cookies: the max expire time is 400 days #13543

Open
wants to merge 1 commit into
base: master
31 changes: 29 additions & 2 deletions lib/cookie.c
Expand Up @@ -368,6 +368,18 @@ static void strstore(char **str, const char *newstr, size_t len)
*str = Curl_memdup0(newstr, len);
}

static time_t time_now(void)
{
#ifdef DEBUGBUILD
char *timestr = getenv("CURL_TIME");
if(timestr) {
unsigned long val = strtol(timestr, NULL, 10);
return (time_t)val;
}
#endif
return time(NULL);
}

/*
* remove_expired
*
Expand All @@ -380,7 +392,7 @@ static void strstore(char **str, const char *newstr, size_t len)
static void remove_expired(struct CookieInfo *cookies)
{
struct Cookie *co, *nx;
curl_off_t now = (curl_off_t)time(NULL);
curl_off_t now = (curl_off_t)time_now();
unsigned int i;

/*
Expand Down Expand Up @@ -469,6 +481,18 @@ static int invalid_octets(const char *p)
return (p[len] != '\0');
}

/* number of seconds in 400 days */
#define MAXAGE (400*24*3600)

/* Make sure cookies never expire further away in time than 400 days into the
future. (from RFC6265bis draft-13 section 4.1.2.1) */
static void cap_expires(time_t now, struct Cookie *co)
{
if((TIME_T_MAX - MAXAGE) > now)
if(co->expires > (now + MAXAGE))
co->expires = now + MAXAGE;
}

/*
* Curl_cookie_add
*
Expand Down Expand Up @@ -496,7 +520,7 @@ Curl_cookie_add(struct Curl_easy *data,
struct Cookie *lastc = NULL;
struct Cookie *replace_co = NULL;
struct Cookie *replace_clist = NULL;
time_t now = time(NULL);
time_t now = time_now();
bool replace_old = FALSE;
bool badcookie = FALSE; /* cookies are good by default. mmmmm yummy */
size_t myhash;
Expand Down Expand Up @@ -752,6 +776,7 @@ Curl_cookie_add(struct Curl_easy *data,
co->expires += now;
break;
}
cap_expires(now, co);
}
else if((nlen == 7) && strncasecompare("expires", namep, 7)) {
char date[128];
Expand All @@ -776,6 +801,8 @@ Curl_cookie_add(struct Curl_easy *data,
co->expires = 1;
else if(co->expires < 0)
co->expires = 0;
else
cap_expires(now, co);
}
}

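Review bot: The 400-day limit only takes effect where `cap_expires()` is called, which in these hunks is the Max-Age branch and the Expires branch of `Curl_cookie_add`; an expiry that reaches `co->expires` by any other path is not limited. The body of `Curl_cookie_add` continues outside the hunks, so this cannot be confirmed from here, but the test46 expectations in this same pull request still list `22139150993` for cookies that appear to come from the input jar, which suggests file-loaded cookies keep their far-future expiry. If that is intended, the comment above `cap_expires` should say so, for example `/* Applied to cookies received in headers only; entries loaded from a cookie file keep their stored expiry. */`; otherwise call `cap_expires(now, co)` on the load path as well. Separately, when `now` is within `MAXAGE` of `TIME_T_MAX` the outer `if` skips the cap silently, which deserves a one-line comment.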
17 changes: 8 additions & 9 deletions tests/data/test1415
Expand Up @@ -59,7 +59,12 @@ http://example.com/we/want/%TESTNUMBER -b none -c %LOGDIR/jar%TESTNUMBER.txt -x
<features>
cookies
proxy
debug
</features>
# This date is exactly: Thu Nov 16 10:12:59 AM UTC 2023
<setenv>
CURL_TIME=1700129579
</setenv>
</client>

# Verify data after the test has been "shot"
Expand All @@ -78,15 +83,9 @@ Proxy-Connection: Keep-Alive
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

%if large-time
.example.com TRUE / FALSE 17545593600 test7value test7
.example.com TRUE / FALSE 17545593600 test4value test4
.example.com TRUE / FALSE 17545593600 test2value test2
%else
.example.com TRUE / FALSE 2145830400 test7value test7
.example.com TRUE / FALSE 2145830400 test4value test4
.example.com TRUE / FALSE 2145830400 test2value test2
%endif
.example.com TRUE / FALSE 1734689579 test7value test7
.example.com TRUE / FALSE 1734689579 test4value test4
.example.com TRUE / FALSE 1734689579 test2value test2
.example.com TRUE / FALSE 0 test1value test1
</file>
</verify>
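Review bot: Adding `debug` to `<features>` presumably makes this test skip on non-debug builds, because `CURL_TIME` is only read under `#ifdef DEBUGBUILD` in `time_now()`; release builds would then lose this cookie-jar coverage. The same applies to test31, test46 and test61 in this pull request. Consider keeping at least one cookie test that does not depend on `CURL_TIME`, for example one using only session cookies or already-expired dates, so that cookie parsing and jar output stay exercised in release configurations. The expected value `1734689579` is `1700129579` plus 400 days, so a short comment beside it such as `# CURL_TIME + 400 days` would make the fixture self-explanatory.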
11 changes: 6 additions & 5 deletions tests/data/test31
Expand Up @@ -149,7 +149,12 @@ perl -e "print 'Test requires default test server host' if ( '%HOSTIP' ne '127.0
</precheck>
<features>
cookies
debug
</features>
# This date is exactly: Thu Nov 16 10:12:59 AM UTC 2023
<setenv>
CURL_TIME=1700129579
</setenv>
</client>

# Verify data after the test has been "shot"
Expand All @@ -171,11 +176,7 @@ test31.curl FALSE /we/want/ FALSE 0 withspaces2 before equals
test31.curl FALSE /we/want/ FALSE 0 withspaces yes within and around
.test31.curl TRUE /we/want/ FALSE 0 blexp yesyes
#HttpOnly_test31.curl FALSE /silly/ FALSE 0 magic yessir
%if large-time
test31.curl FALSE /we/want/ FALSE 17517902187 nodomain value
%else
test31.curl FALSE /we/want/ FALSE 2118138987 nodomain value
%endif
test31.curl FALSE /we/want/ FALSE 1734689579 nodomain value
.test31.curl TRUE / FALSE 0 partmatch present
#HttpOnly_.test31.curl TRUE /p4/ FALSE 0 httponly myvalue1
#HttpOnly_.test31.curl TRUE /p4/ FALSE 0 httpo4 value4
11 changes: 7 additions & 4 deletions tests/data/test46
Expand Up @@ -69,7 +69,12 @@ domain..tld FALSE /want FALSE 0 empty
</file>
<features>
cookies
debug
</features>
# This date is exactly: Thu Nov 16 10:12:59 AM UTC 2023
<setenv>
CURL_TIME=1700129579
</setenv>
</client>

# Verify data after the test has been "shot"
Expand All @@ -91,16 +96,14 @@ domain..tld FALSE /want/ FALSE 0 simplyhuge zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
domain..tld FALSE / FALSE 0 justaname
domain..tld FALSE / FALSE 0 ASPSESSIONIDQGGQQSJJ GKNBDIFAAOFDPDAIEAKDIBKE
domain..tld FALSE / FALSE 0 ckySession temporary
%if large-time
domain..tld FALSE / FALSE 17517902187 ckyPersistent permanent
domain..tld FALSE / FALSE 1734689579 ckyPersistent permanent
domain..tld FALSE /want FALSE 0 empty
%if large-time
#HttpOnly_domain..tld FALSE /want FALSE 22139150993 mooo2 indeed2
domain..tld FALSE / FALSE 22139150993 mooo indeed
www.loser.com FALSE / FALSE 22139150993 UID 99
www.fake.come FALSE / FALSE 22147483647 cookiecliente si
%else
domain..tld FALSE / FALSE 2118138987 ckyPersistent permanent
domain..tld FALSE /want FALSE 0 empty
#HttpOnly_domain..tld FALSE /want FALSE 2139150993 mooo2 indeed2
domain..tld FALSE / FALSE 2139150993 mooo indeed
www.loser.com FALSE / FALSE 2139150993 UID 99
14 changes: 7 additions & 7 deletions tests/data/test61
Expand Up @@ -46,14 +46,19 @@ HTTP with various cookies and custom Host:
# Explicitly set the time zone to a known good one, in case the user is
# using one of the 'right' zones that take into account leap seconds
# which causes the cookie expiry times to be different.

# This date is exactly: Thu Nov 16 10:12:59 AM UTC 2023
<setenv>
TZ=GMT
CURL_TIME=1700129579
</setenv>
</setenv>
<command>
http://%HOSTIP:%HTTPPORT/we/want/%TESTNUMBER -c %LOGDIR/jar%TESTNUMBER.txt -H "Host: www.host.foo.com"
</command>
<features>
cookies
debug
</features>
</client>

Expand All @@ -71,13 +76,8 @@ Accept: */*
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

%if large-time
.host.foo.com TRUE /we/want/ FALSE 17517902187 test2 yes
#HttpOnly_.foo.com TRUE /we/want/ FALSE 17517902187 test yes
%else
.host.foo.com TRUE /we/want/ FALSE 2118138987 test2 yes
#HttpOnly_.foo.com TRUE /we/want/ FALSE 2118138987 test yes
%endif
.host.foo.com TRUE /we/want/ FALSE 1734689579 test2 yes
#HttpOnly_.foo.com TRUE /we/want/ FALSE 1734689579 test yes
</file>
</verify>
</testcase>
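Review bot: The environment block in the first hunk ends with two `</setenv>` lines in a row after `CURL_TIME=1700129579`, while only one `<setenv>` is opened. Unless the page rendering duplicated the line, the second closing tag is stray and should be dropped so the `<client>` section stays well-formed: `<setenv>` / `TZ=GMT` / `CURL_TIME=1700129579` / `</setenv>`. The hunk header's line counts (14 old, 19 new) are consistent with the extra tag being a genuine addition rather than a display artefact.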