1: /***************************************************************************
2: * _ _ ____ _
3: * Project ___| | | | _ \| |
4: * / __| | | | |_) | |
5: * | (__| |_| | _ <| |___
6: * \___|\___/|_| \_\_____|
7: *
8: * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
9: *
10: * This software is licensed as described in the file COPYING, which
11: * you should have received as part of this distribution. The terms
12: * are also available at https://curl.haxx.se/docs/copyright.html.
13: *
14: * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15: * copies of the Software, and permit persons to whom the Software is
16: * furnished to do so, under the terms of the COPYING file.
17: *
18: * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19: * KIND, either express or implied.
20: *
21: ***************************************************************************/
22:
23: /***
24:
25:
26: RECEIVING COOKIE INFORMATION
27: ============================
28:
29: struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
30: const char *file, struct CookieInfo *inc, bool newsession);
31:
32: Inits a cookie struct to store data in a local file. This is always
33: called before any cookies are set.
34:
35: struct Cookie *Curl_cookie_add(struct Curl_easy *data,
36: struct CookieInfo *c, bool httpheader, char *lineptr,
37: const char *domain, const char *path);
38:
39: The 'lineptr' parameter is a full "Set-cookie:" line as
40: received from a server.
41:
42: The function need to replace previously stored lines that this new
43: line supersedes.
44:
45: It may remove lines that are expired.
46:
47: It should return an indication of success/error.
48:
49:
50: SENDING COOKIE INFORMATION
51: ==========================
52:
53: struct Cookies *Curl_cookie_getlist(struct CookieInfo *cookie,
54: char *host, char *path, bool secure);
55:
56: For a given host and path, return a linked list of cookies that
57: the client should send to the server if used now. The secure
58: boolean informs the cookie if a secure connection is achieved or
59: not.
60:
61: It shall only return cookies that haven't expired.
62:
63:
64: Example set of cookies:
65:
66: Set-cookie: PRODUCTINFO=webxpress; domain=.fidelity.com; path=/; secure
67: Set-cookie: PERSONALIZE=none;expires=Monday, 13-Jun-1988 03:04:55 GMT;
68: domain=.fidelity.com; path=/ftgw; secure
69: Set-cookie: FidHist=none;expires=Monday, 13-Jun-1988 03:04:55 GMT;
70: domain=.fidelity.com; path=/; secure
71: Set-cookie: FidOrder=none;expires=Monday, 13-Jun-1988 03:04:55 GMT;
72: domain=.fidelity.com; path=/; secure
73: Set-cookie: DisPend=none;expires=Monday, 13-Jun-1988 03:04:55 GMT;
74: domain=.fidelity.com; path=/; secure
75: Set-cookie: FidDis=none;expires=Monday, 13-Jun-1988 03:04:55 GMT;
76: domain=.fidelity.com; path=/; secure
77: Set-cookie:
78: Session_Key@6791a9e0-901a-11d0-a1c8-9b012c88aa77=none;expires=Monday,
79: 13-Jun-1988 03:04:55 GMT; domain=.fidelity.com; path=/; secure
80: ****/
81:
82:
83: #include "curl_setup.h"
84:
85: #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_COOKIES)
86:
87: #include "urldata.h"
88: #include "cookie.h"
89: #include "psl.h"
90: #include "strtok.h"
91: #include "sendf.h"
92: #include "slist.h"
93: #include "share.h"
94: #include "strtoofft.h"
95: #include "strcase.h"
96: #include "curl_get_line.h"
97: #include "curl_memrchr.h"
98: #include "inet_pton.h"
99: #include "parsedate.h"
100: #include "rand.h"
101: #include "rename.h"
102:
103: /* The last 3 #include files should be in this order */
104: #include "curl_printf.h"
105: #include "curl_memory.h"
106: #include "memdebug.h"
107:
108: static void freecookie(struct Cookie *co)
109: {
110: free(co->expirestr);
111: free(co->domain);
112: free(co->path);
113: free(co->spath);
114: free(co->name);
115: free(co->value);
116: free(co->maxage);
117: free(co->version);
118: free(co);
119: }
120:
121: static bool tailmatch(const char *cooke_domain, const char *hostname)
122: {
123: size_t cookie_domain_len = strlen(cooke_domain);
124: size_t hostname_len = strlen(hostname);
125:
126: if(hostname_len < cookie_domain_len)
127: return FALSE;
128:
129: if(!strcasecompare(cooke_domain, hostname + hostname_len-cookie_domain_len))
130: return FALSE;
131:
132: /* A lead char of cookie_domain is not '.'.
133: RFC6265 4.1.2.3. The Domain Attribute says:
134: For example, if the value of the Domain attribute is
135: "example.com", the user agent will include the cookie in the Cookie
136: header when making HTTP requests to example.com, www.example.com, and
137: www.corp.example.com.
138: */
139: if(hostname_len == cookie_domain_len)
140: return TRUE;
141: if('.' == *(hostname + hostname_len - cookie_domain_len - 1))
142: return TRUE;
143: return FALSE;
144: }
145:
146: /*
147: * Return true if the given string is an IP(v4|v6) address.
148: */
149: static bool isip(const char *domain)
150: {
151: struct in_addr addr;
152: #ifdef ENABLE_IPV6
153: struct in6_addr addr6;
154: #endif
155:
156: if(Curl_inet_pton(AF_INET, domain, &addr)
157: #ifdef ENABLE_IPV6
158: || Curl_inet_pton(AF_INET6, domain, &addr6)
159: #endif
160: ) {
161: /* domain name given as IP address */
162: return TRUE;
163: }
164:
165: return FALSE;
166: }
167:
168: /*
169: * matching cookie path and url path
170: * RFC6265 5.1.4 Paths and Path-Match
171: */
172: static bool pathmatch(const char *cookie_path, const char *request_uri)
173: {
174: size_t cookie_path_len;
175: size_t uri_path_len;
176: char *uri_path = NULL;
177: char *pos;
178: bool ret = FALSE;
179:
180: /* cookie_path must not have last '/' separator. ex: /sample */
181: cookie_path_len = strlen(cookie_path);
182: if(1 == cookie_path_len) {
183: /* cookie_path must be '/' */
184: return TRUE;
185: }
186:
187: uri_path = strdup(request_uri);
188: if(!uri_path)
189: return FALSE;
190: pos = strchr(uri_path, '?');
191: if(pos)
192: *pos = 0x0;
193:
194: /* #-fragments are already cut off! */
195: if(0 == strlen(uri_path) || uri_path[0] != '/') {
196: free(uri_path);
197: uri_path = strdup("/");
198: if(!uri_path)
199: return FALSE;
200: }
201:
202: /* here, RFC6265 5.1.4 says
203: 4. Output the characters of the uri-path from the first character up
204: to, but not including, the right-most %x2F ("/").
205: but URL path /hoge?fuga=xxx means /hoge/index.cgi?fuga=xxx in some site
206: without redirect.
207: Ignore this algorithm because /hoge is uri path for this case
208: (uri path is not /).
209: */
210:
211: uri_path_len = strlen(uri_path);
212:
213: if(uri_path_len < cookie_path_len) {
214: ret = FALSE;
215: goto pathmatched;
216: }
217:
218: /* not using checkprefix() because matching should be case-sensitive */
219: if(strncmp(cookie_path, uri_path, cookie_path_len)) {
220: ret = FALSE;
221: goto pathmatched;
222: }
223:
224: /* The cookie-path and the uri-path are identical. */
225: if(cookie_path_len == uri_path_len) {
226: ret = TRUE;
227: goto pathmatched;
228: }
229:
230: /* here, cookie_path_len < uri_path_len */
231: if(uri_path[cookie_path_len] == '/') {
232: ret = TRUE;
233: goto pathmatched;
234: }
235:
236: ret = FALSE;
237:
238: pathmatched:
239: free(uri_path);
240: return ret;
241: }
242:
243: /*
244: * Return the top-level domain, for optimal hashing.
245: */
246: static const char *get_top_domain(const char * const domain, size_t *outlen)
247: {
248: size_t len = 0;
249: const char *first = NULL, *last;
250:
251: if(domain) {
252: len = strlen(domain);
253: last = memrchr(domain, '.', len);
254: if(last) {
255: first = memrchr(domain, '.', (last - domain));
256: if(first)
257: len -= (++first - domain);
258: }
259: }
260:
261: if(outlen)
262: *outlen = len;
263:
264: return first? first: domain;
265: }
266:
267: /*
268: * A case-insensitive hash for the cookie domains.
269: */
270: static size_t cookie_hash_domain(const char *domain, const size_t len)
271: {
272: const char *end = domain + len;
273: size_t h = 5381;
274:
275: while(domain < end) {
276: h += h << 5;
277: h ^= Curl_raw_toupper(*domain++);
278: }
279:
280: return (h % COOKIE_HASH_SIZE);
281: }
282:
283: /*
284: * Hash this domain.
285: */
286: static size_t cookiehash(const char * const domain)
287: {
288: const char *top;
289: size_t len;
290:
291: if(!domain || isip(domain))
292: return 0;
293:
294: top = get_top_domain(domain, &len);
295: return cookie_hash_domain(top, len);
296: }
297:
298: /*
299: * cookie path sanitize
300: */
301: static char *sanitize_cookie_path(const char *cookie_path)
302: {
303: size_t len;
304: char *new_path = strdup(cookie_path);
305: if(!new_path)
306: return NULL;
307:
308: /* some stupid site sends path attribute with '"'. */
309: len = strlen(new_path);
310: if(new_path[0] == '\"') {
311: memmove((void *)new_path, (const void *)(new_path + 1), len);
312: len--;
313: }
314: if(len && (new_path[len - 1] == '\"')) {
315: new_path[len - 1] = 0x0;
316: len--;
317: }
318:
319: /* RFC6265 5.2.4 The Path Attribute */
320: if(new_path[0] != '/') {
321: /* Let cookie-path be the default-path. */
322: free(new_path);
323: new_path = strdup("/");
324: return new_path;
325: }
326:
327: /* convert /hoge/ to /hoge */
328: if(len && new_path[len - 1] == '/') {
329: new_path[len - 1] = 0x0;
330: }
331:
332: return new_path;
333: }
334:
335: /*
336: * Load cookies from all given cookie files (CURLOPT_COOKIEFILE).
337: *
338: * NOTE: OOM or cookie parsing failures are ignored.
339: */
340: void Curl_cookie_loadfiles(struct Curl_easy *data)
341: {
342: struct curl_slist *list = data->change.cookielist;
343: if(list) {
344: Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
345: while(list) {
346: struct CookieInfo *newcookies = Curl_cookie_init(data,
347: list->data,
348: data->cookies,
349: data->set.cookiesession);
350: if(!newcookies)
351: /* Failure may be due to OOM or a bad cookie; both are ignored
352: * but only the first should be
353: */
354: infof(data, "ignoring failed cookie_init for %s\n", list->data);
355: else
356: data->cookies = newcookies;
357: list = list->next;
358: }
359: curl_slist_free_all(data->change.cookielist); /* clean up list */
360: data->change.cookielist = NULL; /* don't do this again! */
361: Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
362: }
363: }
364:
365: /*
366: * strstore() makes a strdup() on the 'newstr' and if '*str' is non-NULL
367: * that will be freed before the allocated string is stored there.
368: *
369: * It is meant to easily replace strdup()
370: */
371: static void strstore(char **str, const char *newstr)
372: {
373: free(*str);
374: *str = strdup(newstr);
375: }
376:
377: /*
378: * remove_expired() removes expired cookies.
379: */
380: static void remove_expired(struct CookieInfo *cookies)
381: {
382: struct Cookie *co, *nx;
383: curl_off_t now = (curl_off_t)time(NULL);
384: unsigned int i;
385:
386: for(i = 0; i < COOKIE_HASH_SIZE; i++) {
387: struct Cookie *pv = NULL;
388: co = cookies->cookies[i];
389: while(co) {
390: nx = co->next;
391: if(co->expires && co->expires < now) {
392: if(!pv) {
393: cookies->cookies[i] = co->next;
394: }
395: else {
396: pv->next = co->next;
397: }
398: cookies->numcookies--;
399: freecookie(co);
400: }
401: else {
402: pv = co;
403: }
404: co = nx;
405: }
406: }
407: }
408:
409: /* Make sure domain contains a dot or is localhost. */
410: static bool bad_domain(const char *domain)
411: {
412: return !strchr(domain, '.') && !strcasecompare(domain, "localhost");
413: }
414:
415: /****************************************************************************
416: *
417: * Curl_cookie_add()
418: *
419: * Add a single cookie line to the cookie keeping object.
420: *
421: * Be aware that sometimes we get an IP-only host name, and that might also be
422: * a numerical IPv6 address.
423: *
424: * Returns NULL on out of memory or invalid cookie. This is suboptimal,
425: * as they should be treated separately.
426: ***************************************************************************/
427:
428: struct Cookie *
429: Curl_cookie_add(struct Curl_easy *data,
430: /* The 'data' pointer here may be NULL at times, and thus
431: must only be used very carefully for things that can deal
432: with data being NULL. Such as infof() and similar */
433:
434: struct CookieInfo *c,
435: bool httpheader, /* TRUE if HTTP header-style line */
436: bool noexpire, /* if TRUE, skip remove_expired() */
437: char *lineptr, /* first character of the line */
438: const char *domain, /* default domain */
439: const char *path, /* full path used when this cookie is set,
440: used to get default path for the cookie
441: unless set */
442: bool secure) /* TRUE if connection is over secure origin */
443: {
444: struct Cookie *clist;
445: struct Cookie *co;
446: struct Cookie *lastc = NULL;
447: time_t now = time(NULL);
448: bool replace_old = FALSE;
449: bool badcookie = FALSE; /* cookies are good by default. mmmmm yummy */
450: size_t myhash;
451:
452: #ifdef CURL_DISABLE_VERBOSE_STRINGS
453: (void)data;
454: #endif
455:
456: /* First, alloc and init a new struct for it */
457: co = calloc(1, sizeof(struct Cookie));
458: if(!co)
459: return NULL; /* bail out if we're this low on memory */
460:
461: if(httpheader) {
462: /* This line was read off a HTTP-header */
463: char name[MAX_NAME];
464: char what[MAX_NAME];
465: const char *ptr;
466: const char *semiptr;
467:
468: size_t linelength = strlen(lineptr);
469: if(linelength > MAX_COOKIE_LINE) {
470: /* discard overly long lines at once */
471: free(co);
472: return NULL;
473: }
474:
475: semiptr = strchr(lineptr, ';'); /* first, find a semicolon */
476:
477: while(*lineptr && ISBLANK(*lineptr))
478: lineptr++;
479:
480: ptr = lineptr;
481: do {
482: /* we have a <what>=<this> pair or a stand-alone word here */
483: name[0] = what[0] = 0; /* init the buffers */
484: if(1 <= sscanf(ptr, "%" MAX_NAME_TXT "[^;\r\n=] =%"
485: MAX_NAME_TXT "[^;\r\n]",
486: name, what)) {
487: /* Use strstore() below to properly deal with received cookie
488: headers that have the same string property set more than once,
489: and then we use the last one. */
490: const char *whatptr;
491: bool done = FALSE;
492: bool sep;
493: size_t len = strlen(what);
494: size_t nlen = strlen(name);
495: const char *endofn = &ptr[ nlen ];
496:
497: if(nlen >= (MAX_NAME-1) || len >= (MAX_NAME-1) ||
498: ((nlen + len) > MAX_NAME)) {
499: /* too long individual name or contents, or too long combination of
500: name + contents. Chrome and Firefox support 4095 or 4096 bytes
501: combo. */
502: freecookie(co);
503: infof(data, "oversized cookie dropped, name/val %zu + %zu bytes\n",
504: nlen, len);
505: return NULL;
506: }
507:
508: /* name ends with a '=' ? */
509: sep = (*endofn == '=')?TRUE:FALSE;
510:
511: if(nlen) {
512: endofn--; /* move to the last character */
513: if(ISBLANK(*endofn)) {
514: /* skip trailing spaces in name */
515: while(*endofn && ISBLANK(*endofn) && nlen) {
516: endofn--;
517: nlen--;
518: }
519: name[nlen] = 0; /* new end of name */
520: }
521: }
522:
523: /* Strip off trailing whitespace from the 'what' */
524: while(len && ISBLANK(what[len-1])) {
525: what[len-1] = 0;
526: len--;
527: }
528:
529: /* Skip leading whitespace from the 'what' */
530: whatptr = what;
531: while(*whatptr && ISBLANK(*whatptr))
532: whatptr++;
533:
534: /*
535: * Check if we have a reserved prefix set before anything else, as we
536: * otherwise have to test for the prefix in both the cookie name and
537: * "the rest". Prefixes must start with '__' and end with a '-', so
538: * only test for names where that can possibly be true.
539: */
540: if(nlen > 3 && name[0] == '_' && name[1] == '_') {
541: if(!strncmp("__Secure-", name, 9))
542: co->prefix |= COOKIE_PREFIX__SECURE;
543: else if(!strncmp("__Host-", name, 7))
544: co->prefix |= COOKIE_PREFIX__HOST;
545: }
546:
547: if(!co->name) {
548: /* The very first name/value pair is the actual cookie name */
549: if(!sep) {
550: /* Bad name/value pair. */
551: badcookie = TRUE;
552: break;
553: }
554: co->name = strdup(name);
555: co->value = strdup(whatptr);
556: done = TRUE;
557: if(!co->name || !co->value) {
558: badcookie = TRUE;
559: break;
560: }
561: }
562: else if(!len) {
563: /* this was a "<name>=" with no content, and we must allow
564: 'secure' and 'httponly' specified this weirdly */
565: done = TRUE;
566: /*
567: * secure cookies are only allowed to be set when the connection is
568: * using a secure protocol, or when the cookie is being set by
569: * reading from file
570: */
571: if(strcasecompare("secure", name)) {
572: if(secure || !c->running) {
573: co->secure = TRUE;
574: }
575: else {
576: badcookie = TRUE;
577: break;
578: }
579: }
580: else if(strcasecompare("httponly", name))
581: co->httponly = TRUE;
582: else if(sep)
583: /* there was a '=' so we're not done parsing this field */
584: done = FALSE;
585: }
586: if(done)
587: ;
588: else if(strcasecompare("path", name)) {
589: strstore(&co->path, whatptr);
590: if(!co->path) {
591: badcookie = TRUE; /* out of memory bad */
592: break;
593: }
594: free(co->spath); /* if this is set again */
595: co->spath = sanitize_cookie_path(co->path);
596: if(!co->spath) {
597: badcookie = TRUE; /* out of memory bad */
598: break;
599: }
600: }
601: else if(strcasecompare("domain", name)) {
602: bool is_ip;
603:
604: /* Now, we make sure that our host is within the given domain,
605: or the given domain is not valid and thus cannot be set. */
606:
607: if('.' == whatptr[0])
608: whatptr++; /* ignore preceding dot */
609:
610: #ifndef USE_LIBPSL
611: /*
612: * Without PSL we don't know when the incoming cookie is set on a
613: * TLD or otherwise "protected" suffix. To reduce risk, we require a
614: * dot OR the exact host name being "localhost".
615: */
616: if(bad_domain(whatptr))
617: domain = ":";
618: #endif
619:
620: is_ip = isip(domain ? domain : whatptr);
621:
622: if(!domain
623: || (is_ip && !strcmp(whatptr, domain))
624: || (!is_ip && tailmatch(whatptr, domain))) {
625: strstore(&co->domain, whatptr);
626: if(!co->domain) {
627: badcookie = TRUE;
628: break;
629: }
630: if(!is_ip)
631: co->tailmatch = TRUE; /* we always do that if the domain name was
632: given */
633: }
634: else {
635: /* we did not get a tailmatch and then the attempted set domain
636: is not a domain to which the current host belongs. Mark as
637: bad. */
638: badcookie = TRUE;
639: infof(data, "skipped cookie with bad tailmatch domain: %s\n",
640: whatptr);
641: }
642: }
643: else if(strcasecompare("version", name)) {
644: strstore(&co->version, whatptr);
645: if(!co->version) {
646: badcookie = TRUE;
647: break;
648: }
649: }
650: else if(strcasecompare("max-age", name)) {
651: /* Defined in RFC2109:
652:
653: Optional. The Max-Age attribute defines the lifetime of the
654: cookie, in seconds. The delta-seconds value is a decimal non-
655: negative integer. After delta-seconds seconds elapse, the
656: client should discard the cookie. A value of zero means the
657: cookie should be discarded immediately.
658:
659: */
660: strstore(&co->maxage, whatptr);
661: if(!co->maxage) {
662: badcookie = TRUE;
663: break;
664: }
665: }
666: else if(strcasecompare("expires", name)) {
667: strstore(&co->expirestr, whatptr);
668: if(!co->expirestr) {
669: badcookie = TRUE;
670: break;
671: }
672: }
673: /*
674: else this is the second (or more) name we don't know
675: about! */
676: }
677: else {
678: /* this is an "illegal" <what>=<this> pair */
679: }
680:
681: if(!semiptr || !*semiptr) {
682: /* we already know there are no more cookies */
683: semiptr = NULL;
684: continue;
685: }
686:
687: ptr = semiptr + 1;
688: while(*ptr && ISBLANK(*ptr))
689: ptr++;
690: semiptr = strchr(ptr, ';'); /* now, find the next semicolon */
691:
692: if(!semiptr && *ptr)
693: /* There are no more semicolons, but there's a final name=value pair
694: coming up */
695: semiptr = strchr(ptr, '\0');
696: } while(semiptr);
697:
698: if(co->maxage) {
699: CURLofft offt;
700: offt = curlx_strtoofft((*co->maxage == '\"')?
701: &co->maxage[1]:&co->maxage[0], NULL, 10,
702: &co->expires);
703: if(offt == CURL_OFFT_FLOW)
704: /* overflow, used max value */
705: co->expires = CURL_OFF_T_MAX;
706: else if(!offt) {
707: if(!co->expires)
708: /* already expired */
709: co->expires = 1;
710: else if(CURL_OFF_T_MAX - now < co->expires)
711: /* would overflow */
712: co->expires = CURL_OFF_T_MAX;
713: else
714: co->expires += now;
715: }
716: }
717: else if(co->expirestr) {
718: /* Note that if the date couldn't get parsed for whatever reason,
719: the cookie will be treated as a session cookie */
720: co->expires = Curl_getdate_capped(co->expirestr);
721:
722: /* Session cookies have expires set to 0 so if we get that back
723: from the date parser let's add a second to make it a
724: non-session cookie */
725: if(co->expires == 0)
726: co->expires = 1;
727: else if(co->expires < 0)
728: co->expires = 0;
729: }
730:
731: if(!badcookie && !co->domain) {
732: if(domain) {
733: /* no domain was given in the header line, set the default */
734: co->domain = strdup(domain);
735: if(!co->domain)
736: badcookie = TRUE;
737: }
738: }
739:
740: if(!badcookie && !co->path && path) {
741: /* No path was given in the header line, set the default.
742: Note that the passed-in path to this function MAY have a '?' and
743: following part that MUST not be stored as part of the path. */
744: char *queryp = strchr(path, '?');
745:
746: /* queryp is where the interesting part of the path ends, so now we
747: want to the find the last */
748: char *endslash;
749: if(!queryp)
750: endslash = strrchr(path, '/');
751: else
752: endslash = memrchr(path, '/', (queryp - path));
753: if(endslash) {
754: size_t pathlen = (endslash-path + 1); /* include end slash */
755: co->path = malloc(pathlen + 1); /* one extra for the zero byte */
756: if(co->path) {
757: memcpy(co->path, path, pathlen);
758: co->path[pathlen] = 0; /* zero terminate */
759: co->spath = sanitize_cookie_path(co->path);
760: if(!co->spath)
761: badcookie = TRUE; /* out of memory bad */
762: }
763: else
764: badcookie = TRUE;
765: }
766: }
767:
768: if(badcookie || !co->name) {
769: /* we didn't get a cookie name or a bad one,
770: this is an illegal line, bail out */
771: freecookie(co);
772: return NULL;
773: }
774:
775: }
776: else {
777: /* This line is NOT a HTTP header style line, we do offer support for
778: reading the odd netscape cookies-file format here */
779: char *ptr;
780: char *firstptr;
781: char *tok_buf = NULL;
782: int fields;
783:
784: /* IE introduced HTTP-only cookies to prevent XSS attacks. Cookies
785: marked with httpOnly after the domain name are not accessible
786: from javascripts, but since curl does not operate at javascript
787: level, we include them anyway. In Firefox's cookie files, these
788: lines are preceded with #HttpOnly_ and then everything is
789: as usual, so we skip 10 characters of the line..
790: */
791: if(strncmp(lineptr, "#HttpOnly_", 10) == 0) {
792: lineptr += 10;
793: co->httponly = TRUE;
794: }
795:
796: if(lineptr[0]=='#') {
797: /* don't even try the comments */
798: free(co);
799: return NULL;
800: }
801: /* strip off the possible end-of-line characters */
802: ptr = strchr(lineptr, '\r');
803: if(ptr)
804: *ptr = 0; /* clear it */
805: ptr = strchr(lineptr, '\n');
806: if(ptr)
807: *ptr = 0; /* clear it */
808:
809: firstptr = strtok_r(lineptr, "\t", &tok_buf); /* tokenize it on the TAB */
810:
811: /* Now loop through the fields and init the struct we already have
812: allocated */
813: for(ptr = firstptr, fields = 0; ptr && !badcookie;
814: ptr = strtok_r(NULL, "\t", &tok_buf), fields++) {
815: switch(fields) {
816: case 0:
817: if(ptr[0]=='.') /* skip preceding dots */
818: ptr++;
819: co->domain = strdup(ptr);
820: if(!co->domain)
821: badcookie = TRUE;
822: break;
823: case 1:
824: /* flag: A TRUE/FALSE value indicating if all machines within a given
825: domain can access the variable. Set TRUE when the cookie says
826: .domain.com and to false when the domain is complete www.domain.com
827: */
828: co->tailmatch = strcasecompare(ptr, "TRUE")?TRUE:FALSE;
829: break;
830: case 2:
831: /* The file format allows the path field to remain not filled in */
832: if(strcmp("TRUE", ptr) && strcmp("FALSE", ptr)) {
833: /* only if the path doesn't look like a boolean option! */
834: co->path = strdup(ptr);
835: if(!co->path)
836: badcookie = TRUE;
837: else {
838: co->spath = sanitize_cookie_path(co->path);
839: if(!co->spath) {
840: badcookie = TRUE; /* out of memory bad */
841: }
842: }
843: break;
844: }
845: /* this doesn't look like a path, make one up! */
846: co->path = strdup("/");
847: if(!co->path)
848: badcookie = TRUE;
849: co->spath = strdup("/");
850: if(!co->spath)
851: badcookie = TRUE;
852: fields++; /* add a field and fall down to secure */
853: /* FALLTHROUGH */
854: case 3:
855: co->secure = FALSE;
856: if(strcasecompare(ptr, "TRUE")) {
857: if(secure || c->running)
858: co->secure = TRUE;
859: else
860: badcookie = TRUE;
861: }
862: break;
863: case 4:
864: if(curlx_strtoofft(ptr, NULL, 10, &co->expires))
865: badcookie = TRUE;
866: break;
867: case 5:
868: co->name = strdup(ptr);
869: if(!co->name)
870: badcookie = TRUE;
871: else {
872: /* For Netscape file format cookies we check prefix on the name */
873: if(strncasecompare("__Secure-", co->name, 9))
874: co->prefix |= COOKIE_PREFIX__SECURE;
875: else if(strncasecompare("__Host-", co->name, 7))
876: co->prefix |= COOKIE_PREFIX__HOST;
877: }
878: break;
879: case 6:
880: co->value = strdup(ptr);
881: if(!co->value)
882: badcookie = TRUE;
883: break;
884: }
885: }
886: if(6 == fields) {
887: /* we got a cookie with blank contents, fix it */
888: co->value = strdup("");
889: if(!co->value)
890: badcookie = TRUE;
891: else
892: fields++;
893: }
894:
895: if(!badcookie && (7 != fields))
896: /* we did not find the sufficient number of fields */
897: badcookie = TRUE;
898:
899: if(badcookie) {
900: freecookie(co);
901: return NULL;
902: }
903:
904: }
905:
906: if(co->prefix & COOKIE_PREFIX__SECURE) {
907: /* The __Secure- prefix only requires that the cookie be set secure */
908: if(!co->secure) {
909: freecookie(co);
910: return NULL;
911: }
912: }
913: if(co->prefix & COOKIE_PREFIX__HOST) {
914: /*
915: * The __Host- prefix requires the cookie to be secure, have a "/" path
916: * and not have a domain set.
917: */
918: if(co->secure && co->path && strcmp(co->path, "/") == 0 && !co->tailmatch)
919: ;
920: else {
921: freecookie(co);
922: return NULL;
923: }
924: }
925:
926: if(!c->running && /* read from a file */
927: c->newsession && /* clean session cookies */
928: !co->expires) { /* this is a session cookie since it doesn't expire! */
929: freecookie(co);
930: return NULL;
931: }
932:
933: co->livecookie = c->running;
934: co->creationtime = ++c->lastct;
935:
936: /* now, we have parsed the incoming line, we must now check if this
937: supersedes an already existing cookie, which it may if the previous have
938: the same domain and path as this */
939:
940: /* at first, remove expired cookies */
941: if(!noexpire)
942: remove_expired(c);
943:
944: #ifdef USE_LIBPSL
945: /* Check if the domain is a Public Suffix and if yes, ignore the cookie. */
946: if(domain && co->domain && !isip(co->domain)) {
947: const psl_ctx_t *psl = Curl_psl_use(data);
948: int acceptable;
949:
950: if(psl) {
951: acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
952: Curl_psl_release(data);
953: }
954: else
955: acceptable = !bad_domain(domain);
956:
957: if(!acceptable) {
958: infof(data, "cookie '%s' dropped, domain '%s' must not "
959: "set cookies for '%s'\n", co->name, domain, co->domain);
960: freecookie(co);
961: return NULL;
962: }
963: }
964: #endif
965:
966: myhash = cookiehash(co->domain);
967: clist = c->cookies[myhash];
968: replace_old = FALSE;
969: while(clist) {
970: if(strcasecompare(clist->name, co->name)) {
971: /* the names are identical */
972:
973: if(clist->domain && co->domain) {
974: if(strcasecompare(clist->domain, co->domain) &&
975: (clist->tailmatch == co->tailmatch))
976: /* The domains are identical */
977: replace_old = TRUE;
978: }
979: else if(!clist->domain && !co->domain)
980: replace_old = TRUE;
981:
982: if(replace_old) {
983: /* the domains were identical */
984:
985: if(clist->spath && co->spath) {
986: if(clist->secure && !co->secure && !secure) {
987: size_t cllen;
988: const char *sep;
989:
990: /*
991: * A non-secure cookie may not overlay an existing secure cookie.
992: * For an existing cookie "a" with path "/login", refuse a new
993: * cookie "a" with for example path "/login/en", while the path
994: * "/loginhelper" is ok.
995: */
996:
997: sep = strchr(clist->spath + 1, '/');
998:
999: if(sep)
1000: cllen = sep - clist->spath;
1001: else
1002: cllen = strlen(clist->spath);
1003:
1004: if(strncasecompare(clist->spath, co->spath, cllen)) {
1005: freecookie(co);
1006: return NULL;
1007: }
1008: }
1009: else if(strcasecompare(clist->spath, co->spath))
1010: replace_old = TRUE;
1011: else
1012: replace_old = FALSE;
1013: }
1014: else if(!clist->spath && !co->spath)
1015: replace_old = TRUE;
1016: else
1017: replace_old = FALSE;
1018:
1019: }
1020:
1021: if(replace_old && !co->livecookie && clist->livecookie) {
1022: /* Both cookies matched fine, except that the already present
1023: cookie is "live", which means it was set from a header, while
1024: the new one isn't "live" and thus only read from a file. We let
1025: live cookies stay alive */
1026:
1027: /* Free the newcomer and get out of here! */
1028: freecookie(co);
1029: return NULL;
1030: }
1031:
1032: if(replace_old) {
1033: co->next = clist->next; /* get the next-pointer first */
1034:
1035: /* when replacing, creationtime is kept from old */
1036: co->creationtime = clist->creationtime;
1037:
1038: /* then free all the old pointers */
1039: free(clist->name);
1040: free(clist->value);
1041: free(clist->domain);
1042: free(clist->path);
1043: free(clist->spath);
1044: free(clist->expirestr);
1045: free(clist->version);
1046: free(clist->maxage);
1047:
1048: *clist = *co; /* then store all the new data */
1049:
1050: free(co); /* free the newly allocated memory */
1051: co = clist; /* point to the previous struct instead */
1052:
1053: /* We have replaced a cookie, now skip the rest of the list but
1054: make sure the 'lastc' pointer is properly set */
1055: do {
1056: lastc = clist;
1057: clist = clist->next;
1058: } while(clist);
1059: break;
1060: }
1061: }
1062: lastc = clist;
1063: clist = clist->next;
1064: }
1065:
1066: if(c->running)
1067: /* Only show this when NOT reading the cookies from a file */
1068: infof(data, "%s cookie %s=\"%s\" for domain %s, path %s, "
1069: "expire %" CURL_FORMAT_CURL_OFF_T "\n",
1070: replace_old?"Replaced":"Added", co->name, co->value,
1071: co->domain, co->path, co->expires);
1072:
1073: if(!replace_old) {
1074: /* then make the last item point on this new one */
1075: if(lastc)
1076: lastc->next = co;
1077: else
1078: c->cookies[myhash] = co;
1079: c->numcookies++; /* one more cookie in the jar */
1080: }
1081:
1082: return co;
1083: }
1084:
1085:
1086: /*****************************************************************************
1087: *
1088: * Curl_cookie_init()
1089: *
1090: * Inits a cookie struct to read data from a local file. This is always
1091: * called before any cookies are set. File may be NULL.
1092: *
1093: * If 'newsession' is TRUE, discard all "session cookies" on read from file.
1094: *
1095: * Note that 'data' might be called as NULL pointer.
1096: *
1097: * Returns NULL on out of memory. Invalid cookies are ignored.
1098: ****************************************************************************/
1099: struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
1100: const char *file,
1101: struct CookieInfo *inc,
1102: bool newsession)
1103: {
1104: struct CookieInfo *c;
1105: FILE *fp = NULL;
1106: bool fromfile = TRUE;
1107: char *line = NULL;
1108:
1109: if(NULL == inc) {
1110: /* we didn't get a struct, create one */
1111: c = calloc(1, sizeof(struct CookieInfo));
1112: if(!c)
1113: return NULL; /* failed to get memory */
1114: c->filename = strdup(file?file:"none"); /* copy the name just in case */
1115: if(!c->filename)
1116: goto fail; /* failed to get memory */
1117: }
1118: else {
1119: /* we got an already existing one, use that */
1120: c = inc;
1121: }
1122: c->running = FALSE; /* this is not running, this is init */
1123:
1124: if(file && !strcmp(file, "-")) {
1125: fp = stdin;
1126: fromfile = FALSE;
1127: }
1128: else if(file && !*file) {
1129: /* points to a "" string */
1130: fp = NULL;
1131: }
1132: else
1133: fp = file?fopen(file, FOPEN_READTEXT):NULL;
1134:
1135: c->newsession = newsession; /* new session? */
1136:
1137: if(fp) {
1138: char *lineptr;
1139: bool headerline;
1140:
1141: line = malloc(MAX_COOKIE_LINE);
1142: if(!line)
1143: goto fail;
1144: while(Curl_get_line(line, MAX_COOKIE_LINE, fp)) {
1145: if(checkprefix("Set-Cookie:", line)) {
1146: /* This is a cookie line, get it! */
1147: lineptr = &line[11];
1148: headerline = TRUE;
1149: }
1150: else {
1151: lineptr = line;
1152: headerline = FALSE;
1153: }
1154: while(*lineptr && ISBLANK(*lineptr))
1155: lineptr++;
1156:
1157: Curl_cookie_add(data, c, headerline, TRUE, lineptr, NULL, NULL, TRUE);
1158: }
1159: free(line); /* free the line buffer */
1160: remove_expired(c); /* run this once, not on every cookie */
1161:
1162: if(fromfile)
1163: fclose(fp);
1164: }
1165:
1166: c->running = TRUE; /* now, we're running */
1167: if(data)
1168: data->state.cookie_engine = TRUE;
1169:
1170: return c;
1171:
1172: fail:
1173: free(line);
1174: if(!inc)
1175: /* Only clean up if we allocated it here, as the original could still be in
1176: * use by a share handle */
1177: Curl_cookie_cleanup(c);
1178: if(fromfile && fp)
1179: fclose(fp);
1180: return NULL; /* out of memory */
1181: }
1182:
1183: /* sort this so that the longest path gets before the shorter path */
1184: static int cookie_sort(const void *p1, const void *p2)
1185: {
1186: struct Cookie *c1 = *(struct Cookie **)p1;
1187: struct Cookie *c2 = *(struct Cookie **)p2;
1188: size_t l1, l2;
1189:
1190: /* 1 - compare cookie path lengths */
1191: l1 = c1->path ? strlen(c1->path) : 0;
1192: l2 = c2->path ? strlen(c2->path) : 0;
1193:
1194: if(l1 != l2)
1195: return (l2 > l1) ? 1 : -1 ; /* avoid size_t <=> int conversions */
1196:
1197: /* 2 - compare cookie domain lengths */
1198: l1 = c1->domain ? strlen(c1->domain) : 0;
1199: l2 = c2->domain ? strlen(c2->domain) : 0;
1200:
1201: if(l1 != l2)
1202: return (l2 > l1) ? 1 : -1 ; /* avoid size_t <=> int conversions */
1203:
1204: /* 3 - compare cookie name lengths */
1205: l1 = c1->name ? strlen(c1->name) : 0;
1206: l2 = c2->name ? strlen(c2->name) : 0;
1207:
1208: if(l1 != l2)
1209: return (l2 > l1) ? 1 : -1;
1210:
1211: /* 4 - compare cookie creation time */
1212: return (c2->creationtime > c1->creationtime) ? 1 : -1;
1213: }
1214:
1215: /* sort cookies only according to creation time */
1216: static int cookie_sort_ct(const void *p1, const void *p2)
1217: {
1218: struct Cookie *c1 = *(struct Cookie **)p1;
1219: struct Cookie *c2 = *(struct Cookie **)p2;
1220:
1221: return (c2->creationtime > c1->creationtime) ? 1 : -1;
1222: }
1223:
1224: #define CLONE(field) \
1225: do { \
1226: if(src->field) { \
1227: d->field = strdup(src->field); \
1228: if(!d->field) \
1229: goto fail; \
1230: } \
1231: } while(0)
1232:
1233: static struct Cookie *dup_cookie(struct Cookie *src)
1234: {
1235: struct Cookie *d = calloc(sizeof(struct Cookie), 1);
1236: if(d) {
1237: CLONE(expirestr);
1238: CLONE(domain);
1239: CLONE(path);
1240: CLONE(spath);
1241: CLONE(name);
1242: CLONE(value);
1243: CLONE(maxage);
1244: CLONE(version);
1245: d->expires = src->expires;
1246: d->tailmatch = src->tailmatch;
1247: d->secure = src->secure;
1248: d->livecookie = src->livecookie;
1249: d->httponly = src->httponly;
1250: d->creationtime = src->creationtime;
1251: }
1252: return d;
1253:
1254: fail:
1255: freecookie(d);
1256: return NULL;
1257: }
1258:
1259: /*****************************************************************************
1260: *
1261: * Curl_cookie_getlist()
1262: *
1263: * For a given host and path, return a linked list of cookies that the
1264: * client should send to the server if used now. The secure boolean informs
1265: * the cookie if a secure connection is achieved or not.
1266: *
1267: * It shall only return cookies that haven't expired.
1268: *
1269: ****************************************************************************/
1270:
1271: struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
1272: const char *host, const char *path,
1273: bool secure)
1274: {
1275: struct Cookie *newco;
1276: struct Cookie *co;
1277: struct Cookie *mainco = NULL;
1278: size_t matches = 0;
1279: bool is_ip;
1280: const size_t myhash = cookiehash(host);
1281:
1282: if(!c || !c->cookies[myhash])
1283: return NULL; /* no cookie struct or no cookies in the struct */
1284:
1285: /* at first, remove expired cookies */
1286: remove_expired(c);
1287:
1288: /* check if host is an IP(v4|v6) address */
1289: is_ip = isip(host);
1290:
1291: co = c->cookies[myhash];
1292:
1293: while(co) {
1294: /* if the cookie requires we're secure we must only continue if we are! */
1295: if(co->secure?secure:TRUE) {
1296:
1297: /* now check if the domain is correct */
1298: if(!co->domain ||
1299: (co->tailmatch && !is_ip && tailmatch(co->domain, host)) ||
1300: ((!co->tailmatch || is_ip) && strcasecompare(host, co->domain)) ) {
1301: /* the right part of the host matches the domain stuff in the
1302: cookie data */
1303:
1304: /* now check the left part of the path with the cookies path
1305: requirement */
1306: if(!co->spath || pathmatch(co->spath, path) ) {
1307:
1308: /* and now, we know this is a match and we should create an
1309: entry for the return-linked-list */
1310:
1311: newco = dup_cookie(co);
1312: if(newco) {
1313: /* then modify our next */
1314: newco->next = mainco;
1315:
1316: /* point the main to us */
1317: mainco = newco;
1318:
1319: matches++;
1320: }
1321: else
1322: goto fail;
1323: }
1324: }
1325: }
1326: co = co->next;
1327: }
1328:
1329: if(matches) {
1330: /* Now we need to make sure that if there is a name appearing more than
1331: once, the longest specified path version comes first. To make this
1332: the swiftest way, we just sort them all based on path length. */
1333: struct Cookie **array;
1334: size_t i;
1335:
1336: /* alloc an array and store all cookie pointers */
1337: array = malloc(sizeof(struct Cookie *) * matches);
1338: if(!array)
1339: goto fail;
1340:
1341: co = mainco;
1342:
1343: for(i = 0; co; co = co->next)
1344: array[i++] = co;
1345:
1346: /* now sort the cookie pointers in path length order */
1347: qsort(array, matches, sizeof(struct Cookie *), cookie_sort);
1348:
1349: /* remake the linked list order according to the new order */
1350:
1351: mainco = array[0]; /* start here */
1352: for(i = 0; i<matches-1; i++)
1353: array[i]->next = array[i + 1];
1354: array[matches-1]->next = NULL; /* terminate the list */
1355:
1356: free(array); /* remove the temporary data again */
1357: }
1358:
1359: return mainco; /* return the new list */
1360:
1361: fail:
1362: /* failure, clear up the allocated chain and return NULL */
1363: Curl_cookie_freelist(mainco);
1364: return NULL;
1365: }
1366:
1367: /*****************************************************************************
1368: *
1369: * Curl_cookie_clearall()
1370: *
1371: * Clear all existing cookies and reset the counter.
1372: *
1373: ****************************************************************************/
1374: void Curl_cookie_clearall(struct CookieInfo *cookies)
1375: {
1376: if(cookies) {
1377: unsigned int i;
1378: for(i = 0; i < COOKIE_HASH_SIZE; i++) {
1379: Curl_cookie_freelist(cookies->cookies[i]);
1380: cookies->cookies[i] = NULL;
1381: }
1382: cookies->numcookies = 0;
1383: }
1384: }
1385:
1386: /*****************************************************************************
1387: *
1388: * Curl_cookie_freelist()
1389: *
1390: * Free a list of cookies previously returned by Curl_cookie_getlist();
1391: *
1392: ****************************************************************************/
1393:
1394: void Curl_cookie_freelist(struct Cookie *co)
1395: {
1396: struct Cookie *next;
1397: while(co) {
1398: next = co->next;
1399: freecookie(co);
1400: co = next;
1401: }
1402: }
1403:
1404:
1405: /*****************************************************************************
1406: *
1407: * Curl_cookie_clearsess()
1408: *
1409: * Free all session cookies in the cookies list.
1410: *
1411: ****************************************************************************/
1412: void Curl_cookie_clearsess(struct CookieInfo *cookies)
1413: {
1414: struct Cookie *first, *curr, *next, *prev = NULL;
1415: unsigned int i;
1416:
1417: if(!cookies)
1418: return;
1419:
1420: for(i = 0; i < COOKIE_HASH_SIZE; i++) {
1421: if(!cookies->cookies[i])
1422: continue;
1423:
1424: first = curr = prev = cookies->cookies[i];
1425:
1426: for(; curr; curr = next) {
1427: next = curr->next;
1428: if(!curr->expires) {
1429: if(first == curr)
1430: first = next;
1431:
1432: if(prev == curr)
1433: prev = next;
1434: else
1435: prev->next = next;
1436:
1437: freecookie(curr);
1438: cookies->numcookies--;
1439: }
1440: else
1441: prev = curr;
1442: }
1443:
1444: cookies->cookies[i] = first;
1445: }
1446: }
1447:
1448:
1449: /*****************************************************************************
1450: *
1451: * Curl_cookie_cleanup()
1452: *
1453: * Free a "cookie object" previous created with Curl_cookie_init().
1454: *
1455: ****************************************************************************/
1456: void Curl_cookie_cleanup(struct CookieInfo *c)
1457: {
1458: if(c) {
1459: unsigned int i;
1460: free(c->filename);
1461: for(i = 0; i < COOKIE_HASH_SIZE; i++)
1462: Curl_cookie_freelist(c->cookies[i]);
1463: free(c); /* free the base struct as well */
1464: }
1465: }
1466:
1467: /* get_netscape_format()
1468: *
1469: * Formats a string for Netscape output file, w/o a newline at the end.
1470: *
1471: * Function returns a char * to a formatted line. Has to be free()d
1472: */
1473: static char *get_netscape_format(const struct Cookie *co)
1474: {
1475: return aprintf(
1476: "%s" /* httponly preamble */
1477: "%s%s\t" /* domain */
1478: "%s\t" /* tailmatch */
1479: "%s\t" /* path */
1480: "%s\t" /* secure */
1481: "%" CURL_FORMAT_CURL_OFF_T "\t" /* expires */
1482: "%s\t" /* name */
1483: "%s", /* value */
1484: co->httponly?"#HttpOnly_":"",
1485: /* Make sure all domains are prefixed with a dot if they allow
1486: tailmatching. This is Mozilla-style. */
1487: (co->tailmatch && co->domain && co->domain[0] != '.')? ".":"",
1488: co->domain?co->domain:"unknown",
1489: co->tailmatch?"TRUE":"FALSE",
1490: co->path?co->path:"/",
1491: co->secure?"TRUE":"FALSE",
1492: co->expires,
1493: co->name,
1494: co->value?co->value:"");
1495: }
1496:
1497: /*
1498: * cookie_output()
1499: *
1500: * Writes all internally known cookies to the specified file. Specify
1501: * "-" as file name to write to stdout.
1502: *
1503: * The function returns non-zero on write failure.
1504: */
1505: static int cookie_output(struct Curl_easy *data,
1506: struct CookieInfo *c, const char *filename)
1507: {
1508: struct Cookie *co;
1509: FILE *out = NULL;
1510: bool use_stdout = FALSE;
1511: char *tempstore = NULL;
1512: bool error = false;
1513:
1514: if(!c)
1515: /* no cookie engine alive */
1516: return 0;
1517:
1518: /* at first, remove expired cookies */
1519: remove_expired(c);
1520:
1521: if(!strcmp("-", filename)) {
1522: /* use stdout */
1523: out = stdout;
1524: use_stdout = TRUE;
1525: }
1526: else {
1527: unsigned char randsuffix[9];
1528:
1529: if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
1530: return 2;
1531:
1532: tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
1533: if(!tempstore)
1534: return 1;
1535:
1536: out = fopen(tempstore, FOPEN_WRITETEXT);
1537: if(!out)
1538: goto error;
1539: }
1540:
1541: fputs("# Netscape HTTP Cookie File\n"
1542: "# https://curl.haxx.se/docs/http-cookies.html\n"
1543: "# This file was generated by libcurl! Edit at your own risk.\n\n",
1544: out);
1545:
1546: if(c->numcookies) {
1547: unsigned int i;
1548: size_t nvalid = 0;
1549: struct Cookie **array;
1550:
1551: array = calloc(1, sizeof(struct Cookie *) * c->numcookies);
1552: if(!array) {
1553: goto error;
1554: }
1555:
1556: /* only sort the cookies with a domain property */
1557: for(i = 0; i < COOKIE_HASH_SIZE; i++) {
1558: for(co = c->cookies[i]; co; co = co->next) {
1559: if(!co->domain)
1560: continue;
1561: array[nvalid++] = co;
1562: }
1563: }
1564:
1565: qsort(array, nvalid, sizeof(struct Cookie *), cookie_sort_ct);
1566:
1567: for(i = 0; i < nvalid; i++) {
1568: char *format_ptr = get_netscape_format(array[i]);
1569: if(format_ptr == NULL) {
1570: fprintf(out, "#\n# Fatal libcurl error\n");
1571: free(array);
1572: goto error;
1573: }
1574: fprintf(out, "%s\n", format_ptr);
1575: free(format_ptr);
1576: }
1577:
1578: free(array);
1579: }
1580:
1581: if(!use_stdout) {
1582: fclose(out);
1583: out = NULL;
1584: if(Curl_rename(tempstore, filename)) {
1585: unlink(tempstore);
1586: goto error;
1587: }
1588: }
1589:
1590: goto cleanup;
1591: error:
1592: error = true;
1593: cleanup:
1594: if(out && !use_stdout)
1595: fclose(out);
1596: free(tempstore);
1597: return error ? 1 : 0;
1598: }
1599:
1600: static struct curl_slist *cookie_list(struct Curl_easy *data)
1601: {
1602: struct curl_slist *list = NULL;
1603: struct curl_slist *beg;
1604: struct Cookie *c;
1605: char *line;
1606: unsigned int i;
1607:
1608: if((data->cookies == NULL) ||
1609: (data->cookies->numcookies == 0))
1610: return NULL;
1611:
1612: for(i = 0; i < COOKIE_HASH_SIZE; i++) {
1613: for(c = data->cookies->cookies[i]; c; c = c->next) {
1614: if(!c->domain)
1615: continue;
1616: line = get_netscape_format(c);
1617: if(!line) {
1618: curl_slist_free_all(list);
1619: return NULL;
1620: }
1621: beg = Curl_slist_append_nodup(list, line);
1622: if(!beg) {
1623: free(line);
1624: curl_slist_free_all(list);
1625: return NULL;
1626: }
1627: list = beg;
1628: }
1629: }
1630:
1631: return list;
1632: }
1633:
1634: struct curl_slist *Curl_cookie_list(struct Curl_easy *data)
1635: {
1636: struct curl_slist *list;
1637: Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
1638: list = cookie_list(data);
1639: Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
1640: return list;
1641: }
1642:
1643: void Curl_flush_cookies(struct Curl_easy *data, bool cleanup)
1644: {
1645: if(data->set.str[STRING_COOKIEJAR]) {
1646: if(data->change.cookielist) {
1647: /* If there is a list of cookie files to read, do it first so that
1648: we have all the told files read before we write the new jar.
1649: Curl_cookie_loadfiles() LOCKS and UNLOCKS the share itself! */
1650: Curl_cookie_loadfiles(data);
1651: }
1652:
1653: Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
1654:
1655: /* if we have a destination file for all the cookies to get dumped to */
1656: if(cookie_output(data, data->cookies, data->set.str[STRING_COOKIEJAR]))
1657: infof(data, "WARNING: failed to save cookies in %s\n",
1658: data->set.str[STRING_COOKIEJAR]);
1659: }
1660: else {
1661: if(cleanup && data->change.cookielist) {
1662: /* since nothing is written, we can just free the list of cookie file
1663: names */
1664: curl_slist_free_all(data->change.cookielist); /* clean up list */
1665: data->change.cookielist = NULL;
1666: }
1667: Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
1668: }
1669:
1670: if(cleanup && (!data->share || (data->cookies != data->share->cookies))) {
1671: Curl_cookie_cleanup(data->cookies);
1672: data->cookies = NULL;
1673: }
1674: Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
1675: }
1676:
1677: #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_COOKIES */
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to cookie.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / curl / lib