1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777 |
- /***************************************************************************
- * _ _ ____ _
- * Project ___| | | | _ \| |
- * / __| | | | |_) | |
- * | (__| |_| | _ <| |___
- * \___|\___/|_| \_\_____|
- *
- * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
- *
- * This software is licensed as described in the file COPYING, which
- * you should have received as part of this distribution. The terms
- * are also available at https://curl.se/docs/copyright.html.
- *
- * You may opt to use, copy, modify, merge, publish, distribute and/or sell
- * copies of the Software, and permit persons to whom the Software is
- * furnished to do so, under the terms of the COPYING file.
- *
- * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
- * KIND, either express or implied.
- *
- * SPDX-License-Identifier: curl
- *
- ***************************************************************************/
- /***
- RECEIVING COOKIE INFORMATION
- ============================
- struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
- const char *file, struct CookieInfo *inc, bool newsession);
- Inits a cookie struct to store data in a local file. This is always
- called before any cookies are set.
- struct Cookie *Curl_cookie_add(struct Curl_easy *data,
- struct CookieInfo *c, bool httpheader, bool noexpire,
- char *lineptr, const char *domain, const char *path,
- bool secure);
- The 'lineptr' parameter is a full "Set-cookie:" line as
- received from a server.
- The function need to replace previously stored lines that this new
- line supersedes.
- It may remove lines that are expired.
- It should return an indication of success/error.
- SENDING COOKIE INFORMATION
- ==========================
- struct Cookies *Curl_cookie_getlist(struct CookieInfo *cookie,
- char *host, char *path, bool secure);
- For a given host and path, return a linked list of cookies that
- the client should send to the server if used now. The secure
- boolean informs the cookie if a secure connection is achieved or
- not.
- It shall only return cookies that have not expired.
- Example set of cookies:
- Set-cookie: PRODUCTINFO=webxpress; domain=.fidelity.com; path=/; secure
- Set-cookie: PERSONALIZE=none;expires=Monday, 13-Jun-1988 03:04:55 GMT;
- domain=.fidelity.com; path=/ftgw; secure
- Set-cookie: FidHist=none;expires=Monday, 13-Jun-1988 03:04:55 GMT;
- domain=.fidelity.com; path=/; secure
- Set-cookie: FidOrder=none;expires=Monday, 13-Jun-1988 03:04:55 GMT;
- domain=.fidelity.com; path=/; secure
- Set-cookie: DisPend=none;expires=Monday, 13-Jun-1988 03:04:55 GMT;
- domain=.fidelity.com; path=/; secure
- Set-cookie: FidDis=none;expires=Monday, 13-Jun-1988 03:04:55 GMT;
- domain=.fidelity.com; path=/; secure
- Set-cookie:
- Session_Key@6791a9e0-901a-11d0-a1c8-9b012c88aa77=none;expires=Monday,
- 13-Jun-1988 03:04:55 GMT; domain=.fidelity.com; path=/; secure
- ****/
- #include "curl_setup.h"
- #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_COOKIES)
- #include "urldata.h"
- #include "cookie.h"
- #include "psl.h"
- #include "strtok.h"
- #include "sendf.h"
- #include "slist.h"
- #include "share.h"
- #include "strtoofft.h"
- #include "strcase.h"
- #include "curl_get_line.h"
- #include "curl_memrchr.h"
- #include "parsedate.h"
- #include "rename.h"
- #include "fopen.h"
- #include "strdup.h"
- /* The last 3 #include files should be in this order */
- #include "curl_printf.h"
- #include "curl_memory.h"
- #include "memdebug.h"
- static void strstore(char **str, const char *newstr, size_t len);
- static void freecookie(struct Cookie *co)
- {
- free(co->domain);
- free(co->path);
- free(co->spath);
- free(co->name);
- free(co->value);
- free(co);
- }
- static bool cookie_tailmatch(const char *cookie_domain,
- size_t cookie_domain_len,
- const char *hostname)
- {
- size_t hostname_len = strlen(hostname);
- if(hostname_len < cookie_domain_len)
- return FALSE;
- if(!strncasecompare(cookie_domain,
- hostname + hostname_len-cookie_domain_len,
- cookie_domain_len))
- return FALSE;
- /*
- * A lead char of cookie_domain is not '.'.
- * RFC6265 4.1.2.3. The Domain Attribute says:
- * For example, if the value of the Domain attribute is
- * "example.com", the user agent will include the cookie in the Cookie
- * header when making HTTP requests to example.com, www.example.com, and
- * www.corp.example.com.
- */
- if(hostname_len == cookie_domain_len)
- return TRUE;
- if('.' == *(hostname + hostname_len - cookie_domain_len - 1))
- return TRUE;
- return FALSE;
- }
- /*
- * matching cookie path and URL path
- * RFC6265 5.1.4 Paths and Path-Match
- */
- static bool pathmatch(const char *cookie_path, const char *request_uri)
- {
- size_t cookie_path_len;
- size_t uri_path_len;
- char *uri_path = NULL;
- char *pos;
- bool ret = FALSE;
- /* cookie_path must not have last '/' separator. ex: /sample */
- cookie_path_len = strlen(cookie_path);
- if(1 == cookie_path_len) {
- /* cookie_path must be '/' */
- return TRUE;
- }
- uri_path = strdup(request_uri);
- if(!uri_path)
- return FALSE;
- pos = strchr(uri_path, '?');
- if(pos)
- *pos = 0x0;
- /* #-fragments are already cut off! */
- if(0 == strlen(uri_path) || uri_path[0] != '/') {
- strstore(&uri_path, "/", 1);
- if(!uri_path)
- return FALSE;
- }
- /*
- * here, RFC6265 5.1.4 says
- * 4. Output the characters of the uri-path from the first character up
- * to, but not including, the right-most %x2F ("/").
- * but URL path /hoge?fuga=xxx means /hoge/index.cgi?fuga=xxx in some site
- * without redirect.
- * Ignore this algorithm because /hoge is uri path for this case
- * (uri path is not /).
- */
- uri_path_len = strlen(uri_path);
- if(uri_path_len < cookie_path_len) {
- ret = FALSE;
- goto pathmatched;
- }
- /* not using checkprefix() because matching should be case-sensitive */
- if(strncmp(cookie_path, uri_path, cookie_path_len)) {
- ret = FALSE;
- goto pathmatched;
- }
- /* The cookie-path and the uri-path are identical. */
- if(cookie_path_len == uri_path_len) {
- ret = TRUE;
- goto pathmatched;
- }
- /* here, cookie_path_len < uri_path_len */
- if(uri_path[cookie_path_len] == '/') {
- ret = TRUE;
- goto pathmatched;
- }
- ret = FALSE;
- pathmatched:
- free(uri_path);
- return ret;
- }
- /*
- * Return the top-level domain, for optimal hashing.
- */
- static const char *get_top_domain(const char * const domain, size_t *outlen)
- {
- size_t len = 0;
- const char *first = NULL, *last;
- if(domain) {
- len = strlen(domain);
- last = memrchr(domain, '.', len);
- if(last) {
- first = memrchr(domain, '.', (last - domain));
- if(first)
- len -= (++first - domain);
- }
- }
- if(outlen)
- *outlen = len;
- return first ? first : domain;
- }
- /* Avoid C1001, an "internal error" with MSVC14 */
- #if defined(_MSC_VER) && (_MSC_VER == 1900)
- #pragma optimize("", off)
- #endif
- /*
- * A case-insensitive hash for the cookie domains.
- */
- static size_t cookie_hash_domain(const char *domain, const size_t len)
- {
- const char *end = domain + len;
- size_t h = 5381;
- while(domain < end) {
- size_t j = (size_t)Curl_raw_toupper(*domain++);
- h += h << 5;
- h ^= j;
- }
- return (h % COOKIE_HASH_SIZE);
- }
- #if defined(_MSC_VER) && (_MSC_VER == 1900)
- #pragma optimize("", on)
- #endif
- /*
- * Hash this domain.
- */
- static size_t cookiehash(const char * const domain)
- {
- const char *top;
- size_t len;
- if(!domain || Curl_host_is_ipnum(domain))
- return 0;
- top = get_top_domain(domain, &len);
- return cookie_hash_domain(top, len);
- }
- /*
- * cookie path sanitize
- */
- static char *sanitize_cookie_path(const char *cookie_path)
- {
- size_t len;
- char *new_path = strdup(cookie_path);
- if(!new_path)
- return NULL;
- /* some stupid site sends path attribute with '"'. */
- len = strlen(new_path);
- if(new_path[0] == '\"') {
- memmove(new_path, new_path + 1, len);
- len--;
- }
- if(len && (new_path[len - 1] == '\"')) {
- new_path[--len] = 0x0;
- }
- /* RFC6265 5.2.4 The Path Attribute */
- if(new_path[0] != '/') {
- /* Let cookie-path be the default-path. */
- strstore(&new_path, "/", 1);
- return new_path;
- }
- /* convert /hoge/ to /hoge */
- if(len && new_path[len - 1] == '/') {
- new_path[len - 1] = 0x0;
- }
- return new_path;
- }
- /*
- * Load cookies from all given cookie files (CURLOPT_COOKIEFILE).
- *
- * NOTE: OOM or cookie parsing failures are ignored.
- */
- void Curl_cookie_loadfiles(struct Curl_easy *data)
- {
- struct curl_slist *list = data->state.cookielist;
- if(list) {
- Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
- while(list) {
- struct CookieInfo *newcookies =
- Curl_cookie_init(data, list->data, data->cookies,
- data->set.cookiesession);
- if(!newcookies)
- /*
- * Failure may be due to OOM or a bad cookie; both are ignored
- * but only the first should be
- */
- infof(data, "ignoring failed cookie_init for %s", list->data);
- else
- data->cookies = newcookies;
- list = list->next;
- }
- Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
- }
- }
- /*
- * strstore
- *
- * A thin wrapper around strdup which ensures that any memory allocated at
- * *str will be freed before the string allocated by strdup is stored there.
- * The intended usecase is repeated assignments to the same variable during
- * parsing in a last-wins scenario. The caller is responsible for checking
- * for OOM errors.
- */
- static void strstore(char **str, const char *newstr, size_t len)
- {
- DEBUGASSERT(newstr);
- DEBUGASSERT(str);
- free(*str);
- *str = Curl_memdup0(newstr, len);
- }
- /*
- * remove_expired
- *
- * Remove expired cookies from the hash by inspecting the expires timestamp on
- * each cookie in the hash, freeing and deleting any where the timestamp is in
- * the past. If the cookiejar has recorded the next timestamp at which one or
- * more cookies expire, then processing will exit early in case this timestamp
- * is in the future.
- */
- static void remove_expired(struct CookieInfo *cookies)
- {
- struct Cookie *co, *nx;
- curl_off_t now = (curl_off_t)time(NULL);
- unsigned int i;
- /*
- * If the earliest expiration timestamp in the jar is in the future we can
- * skip scanning the whole jar and instead exit early as there will not be
- * any cookies to evict. If we need to evict however, reset the
- * next_expiration counter in order to track the next one. In case the
- * recorded first expiration is the max offset, then perform the safe
- * fallback of checking all cookies.
- */
- if(now < cookies->next_expiration &&
- cookies->next_expiration != CURL_OFF_T_MAX)
- return;
- else
- cookies->next_expiration = CURL_OFF_T_MAX;
- for(i = 0; i < COOKIE_HASH_SIZE; i++) {
- struct Cookie *pv = NULL;
- co = cookies->cookies[i];
- while(co) {
- nx = co->next;
- if(co->expires && co->expires < now) {
- if(!pv) {
- cookies->cookies[i] = co->next;
- }
- else {
- pv->next = co->next;
- }
- cookies->numcookies--;
- freecookie(co);
- }
- else {
- /*
- * If this cookie has an expiration timestamp earlier than what we have
- * seen so far then record it for the next round of expirations.
- */
- if(co->expires && co->expires < cookies->next_expiration)
- cookies->next_expiration = co->expires;
- pv = co;
- }
- co = nx;
- }
- }
- }
- #ifndef USE_LIBPSL
- /* Make sure domain contains a dot or is localhost. */
- static bool bad_domain(const char *domain, size_t len)
- {
- if((len == 9) && strncasecompare(domain, "localhost", 9))
- return FALSE;
- else {
- /* there must be a dot present, but that dot must not be a trailing dot */
- char *dot = memchr(domain, '.', len);
- if(dot) {
- size_t i = dot - domain;
- if((len - i) > 1)
- /* the dot is not the last byte */
- return FALSE;
- }
- }
- return TRUE;
- }
- #endif
- /*
- RFC 6265 section 4.1.1 says a server should accept this range:
- cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
- But Firefox and Chrome as of June 2022 accept space, comma and double-quotes
- fine. The prime reason for filtering out control bytes is that some HTTP
- servers return 400 for requests that contain such.
- */
- static int invalid_octets(const char *p)
- {
- /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */
- static const char badoctets[] = {
- "\x01\x02\x03\x04\x05\x06\x07\x08\x0a"
- "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
- "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f"
- };
- size_t len;
- /* scan for all the octets that are *not* in cookie-octet */
- len = strcspn(p, badoctets);
- return (p[len] != '\0');
- }
- /*
- * Curl_cookie_add
- *
- * Add a single cookie line to the cookie keeping object. Be aware that
- * sometimes we get an IP-only hostname, and that might also be a numerical
- * IPv6 address.
- *
- * Returns NULL on out of memory or invalid cookie. This is suboptimal,
- * as they should be treated separately.
- */
- struct Cookie *
- Curl_cookie_add(struct Curl_easy *data,
- struct CookieInfo *c,
- bool httpheader, /* TRUE if HTTP header-style line */
- bool noexpire, /* if TRUE, skip remove_expired() */
- const char *lineptr, /* first character of the line */
- const char *domain, /* default domain */
- const char *path, /* full path used when this cookie is set,
- used to get default path for the cookie
- unless set */
- bool secure) /* TRUE if connection is over secure origin */
- {
- struct Cookie *clist;
- struct Cookie *co;
- struct Cookie *lastc = NULL;
- struct Cookie *replace_co = NULL;
- struct Cookie *replace_clist = NULL;
- time_t now = time(NULL);
- bool replace_old = FALSE;
- bool badcookie = FALSE; /* cookies are good by default. mmmmm yummy */
- size_t myhash;
- DEBUGASSERT(data);
- DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */
- if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT)
- return NULL;
- /* First, alloc and init a new struct for it */
- co = calloc(1, sizeof(struct Cookie));
- if(!co)
- return NULL; /* bail out if we are this low on memory */
- if(httpheader) {
- /* This line was read off an HTTP-header */
- const char *ptr;
- size_t linelength = strlen(lineptr);
- if(linelength > MAX_COOKIE_LINE) {
- /* discard overly long lines at once */
- free(co);
- return NULL;
- }
- ptr = lineptr;
- do {
- size_t vlen;
- size_t nlen;
- while(*ptr && ISBLANK(*ptr))
- ptr++;
- /* we have a <name>=<value> pair or a stand-alone word here */
- nlen = strcspn(ptr, ";\t\r\n=");
- if(nlen) {
- bool done = FALSE;
- bool sep = FALSE;
- const char *namep = ptr;
- const char *valuep;
- ptr += nlen;
- /* trim trailing spaces and tabs after name */
- while(nlen && ISBLANK(namep[nlen - 1]))
- nlen--;
- if(*ptr == '=') {
- vlen = strcspn(++ptr, ";\r\n");
- valuep = ptr;
- sep = TRUE;
- ptr = &valuep[vlen];
- /* Strip off trailing whitespace from the value */
- while(vlen && ISBLANK(valuep[vlen-1]))
- vlen--;
- /* Skip leading whitespace from the value */
- while(vlen && ISBLANK(*valuep)) {
- valuep++;
- vlen--;
- }
- /* Reject cookies with a TAB inside the value */
- if(memchr(valuep, '\t', vlen)) {
- freecookie(co);
- infof(data, "cookie contains TAB, dropping");
- return NULL;
- }
- }
- else {
- valuep = NULL;
- vlen = 0;
- }
- /*
- * Check for too long individual name or contents, or too long
- * combination of name + contents. Chrome and Firefox support 4095 or
- * 4096 bytes combo
- */
- if(nlen >= (MAX_NAME-1) || vlen >= (MAX_NAME-1) ||
- ((nlen + vlen) > MAX_NAME)) {
- freecookie(co);
- infof(data, "oversized cookie dropped, name/val %zu + %zu bytes",
- nlen, vlen);
- return NULL;
- }
- /*
- * Check if we have a reserved prefix set before anything else, as we
- * otherwise have to test for the prefix in both the cookie name and
- * "the rest". Prefixes must start with '__' and end with a '-', so
- * only test for names where that can possibly be true.
- */
- if(nlen >= 7 && namep[0] == '_' && namep[1] == '_') {
- if(strncasecompare("__Secure-", namep, 9))
- co->prefix |= COOKIE_PREFIX__SECURE;
- else if(strncasecompare("__Host-", namep, 7))
- co->prefix |= COOKIE_PREFIX__HOST;
- }
- /*
- * Use strstore() below to properly deal with received cookie
- * headers that have the same string property set more than once,
- * and then we use the last one.
- */
- if(!co->name) {
- /* The very first name/value pair is the actual cookie name */
- if(!sep) {
- /* Bad name/value pair. */
- badcookie = TRUE;
- break;
- }
- strstore(&co->name, namep, nlen);
- strstore(&co->value, valuep, vlen);
- done = TRUE;
- if(!co->name || !co->value) {
- badcookie = TRUE;
- break;
- }
- if(invalid_octets(co->value) || invalid_octets(co->name)) {
- infof(data, "invalid octets in name/value, cookie dropped");
- badcookie = TRUE;
- break;
- }
- }
- else if(!vlen) {
- /*
- * this was a "<name>=" with no content, and we must allow
- * 'secure' and 'httponly' specified this weirdly
- */
- done = TRUE;
- /*
- * secure cookies are only allowed to be set when the connection is
- * using a secure protocol, or when the cookie is being set by
- * reading from file
- */
- if((nlen == 6) && strncasecompare("secure", namep, 6)) {
- if(secure || !c->running) {
- co->secure = TRUE;
- }
- else {
- badcookie = TRUE;
- break;
- }
- }
- else if((nlen == 8) && strncasecompare("httponly", namep, 8))
- co->httponly = TRUE;
- else if(sep)
- /* there was a '=' so we are not done parsing this field */
- done = FALSE;
- }
- if(done)
- ;
- else if((nlen == 4) && strncasecompare("path", namep, 4)) {
- strstore(&co->path, valuep, vlen);
- if(!co->path) {
- badcookie = TRUE; /* out of memory bad */
- break;
- }
- free(co->spath); /* if this is set again */
- co->spath = sanitize_cookie_path(co->path);
- if(!co->spath) {
- badcookie = TRUE; /* out of memory bad */
- break;
- }
- }
- else if((nlen == 6) &&
- strncasecompare("domain", namep, 6) && vlen) {
- bool is_ip;
- /*
- * Now, we make sure that our host is within the given domain, or
- * the given domain is not valid and thus cannot be set.
- */
- if('.' == valuep[0]) {
- valuep++; /* ignore preceding dot */
- vlen--;
- }
- #ifndef USE_LIBPSL
- /*
- * Without PSL we do not know when the incoming cookie is set on a
- * TLD or otherwise "protected" suffix. To reduce risk, we require a
- * dot OR the exact hostname being "localhost".
- */
- if(bad_domain(valuep, vlen))
- domain = ":";
- #endif
- is_ip = Curl_host_is_ipnum(domain ? domain : valuep);
- if(!domain
- || (is_ip && !strncmp(valuep, domain, vlen) &&
- (vlen == strlen(domain)))
- || (!is_ip && cookie_tailmatch(valuep, vlen, domain))) {
- strstore(&co->domain, valuep, vlen);
- if(!co->domain) {
- badcookie = TRUE;
- break;
- }
- if(!is_ip)
- co->tailmatch = TRUE; /* we always do that if the domain name was
- given */
- }
- else {
- /*
- * We did not get a tailmatch and then the attempted set domain is
- * not a domain to which the current host belongs. Mark as bad.
- */
- badcookie = TRUE;
- infof(data, "skipped cookie with bad tailmatch domain: %s",
- valuep);
- }
- }
- else if((nlen == 7) && strncasecompare("version", namep, 7)) {
- /* just ignore */
- }
- else if((nlen == 7) && strncasecompare("max-age", namep, 7)) {
- /*
- * Defined in RFC2109:
- *
- * Optional. The Max-Age attribute defines the lifetime of the
- * cookie, in seconds. The delta-seconds value is a decimal non-
- * negative integer. After delta-seconds seconds elapse, the
- * client should discard the cookie. A value of zero means the
- * cookie should be discarded immediately.
- */
- CURLofft offt;
- const char *maxage = valuep;
- offt = curlx_strtoofft((*maxage == '\"') ?
- &maxage[1] : &maxage[0], NULL, 10,
- &co->expires);
- switch(offt) {
- case CURL_OFFT_FLOW:
- /* overflow, used max value */
- co->expires = CURL_OFF_T_MAX;
- break;
- case CURL_OFFT_INVAL:
- /* negative or otherwise bad, expire */
- co->expires = 1;
- break;
- case CURL_OFFT_OK:
- if(!co->expires)
- /* already expired */
- co->expires = 1;
- else if(CURL_OFF_T_MAX - now < co->expires)
- /* would overflow */
- co->expires = CURL_OFF_T_MAX;
- else
- co->expires += now;
- break;
- }
- }
- else if((nlen == 7) && strncasecompare("expires", namep, 7)) {
- char date[128];
- if(!co->expires && (vlen < sizeof(date))) {
- /* copy the date so that it can be null terminated */
- memcpy(date, valuep, vlen);
- date[vlen] = 0;
- /*
- * Let max-age have priority.
- *
- * If the date cannot get parsed for whatever reason, the cookie
- * will be treated as a session cookie
- */
- co->expires = Curl_getdate_capped(date);
- /*
- * Session cookies have expires set to 0 so if we get that back
- * from the date parser let's add a second to make it a
- * non-session cookie
- */
- if(co->expires == 0)
- co->expires = 1;
- else if(co->expires < 0)
- co->expires = 0;
- }
- }
- /*
- * Else, this is the second (or more) name we do not know about!
- */
- }
- else {
- /* this is an "illegal" <what>=<this> pair */
- }
- while(*ptr && ISBLANK(*ptr))
- ptr++;
- if(*ptr == ';')
- ptr++;
- else
- break;
- } while(1);
- if(!badcookie && !co->domain) {
- if(domain) {
- /* no domain was given in the header line, set the default */
- co->domain = strdup(domain);
- if(!co->domain)
- badcookie = TRUE;
- }
- }
- if(!badcookie && !co->path && path) {
- /*
- * No path was given in the header line, set the default. Note that the
- * passed-in path to this function MAY have a '?' and following part that
- * MUST NOT be stored as part of the path.
- */
- char *queryp = strchr(path, '?');
- /*
- * queryp is where the interesting part of the path ends, so now we
- * want to the find the last
- */
- char *endslash;
- if(!queryp)
- endslash = strrchr(path, '/');
- else
- endslash = memrchr(path, '/', (queryp - path));
- if(endslash) {
- size_t pathlen = (endslash-path + 1); /* include end slash */
- co->path = Curl_memdup0(path, pathlen);
- if(co->path) {
- co->spath = sanitize_cookie_path(co->path);
- if(!co->spath)
- badcookie = TRUE; /* out of memory bad */
- }
- else
- badcookie = TRUE;
- }
- }
- /*
- * If we did not get a cookie name, or a bad one, the this is an illegal
- * line so bail out.
- */
- if(badcookie || !co->name) {
- freecookie(co);
- return NULL;
- }
- data->req.setcookies++;
- }
- else {
- /*
- * This line is NOT an HTTP header style line, we do offer support for
- * reading the odd netscape cookies-file format here
- */
- char *ptr;
- char *firstptr;
- char *tok_buf = NULL;
- int fields;
- /*
- * IE introduced HTTP-only cookies to prevent XSS attacks. Cookies marked
- * with httpOnly after the domain name are not accessible from javascripts,
- * but since curl does not operate at javascript level, we include them
- * anyway. In Firefox's cookie files, these lines are preceded with
- * #HttpOnly_ and then everything is as usual, so we skip 10 characters of
- * the line..
- */
- if(strncmp(lineptr, "#HttpOnly_", 10) == 0) {
- lineptr += 10;
- co->httponly = TRUE;
- }
- if(lineptr[0]=='#') {
- /* do not even try the comments */
- free(co);
- return NULL;
- }
- /* strip off the possible end-of-line characters */
- ptr = strchr(lineptr, '\r');
- if(ptr)
- *ptr = 0; /* clear it */
- ptr = strchr(lineptr, '\n');
- if(ptr)
- *ptr = 0; /* clear it */
- firstptr = strtok_r((char *)lineptr, "\t", &tok_buf); /* tokenize on TAB */
- /*
- * Now loop through the fields and init the struct we already have
- * allocated
- */
- fields = 0;
- for(ptr = firstptr; ptr && !badcookie;
- ptr = strtok_r(NULL, "\t", &tok_buf), fields++) {
- switch(fields) {
- case 0:
- if(ptr[0]=='.') /* skip preceding dots */
- ptr++;
- co->domain = strdup(ptr);
- if(!co->domain)
- badcookie = TRUE;
- break;
- case 1:
- /*
- * flag: A TRUE/FALSE value indicating if all machines within a given
- * domain can access the variable. Set TRUE when the cookie says
- * .domain.com and to false when the domain is complete www.domain.com
- */
- co->tailmatch = strcasecompare(ptr, "TRUE") ? TRUE : FALSE;
- break;
- case 2:
- /* The file format allows the path field to remain not filled in */
- if(strcmp("TRUE", ptr) && strcmp("FALSE", ptr)) {
- /* only if the path does not look like a boolean option! */
- co->path = strdup(ptr);
- if(!co->path)
- badcookie = TRUE;
- else {
- co->spath = sanitize_cookie_path(co->path);
- if(!co->spath) {
- badcookie = TRUE; /* out of memory bad */
- }
- }
- break;
- }
- /* this does not look like a path, make one up! */
- co->path = strdup("/");
- if(!co->path)
- badcookie = TRUE;
- co->spath = strdup("/");
- if(!co->spath)
- badcookie = TRUE;
- fields++; /* add a field and fall down to secure */
- FALLTHROUGH();
- case 3:
- co->secure = FALSE;
- if(strcasecompare(ptr, "TRUE")) {
- if(secure || c->running)
- co->secure = TRUE;
- else
- badcookie = TRUE;
- }
- break;
- case 4:
- if(curlx_strtoofft(ptr, NULL, 10, &co->expires))
- badcookie = TRUE;
- break;
- case 5:
- co->name = strdup(ptr);
- if(!co->name)
- badcookie = TRUE;
- else {
- /* For Netscape file format cookies we check prefix on the name */
- if(strncasecompare("__Secure-", co->name, 9))
- co->prefix |= COOKIE_PREFIX__SECURE;
- else if(strncasecompare("__Host-", co->name, 7))
- co->prefix |= COOKIE_PREFIX__HOST;
- }
- break;
- case 6:
- co->value = strdup(ptr);
- if(!co->value)
- badcookie = TRUE;
- break;
- }
- }
- if(6 == fields) {
- /* we got a cookie with blank contents, fix it */
- co->value = strdup("");
- if(!co->value)
- badcookie = TRUE;
- else
- fields++;
- }
- if(!badcookie && (7 != fields))
- /* we did not find the sufficient number of fields */
- badcookie = TRUE;
- if(badcookie) {
- freecookie(co);
- return NULL;
- }
- }
- if(co->prefix & COOKIE_PREFIX__SECURE) {
- /* The __Secure- prefix only requires that the cookie be set secure */
- if(!co->secure) {
- freecookie(co);
- return NULL;
- }
- }
- if(co->prefix & COOKIE_PREFIX__HOST) {
- /*
- * The __Host- prefix requires the cookie to be secure, have a "/" path
- * and not have a domain set.
- */
- if(co->secure && co->path && strcmp(co->path, "/") == 0 && !co->tailmatch)
- ;
- else {
- freecookie(co);
- return NULL;
- }
- }
- if(!c->running && /* read from a file */
- c->newsession && /* clean session cookies */
- !co->expires) { /* this is a session cookie since it does not expire! */
- freecookie(co);
- return NULL;
- }
- co->livecookie = c->running;
- co->creationtime = ++c->lastct;
- /*
- * Now we have parsed the incoming line, we must now check if this supersedes
- * an already existing cookie, which it may if the previous have the same
- * domain and path as this.
- */
- /* at first, remove expired cookies */
- if(!noexpire)
- remove_expired(c);
- #ifdef USE_LIBPSL
- /*
- * Check if the domain is a Public Suffix and if yes, ignore the cookie. We
- * must also check that the data handle is not NULL since the psl code will
- * dereference it.
- */
- DEBUGF(infof(data, "PSL check set-cookie '%s' for domain=%s in %s",
- co->name, co->domain, domain));
- if(data && (domain && co->domain && !Curl_host_is_ipnum(co->domain))) {
- bool acceptable = FALSE;
- char lcase[256];
- char lcookie[256];
- size_t dlen = strlen(domain);
- size_t clen = strlen(co->domain);
- if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
- const psl_ctx_t *psl = Curl_psl_use(data);
- if(psl) {
- /* the PSL check requires lowercase domain name and pattern */
- Curl_strntolower(lcase, domain, dlen + 1);
- Curl_strntolower(lcookie, co->domain, clen + 1);
- acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
- Curl_psl_release(data);
- }
- else
- infof(data, "libpsl problem, rejecting cookie for satety");
- }
- if(!acceptable) {
- infof(data, "cookie '%s' dropped, domain '%s' must not "
- "set cookies for '%s'", co->name, domain, co->domain);
- freecookie(co);
- return NULL;
- }
- }
- #else
- DEBUGF(infof(data, "NO PSL to check set-cookie '%s' for domain=%s in %s",
- co->name, co->domain, domain));
- #endif
- /* A non-secure cookie may not overlay an existing secure cookie. */
- myhash = cookiehash(co->domain);
- clist = c->cookies[myhash];
- while(clist) {
- if(strcasecompare(clist->name, co->name)) {
- /* the names are identical */
- bool matching_domains = FALSE;
- if(clist->domain && co->domain) {
- if(strcasecompare(clist->domain, co->domain))
- /* The domains are identical */
- matching_domains = TRUE;
- }
- else if(!clist->domain && !co->domain)
- matching_domains = TRUE;
- if(matching_domains && /* the domains were identical */
- clist->spath && co->spath && /* both have paths */
- clist->secure && !co->secure && !secure) {
- size_t cllen;
- const char *sep;
- /*
- * A non-secure cookie may not overlay an existing secure cookie.
- * For an existing cookie "a" with path "/login", refuse a new
- * cookie "a" with for example path "/login/en", while the path
- * "/loginhelper" is ok.
- */
- sep = strchr(clist->spath + 1, '/');
- if(sep)
- cllen = sep - clist->spath;
- else
- cllen = strlen(clist->spath);
- if(strncasecompare(clist->spath, co->spath, cllen)) {
- infof(data, "cookie '%s' for domain '%s' dropped, would "
- "overlay an existing cookie", co->name, co->domain);
- freecookie(co);
- return NULL;
- }
- }
- }
- if(!replace_co && strcasecompare(clist->name, co->name)) {
- /* the names are identical */
- if(clist->domain && co->domain) {
- if(strcasecompare(clist->domain, co->domain) &&
- (clist->tailmatch == co->tailmatch))
- /* The domains are identical */
- replace_old = TRUE;
- }
- else if(!clist->domain && !co->domain)
- replace_old = TRUE;
- if(replace_old) {
- /* the domains were identical */
- if(clist->spath && co->spath &&
- !strcasecompare(clist->spath, co->spath))
- replace_old = FALSE;
- else if(!clist->spath != !co->spath)
- replace_old = FALSE;
- }
- if(replace_old && !co->livecookie && clist->livecookie) {
- /*
- * Both cookies matched fine, except that the already present cookie
- * is "live", which means it was set from a header, while the new one
- * was read from a file and thus is not "live". "live" cookies are
- * preferred so the new cookie is freed.
- */
- freecookie(co);
- return NULL;
- }
- if(replace_old) {
- replace_co = co;
- replace_clist = clist;
- }
- }
- lastc = clist;
- clist = clist->next;
- }
- if(replace_co) {
- co = replace_co;
- clist = replace_clist;
- co->next = clist->next; /* get the next-pointer first */
- /* when replacing, creationtime is kept from old */
- co->creationtime = clist->creationtime;
- /* then free all the old pointers */
- free(clist->name);
- free(clist->value);
- free(clist->domain);
- free(clist->path);
- free(clist->spath);
- *clist = *co; /* then store all the new data */
- free(co); /* free the newly allocated memory */
- co = clist;
- }
- if(c->running)
- /* Only show this when NOT reading the cookies from a file */
- infof(data, "%s cookie %s=\"%s\" for domain %s, path %s, "
- "expire %" FMT_OFF_T,
- replace_old ? "Replaced":"Added", co->name, co->value,
- co->domain, co->path, co->expires);
- if(!replace_old) {
- /* then make the last item point on this new one */
- if(lastc)
- lastc->next = co;
- else
- c->cookies[myhash] = co;
- c->numcookies++; /* one more cookie in the jar */
- }
- /*
- * Now that we have added a new cookie to the jar, update the expiration
- * tracker in case it is the next one to expire.
- */
- if(co->expires && (co->expires < c->next_expiration))
- c->next_expiration = co->expires;
- return co;
- }
- /*
- * Curl_cookie_init()
- *
- * Inits a cookie struct to read data from a local file. This is always
- * called before any cookies are set. File may be NULL in which case only the
- * struct is initialized. Is file is "-" then STDIN is read.
- *
- * If 'newsession' is TRUE, discard all "session cookies" on read from file.
- *
- * Note that 'data' might be called as NULL pointer. If data is NULL, 'file'
- * will be ignored.
- *
- * Returns NULL on out of memory. Invalid cookies are ignored.
- */
- struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
- const char *file,
- struct CookieInfo *inc,
- bool newsession)
- {
- struct CookieInfo *c;
- FILE *handle = NULL;
- if(!inc) {
- /* we did not get a struct, create one */
- c = calloc(1, sizeof(struct CookieInfo));
- if(!c)
- return NULL; /* failed to get memory */
- /*
- * Initialize the next_expiration time to signal that we do not have enough
- * information yet.
- */
- c->next_expiration = CURL_OFF_T_MAX;
- }
- else {
- /* we got an already existing one, use that */
- c = inc;
- }
- c->newsession = newsession; /* new session? */
- if(data) {
- FILE *fp = NULL;
- if(file && *file) {
- if(!strcmp(file, "-"))
- fp = stdin;
- else {
- fp = fopen(file, "rb");
- if(!fp)
- infof(data, "WARNING: failed to open cookie file \"%s\"", file);
- else
- handle = fp;
- }
- }
- c->running = FALSE; /* this is not running, this is init */
- if(fp) {
- struct dynbuf buf;
- Curl_dyn_init(&buf, MAX_COOKIE_LINE);
- while(Curl_get_line(&buf, fp)) {
- char *lineptr = Curl_dyn_ptr(&buf);
- bool headerline = FALSE;
- if(checkprefix("Set-Cookie:", lineptr)) {
- /* This is a cookie line, get it! */
- lineptr += 11;
- headerline = TRUE;
- while(*lineptr && ISBLANK(*lineptr))
- lineptr++;
- }
- Curl_cookie_add(data, c, headerline, TRUE, lineptr, NULL, NULL, TRUE);
- }
- Curl_dyn_free(&buf); /* free the line buffer */
- /*
- * Remove expired cookies from the hash. We must make sure to run this
- * after reading the file, and not on every cookie.
- */
- remove_expired(c);
- if(handle)
- fclose(handle);
- }
- data->state.cookie_engine = TRUE;
- }
- c->running = TRUE; /* now, we are running */
- return c;
- }
- /*
- * cookie_sort
- *
- * Helper function to sort cookies such that the longest path gets before the
- * shorter path. Path, domain and name lengths are considered in that order,
- * with the creationtime as the tiebreaker. The creationtime is guaranteed to
- * be unique per cookie, so we know we will get an ordering at that point.
- */
- static int cookie_sort(const void *p1, const void *p2)
- {
- struct Cookie *c1 = *(struct Cookie **)p1;
- struct Cookie *c2 = *(struct Cookie **)p2;
- size_t l1, l2;
- /* 1 - compare cookie path lengths */
- l1 = c1->path ? strlen(c1->path) : 0;
- l2 = c2->path ? strlen(c2->path) : 0;
- if(l1 != l2)
- return (l2 > l1) ? 1 : -1 ; /* avoid size_t <=> int conversions */
- /* 2 - compare cookie domain lengths */
- l1 = c1->domain ? strlen(c1->domain) : 0;
- l2 = c2->domain ? strlen(c2->domain) : 0;
- if(l1 != l2)
- return (l2 > l1) ? 1 : -1 ; /* avoid size_t <=> int conversions */
- /* 3 - compare cookie name lengths */
- l1 = c1->name ? strlen(c1->name) : 0;
- l2 = c2->name ? strlen(c2->name) : 0;
- if(l1 != l2)
- return (l2 > l1) ? 1 : -1;
- /* 4 - compare cookie creation time */
- return (c2->creationtime > c1->creationtime) ? 1 : -1;
- }
- /*
- * cookie_sort_ct
- *
- * Helper function to sort cookies according to creation time.
- */
- static int cookie_sort_ct(const void *p1, const void *p2)
- {
- struct Cookie *c1 = *(struct Cookie **)p1;
- struct Cookie *c2 = *(struct Cookie **)p2;
- return (c2->creationtime > c1->creationtime) ? 1 : -1;
- }
- #define CLONE(field) \
- do { \
- if(src->field) { \
- d->field = strdup(src->field); \
- if(!d->field) \
- goto fail; \
- } \
- } while(0)
- static struct Cookie *dup_cookie(struct Cookie *src)
- {
- struct Cookie *d = calloc(1, sizeof(struct Cookie));
- if(d) {
- CLONE(domain);
- CLONE(path);
- CLONE(spath);
- CLONE(name);
- CLONE(value);
- d->expires = src->expires;
- d->tailmatch = src->tailmatch;
- d->secure = src->secure;
- d->livecookie = src->livecookie;
- d->httponly = src->httponly;
- d->creationtime = src->creationtime;
- }
- return d;
- fail:
- freecookie(d);
- return NULL;
- }
- /*
- * Curl_cookie_getlist
- *
- * For a given host and path, return a linked list of cookies that the client
- * should send to the server if used now. The secure boolean informs the cookie
- * if a secure connection is achieved or not.
- *
- * It shall only return cookies that have not expired.
- */
- struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
- struct CookieInfo *c,
- const char *host, const char *path,
- bool secure)
- {
- struct Cookie *newco;
- struct Cookie *co;
- struct Cookie *mainco = NULL;
- size_t matches = 0;
- bool is_ip;
- const size_t myhash = cookiehash(host);
- if(!c || !c->cookies[myhash])
- return NULL; /* no cookie struct or no cookies in the struct */
- /* at first, remove expired cookies */
- remove_expired(c);
- /* check if host is an IP(v4|v6) address */
- is_ip = Curl_host_is_ipnum(host);
- co = c->cookies[myhash];
- while(co) {
- /* if the cookie requires we are secure we must only continue if we are! */
- if(co->secure ? secure : TRUE) {
- /* now check if the domain is correct */
- if(!co->domain ||
- (co->tailmatch && !is_ip &&
- cookie_tailmatch(co->domain, strlen(co->domain), host)) ||
- ((!co->tailmatch || is_ip) && strcasecompare(host, co->domain)) ) {
- /*
- * the right part of the host matches the domain stuff in the
- * cookie data
- */
- /*
- * now check the left part of the path with the cookies path
- * requirement
- */
- if(!co->spath || pathmatch(co->spath, path) ) {
- /*
- * and now, we know this is a match and we should create an
- * entry for the return-linked-list
- */
- newco = dup_cookie(co);
- if(newco) {
- /* then modify our next */
- newco->next = mainco;
- /* point the main to us */
- mainco = newco;
- matches++;
- if(matches >= MAX_COOKIE_SEND_AMOUNT) {
- infof(data, "Included max number of cookies (%zu) in request!",
- matches);
- break;
- }
- }
- else
- goto fail;
- }
- }
- }
- co = co->next;
- }
- if(matches) {
- /*
- * Now we need to make sure that if there is a name appearing more than
- * once, the longest specified path version comes first. To make this
- * the swiftest way, we just sort them all based on path length.
- */
- struct Cookie **array;
- size_t i;
- /* alloc an array and store all cookie pointers */
- array = malloc(sizeof(struct Cookie *) * matches);
- if(!array)
- goto fail;
- co = mainco;
- for(i = 0; co; co = co->next)
- array[i++] = co;
- /* now sort the cookie pointers in path length order */
- qsort(array, matches, sizeof(struct Cookie *), cookie_sort);
- /* remake the linked list order according to the new order */
- mainco = array[0]; /* start here */
- for(i = 0; i < matches-1; i++)
- array[i]->next = array[i + 1];
- array[matches-1]->next = NULL; /* terminate the list */
- free(array); /* remove the temporary data again */
- }
- return mainco; /* return the new list */
- fail:
- /* failure, clear up the allocated chain and return NULL */
- Curl_cookie_freelist(mainco);
- return NULL;
- }
- /*
- * Curl_cookie_clearall
- *
- * Clear all existing cookies and reset the counter.
- */
- void Curl_cookie_clearall(struct CookieInfo *cookies)
- {
- if(cookies) {
- unsigned int i;
- for(i = 0; i < COOKIE_HASH_SIZE; i++) {
- Curl_cookie_freelist(cookies->cookies[i]);
- cookies->cookies[i] = NULL;
- }
- cookies->numcookies = 0;
- }
- }
- /*
- * Curl_cookie_freelist
- *
- * Free a list of cookies previously returned by Curl_cookie_getlist();
- */
- void Curl_cookie_freelist(struct Cookie *co)
- {
- struct Cookie *next;
- while(co) {
- next = co->next;
- freecookie(co);
- co = next;
- }
- }
- /*
- * Curl_cookie_clearsess
- *
- * Free all session cookies in the cookies list.
- */
- void Curl_cookie_clearsess(struct CookieInfo *cookies)
- {
- struct Cookie *first, *curr, *next, *prev = NULL;
- unsigned int i;
- if(!cookies)
- return;
- for(i = 0; i < COOKIE_HASH_SIZE; i++) {
- if(!cookies->cookies[i])
- continue;
- first = curr = prev = cookies->cookies[i];
- for(; curr; curr = next) {
- next = curr->next;
- if(!curr->expires) {
- if(first == curr)
- first = next;
- if(prev == curr)
- prev = next;
- else
- prev->next = next;
- freecookie(curr);
- cookies->numcookies--;
- }
- else
- prev = curr;
- }
- cookies->cookies[i] = first;
- }
- }
- /*
- * Curl_cookie_cleanup()
- *
- * Free a "cookie object" previous created with Curl_cookie_init().
- */
- void Curl_cookie_cleanup(struct CookieInfo *c)
- {
- if(c) {
- unsigned int i;
- for(i = 0; i < COOKIE_HASH_SIZE; i++)
- Curl_cookie_freelist(c->cookies[i]);
- free(c); /* free the base struct as well */
- }
- }
- /*
- * get_netscape_format()
- *
- * Formats a string for Netscape output file, w/o a newline at the end.
- * Function returns a char * to a formatted line. The caller is responsible
- * for freeing the returned pointer.
- */
- static char *get_netscape_format(const struct Cookie *co)
- {
- return aprintf(
- "%s" /* httponly preamble */
- "%s%s\t" /* domain */
- "%s\t" /* tailmatch */
- "%s\t" /* path */
- "%s\t" /* secure */
- "%" FMT_OFF_T "\t" /* expires */
- "%s\t" /* name */
- "%s", /* value */
- co->httponly ? "#HttpOnly_" : "",
- /*
- * Make sure all domains are prefixed with a dot if they allow
- * tailmatching. This is Mozilla-style.
- */
- (co->tailmatch && co->domain && co->domain[0] != '.') ? "." : "",
- co->domain ? co->domain : "unknown",
- co->tailmatch ? "TRUE" : "FALSE",
- co->path ? co->path : "/",
- co->secure ? "TRUE" : "FALSE",
- co->expires,
- co->name,
- co->value ? co->value : "");
- }
- /*
- * cookie_output()
- *
- * Writes all internally known cookies to the specified file. Specify
- * "-" as filename to write to stdout.
- *
- * The function returns non-zero on write failure.
- */
- static CURLcode cookie_output(struct Curl_easy *data,
- struct CookieInfo *c, const char *filename)
- {
- struct Cookie *co;
- FILE *out = NULL;
- bool use_stdout = FALSE;
- char *tempstore = NULL;
- CURLcode error = CURLE_OK;
- if(!c)
- /* no cookie engine alive */
- return CURLE_OK;
- /* at first, remove expired cookies */
- remove_expired(c);
- if(!strcmp("-", filename)) {
- /* use stdout */
- out = stdout;
- use_stdout = TRUE;
- }
- else {
- error = Curl_fopen(data, filename, &out, &tempstore);
- if(error)
- goto error;
- }
- fputs("# Netscape HTTP Cookie File\n"
- "# https://curl.se/docs/http-cookies.html\n"
- "# This file was generated by libcurl! Edit at your own risk.\n\n",
- out);
- if(c->numcookies) {
- unsigned int i;
- size_t nvalid = 0;
- struct Cookie **array;
- array = calloc(1, sizeof(struct Cookie *) * c->numcookies);
- if(!array) {
- error = CURLE_OUT_OF_MEMORY;
- goto error;
- }
- /* only sort the cookies with a domain property */
- for(i = 0; i < COOKIE_HASH_SIZE; i++) {
- for(co = c->cookies[i]; co; co = co->next) {
- if(!co->domain)
- continue;
- array[nvalid++] = co;
- }
- }
- qsort(array, nvalid, sizeof(struct Cookie *), cookie_sort_ct);
- for(i = 0; i < nvalid; i++) {
- char *format_ptr = get_netscape_format(array[i]);
- if(!format_ptr) {
- free(array);
- error = CURLE_OUT_OF_MEMORY;
- goto error;
- }
- fprintf(out, "%s\n", format_ptr);
- free(format_ptr);
- }
- free(array);
- }
- if(!use_stdout) {
- fclose(out);
- out = NULL;
- if(tempstore && Curl_rename(tempstore, filename)) {
- unlink(tempstore);
- error = CURLE_WRITE_ERROR;
- goto error;
- }
- }
- /*
- * If we reach here we have successfully written a cookie file so there is
- * no need to inspect the error, any error case should have jumped into the
- * error block below.
- */
- free(tempstore);
- return CURLE_OK;
- error:
- if(out && !use_stdout)
- fclose(out);
- free(tempstore);
- return error;
- }
- static struct curl_slist *cookie_list(struct Curl_easy *data)
- {
- struct curl_slist *list = NULL;
- struct curl_slist *beg;
- struct Cookie *c;
- char *line;
- unsigned int i;
- if(!data->cookies || (data->cookies->numcookies == 0))
- return NULL;
- for(i = 0; i < COOKIE_HASH_SIZE; i++) {
- for(c = data->cookies->cookies[i]; c; c = c->next) {
- if(!c->domain)
- continue;
- line = get_netscape_format(c);
- if(!line) {
- curl_slist_free_all(list);
- return NULL;
- }
- beg = Curl_slist_append_nodup(list, line);
- if(!beg) {
- free(line);
- curl_slist_free_all(list);
- return NULL;
- }
- list = beg;
- }
- }
- return list;
- }
- struct curl_slist *Curl_cookie_list(struct Curl_easy *data)
- {
- struct curl_slist *list;
- Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
- list = cookie_list(data);
- Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
- return list;
- }
- void Curl_flush_cookies(struct Curl_easy *data, bool cleanup)
- {
- CURLcode res;
- if(data->set.str[STRING_COOKIEJAR]) {
- Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
- /* if we have a destination file for all the cookies to get dumped to */
- res = cookie_output(data, data->cookies, data->set.str[STRING_COOKIEJAR]);
- if(res)
- infof(data, "WARNING: failed to save cookies in %s: %s",
- data->set.str[STRING_COOKIEJAR], curl_easy_strerror(res));
- }
- else {
- Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
- }
- if(cleanup && (!data->share || (data->cookies != data->share->cookies))) {
- Curl_cookie_cleanup(data->cookies);
- data->cookies = NULL;
- }
- Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
- }
- #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_COOKIES */
|