = calloc(1, sizeof(struct Cookie *) * c->numcookies);
- if(!array) {
- error = CURLE_OUT_OF_MEMORY;
- goto error;
- }
- /* only sort the cookies with a domain property */
- for(i = 0; i < COOKIE_HASH_SIZE; i++) {
- for(co = c->cookies[i]; co; co = co->next) {
- if(!co->domain)
- continue;
- array[nvalid++] = co;
- }
- }
- qsort(array, nvalid, sizeof(struct Cookie *), cookie_sort_ct);
- for(i = 0; i < nvalid; i++) {
- char *format_ptr = get_netscape_format(array[i]);
- if(!format_ptr) {
- free(array);
- error = CURLE_OUT_OF_MEMORY;
- goto error;
- }
- fprintf(out, "%s\n", format_ptr);
- free(format_ptr);
- }
- free(array);
- }
- if(!use_stdout) {
- fclose(out);
- out = NULL;
- if(tempstore && Curl_rename(tempstore, filename)) {
- unlink(tempstore);
- error = CURLE_WRITE_ERROR;
- goto error;
- }
- }
- /*
- * If we reach here we have successfully written a cookie file so there is
- * no need to inspect the error, any error case should have jumped into the
- * error block below.
- */
- free(tempstore);
- return CURLE_OK;
- error:
- if(out && !use_stdout)
- fclose(out);
- free(tempstore);
- return error;
- }
- static struct curl_slist *cookie_list(struct Curl_easy *data)
- {
- struct curl_slist *list = NULL;
- struct curl_slist *beg;
- struct Cookie *c;
- char *line;
- unsigned int i;
- if(!data->cookies || (data->cookies->numcookies == 0))
- return NULL;
- for(i = 0; i < COOKIE_HASH_SIZE; i++) {
- for(c = data->cookies->cookies[i]; c; c = c->next) {
- if(!c->domain)
- continue;
- line = get_netscape_format(c);
- if(!line) {
- curl_slist_free_all(list);
- return NULL;
- }
- beg = Curl_slist_append_nodup(list, line);
- if(!beg) {
- free(line);
- curl_slist_free_all(list);
- return NULL;
- }
- list = beg;
- }
- }
- return list;
- }
- struct curl_slist *Curl_cookie_list(struct Curl_easy *data)
- {
- struct curl_slist *list;
- Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
- list = cookie_list(data);
- Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
- return list;
- }
- void Curl_flush_cookies(struct Curl_easy *data, bool cleanup)
- {
- CURLcode res;
- if(data->set.str[STRING_COOKIEJAR]) {
- Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
- /* if we have a destination file for all the cookies to get dumped to */
- res = cookie_output(data, data->cookies, data->set.str[STRING_COOKIEJAR]);
- if(res)
- infof(data, "WARNING: failed to save cookies in %s: %s",
- data->set.str[STRING_COOKIEJAR], curl_easy_strerror(res));
- }
- else {
- Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
- }
- if(cleanup && (!data->share || (data->cookies != data->share->cookies))) {
- Curl_cookie_cleanup(data->cookies);
- data->cookies = NULL;
- }
- Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
- }
- #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_COOKIES */
|