GNU bug report logs - #24757
25.1.50; url-cookie.el creates phantom cookie for HttpOnly


Package: emacs

Reported by: Alain Schneble <a.s <at> realize.ch>

Date: Fri, 21 Oct 2016 16:37:02 UTC

Severity: normal

Tags: patch

Merged with 29282

Found in versions 25.1.50, 26.0.90

Fixed in version 26.1

Done: Katsumi Yamaoka <yamaoka <at> jpl.org>

Bug is archived. No further changes may be made.


From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Alain Schneble <a.s <at> realize.ch>
Cc: 24757 <at> debbugs.gnu.org
Subject: bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
Date: Sun, 15 Apr 2018 21:47:35 +0200

Alain Schneble <a.s <at> realize.ch> writes:

> Processing an HTTP response with a Set-Cookie header and HttpOnly
> attribute creates a phantom cookie with name HttpOnly.  url-cookie.el
> (url-cookie-handle-set-cookie) handles the additional HttpOnly attribute
> as the name of an additional cookie, thus interpreting the Set-Cookie header
> value as if it contained multiple cookies.  This is wrong.  See also
> RFC6265 HTTP State Management Mechanism, section 4.1.2.6:
> https://www.rfc-editor.org/rfc/rfc6265.txt.
>
> Here's a recipe to reproduce this issue:
>
> - emacs -Q
> - Eval the following fragment:
>   (let ((file (make-temp-file "CookieHttpOnly")))
>     (with-temp-buffer
>       (insert
>        "(setq url-cookie-storage nil)\n"
>        "(setq url-cookie-secure-storage nil)")
>       (write-file file))
>     (setq url-cookie-file file)
>     (url-retrieve-synchronously "https://en.wikipedia.org/wiki/GNU_Guile")
>     (url-cookie-write-file)
>     (find-file file))
> - The visited cookies file should now contain two cookie entries:
>   ("en.wikipedia.org"
>         [url-cookie "WMF-Last-Access" "21-Oct-2016" "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t]
>         [url-cookie "HttpOnly" nil "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t])
>   => The second cookie entry is not expected.

I'm unable to reproduce this now, and I seem to vaguely remember this
being fixed a while ago?  Are you still seeing this, Alan?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
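
The parsing rule the report points to, as an added example (not code from url-cookie.el or from anyone in this thread): a simplified Set-Cookie parser in which only the first name=value pair is the cookie and a valueless piece such as HttpOnly is a flag on it, plus an ERT regression test for the phantom-cookie case. All `my-` names and the sample header are constructed for illustration.

```elisp
;;; Added example; every `my-' name is hypothetical, not part of url-cookie.el.
(require 'ert)

(defconst my-sample-set-cookie
  ;; Constructed header value, modelled on the cookie shown in the report.
  "WMF-Last-Access=21-Oct-2016; Path=/; HttpOnly; secure; Expires=Tue, 22 Nov 2016 12:00:00 GMT")

(defun my-parse-set-cookie (header)
  "Parse one Set-Cookie HEADER value into a plist, or nil if malformed.
The first \";\"-separated piece is the cookie's name=value pair.  Every
later piece is an attribute of that same cookie, with or without a value."
  (let* ((parts (split-string header ";" t "[ \t]+"))
         (pair (or (car parts) ""))
         (eq-pos (string-match "=" pair))
         attrs)
    ;; A first piece with no equals sign or an empty name is not a cookie.
    (when (and eq-pos (> eq-pos 0))
      (dolist (attr (cdr parts))
        (let ((pos (string-match "=" attr)))
          (push (if pos
                    (cons (downcase (substring attr 0 pos))
                          (substring attr (1+ pos)))
                  ;; Valueless attribute such as HttpOnly or Secure: a flag.
                  (cons (downcase attr) t))
                attrs)))
      (list :name (substring pair 0 eq-pos)
            :value (substring pair (1+ eq-pos))
            :attributes (nreverse attrs)))))

(ert-deftest my-httponly-is-an-attribute ()
  "HttpOnly must become a flag on the cookie, never a cookie of its own."
  (let* ((cookie (my-parse-set-cookie my-sample-set-cookie))
         (attrs (plist-get cookie :attributes)))
    (should (equal (plist-get cookie :name) "WMF-Last-Access"))
    (should (equal (plist-get cookie :value) "21-Oct-2016"))
    (should (eq t (cdr (assoc "httponly" attrs))))
    (should (eq t (cdr (assoc "secure" attrs))))
    (should (equal "/" (cdr (assoc "path" attrs))))
    ;; A bare attribute name on its own must not produce a cookie.
    (should-not (my-parse-set-cookie "HttpOnly"))))
```

Evaluate the buffer and run `M-x ert RET my-httponly-is-an-attribute RET` to execute the test.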




This bug report was last modified 6 years and 299 days ago.
