bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
From: Lars Ingebrigtsen
Subject: bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
Date: Sun, 15 Apr 2018 21:47:35 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)
Alain Schneble <a.s@realize.ch> writes:
> Processing an HTTP response with a Set-Cookie header and HttpOnly
> attribute creates a phantom cookie with name HttpOnly. url-cookie.el
> (url-cookie-handle-set-cookie) handles the additional HttpOnly attribute
> as the name of an additional cookie, thus interpreting the Set-Cookie header
> value as if it contained multiple cookies. This is wrong. See also
> RFC6265 HTTP State Management Mechanism, section 4.1.2.6:
> https://www.rfc-editor.org/rfc/rfc6265.txt.
>
> Here's a recipe to reproduce this issue:
>
> - emacs -Q
> - Eval the following fragment:
>   (let ((file (make-temp-file "CookieHttpOnly")))
>     (with-temp-buffer
>       (insert
>        "(setq url-cookie-storage nil)\n"
>        "(setq url-cookie-secure-storage nil)")
>       (write-file file))
>     (setq url-cookie-file file)
>     (url-retrieve-synchronously "https://en.wikipedia.org/wiki/GNU_Guile")
>     (url-cookie-write-file)
>     (find-file file))
> - The visited cookies file should now contain two cookie entries:
>   ("en.wikipedia.org"
>    [url-cookie "WMF-Last-Access" "21-Oct-2016" "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t]
>    [url-cookie "HttpOnly" nil "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t])
>   => The second cookie entry is not expected.
I'm unable to reproduce this now, and I seem to vaguely remember this
being fixed a while ago? Are you still seeing this, Alain?
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
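
The parsing rule behind this report, as an added example that is not part of the original message and is not code from url-cookie.el: in RFC 6265 only the first `;`-separated part of a Set-Cookie value is a cookie, and every later part, including valueless ones such as HttpOnly and Secure, is an attribute of it. All `my-` names are hypothetical and the sample inputs are constructed from the values quoted in the report.

```elisp
;; Added example, not url-cookie.el code.  All `my-' names are hypothetical.
(require 'subr-x)      ; string-trim
(require 'url-cookie)  ; url-cookie-name accessor

(defconst my-cookie-attribute-names
  '("expires" "max-age" "domain" "path" "secure" "httponly")
  "Lowercased attribute names from RFC 6265, section 4.1.2.")

(defun my-split-on-equals (text)
  "Split TEXT at its first `=' into (NAME . VALUE); VALUE is t if no `='."
  (let ((pos (string-match "=" text)))
    (if pos
        (cons (string-trim (substring text 0 pos))
              (string-trim (substring text (1+ pos))))
      (cons text t))))

(defun my-parse-set-cookie (header-value)
  "Parse one Set-Cookie HEADER-VALUE into (NAME VALUE ATTRIBUTES).
Only the first `;'-separated part is a cookie.  Each later part is an
attribute of that cookie; a valueless one such as HttpOnly is a flag."
  (let* ((parts (split-string header-value ";" nil "[ \t]+"))
         (pair (my-split-on-equals (car parts))))
    ;; A first part with no `=' or an empty name is not a cookie: ignore it.
    (when (and (stringp (cdr pair)) (not (equal (car pair) "")))
      (list (car pair) (cdr pair)
            (mapcar (lambda (attr)
                      (let ((kv (my-split-on-equals attr)))
                        (cons (downcase (car kv)) (cdr kv))))
                    (delete "" (cdr parts)))))))

(defun my-phantom-cookies (storage)
  "Return (DOMAIN . NAME) for cookies in STORAGE named like an attribute.
STORAGE has the shape of `url-cookie-storage': ((DOMAIN COOKIE...) ...)."
  (let (hits)
    (dolist (entry storage (nreverse hits))
      (dolist (cookie (cdr entry))
        (when (member (downcase (url-cookie-name cookie))
                      my-cookie-attribute-names)
          (push (cons (car entry) (url-cookie-name cookie)) hits))))))

;; Constructed header value, modelled on the cookie in the report.
(my-parse-set-cookie
 "WMF-Last-Access=21-Oct-2016; Path=/; HttpOnly; secure; Expires=Tue, 22 Nov 2016 12:00:00 GMT")

;; Constructed storage that mirrors the two entries in the report.
(my-phantom-cookies
 '(("en.wikipedia.org"
    [url-cookie "WMF-Last-Access" "21-Oct-2016" "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t]
    [url-cookie "HttpOnly" nil "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t])))
```

Running `my-phantom-cookies` on `url-cookie-storage` and `url-cookie-secure-storage` after the recipe shows whether a given build still stores attribute names as cookies; a server may legitimately name a cookie like an attribute, so a hit is a prompt to inspect the response headers rather than proof of the bug.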