Package: emacs;
Reported by: Alain Schneble <a.s <at> realize.ch>
Date: Fri, 21 Oct 2016 16:37:02 UTC
Severity: normal
Tags: patch
Merged with 29282
Found in versions 25.1.50, 26.0.90
Fixed in version 26.1
Done: Katsumi Yamaoka <yamaoka <at> jpl.org>
Bug is archived. No further changes may be made.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
From: Alain Schneble <a.s <at> realize.ch> To: <bug-gnu-emacs <at> gnu.org> Subject: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly Date: Fri, 21 Oct 2016 18:35:11 +0200
Processing an HTTP response with a Set-Cookie header and HttpOnly
attribute creates a phantom cookie with name HttpOnly. url-cookie.el
(url-cookie-handle-set-cookie) handles the additional HttpOnly attribute
as the name of an additional cookie, thus interpreting Set-Cookie header
value as it would contain multiple cookies. This is wrong. See also
RFC6265 HTTP State Management Mechanism, section 4.1.2.6:
https://www.rfc-editor.org/rfc/rfc6265.txt.
Here's a recipe to reproduce this issue:
- emacs -Q
- Eval the following fragment:
(let ((file (make-temp-file "CookieHttpOnly")))
(with-temp-buffer
(insert
"(setq url-cookie-storage nil)\n"
"(setq url-cookie-secure-storage nil)")
(write-file file))
(setq url-cookie-file file)
(url-retrieve-synchronously "https://en.wikipedia.org/wiki/GNU_Guile")
(url-cookie-write-file)
(find-file file))
- The visited cookies file should now contain two cookie entries:
("en.wikipedia.org"
[url-cookie "WMF-Last-Access" "21-Oct-2016" "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t]
[url-cookie "HttpOnly" nil "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t])
=> The second cookie entry is not expected.
I would be happy to arrange a patch to solve this issue, but would like
first to discuss which approach to choose:
1. Simply ignore any HttpOnly attribute/flag on a Set-Cookie header
value.
2. Extend the url-cookie cl-defstruct to contain an additional slot
HTTPONLY. Its value would be t if HttpOnly attribute was detected in
Set-Cookie's header value, nil otherwise.
I could live with both. What would you prefer?
Alain
In GNU Emacs 25.1.50.1 (x86_64-w64-mingw32)
of 2016-09-27 built on MYNGB
Repository revision: bbf1ffd7c74bdf3ea766580788f7f4adb98a47f0
Windowing system distributor 'Microsoft Corp.', version 10.0.10586
Configured using:
'configure --prefix /c/usr/bin/emacs-25.1 --without-imagemagick'
Configured features:
XPM JPEG TIFF GIF PNG RSVG SOUND NOTIFY ACL GNUTLS LIBXML2 ZLIB
TOOLKIT_SCROLL_BARS
Important settings:
value of $LANG: DES
locale-coding-system: cp1252
Major mode: Emacs-Lisp
Minor modes in effect:
diff-auto-refine-mode: t
shell-dirtrack-mode: t
linum-mode: t
paredit-mode: t
winner-mode: t
icomplete-mode: t
show-paren-mode: t
display-time-mode: t
display-battery-mode: t
tooltip-mode: t
global-eldoc-mode: t
electric-indent-mode: t
mouse-wheel-mode: t
file-name-shadow-mode: t
global-font-lock-mode: t
font-lock-mode: t
blink-cursor-mode: t
auto-composition-mode: t
auto-encryption-mode: t
auto-compression-mode: t
column-number-mode: t
line-number-mode: t
transient-mark-mode: t
Recent messages:
Mark activated
Insomnium ―― 2014 - Shadows of the Dying Sun [Limited Digipack Edition] (2014) ―― 204-the descent.mp3
Mark set [5 times]
Insomnium ―― 2011 - One For Sorrow (2014) ―― 01 Inertia.mp3
Mark set
Making completion list...
command-execute: Command attempted to use minibuffer while in minibuffer
Quit
Mark set [2 times]
Making completion list...
Quit [2 times]
Features:
(shadow emacsbug debug shr-color color timezone eww mm-url url-queue shr
dom browse-url pcmpl-unix em-unix em-term term ehelp em-script em-prompt
em-ls em-hist em-pred em-glob em-dirs em-cmpl em-basic em-banner
em-alias esh-var esh-io esh-cmd esh-opt esh-ext esh-proc esh-arg
esh-groups eshell esh-module esh-mode esh-util nndoc gnus-dup crm
debbugs-gnu add-log debbugs soap-client xml org-indent
sanityinc-tomorrow-eighties-theme warnings compile autoload tar-mode
lisp-mnt mm-archive url-handlers url-http url-gw url-cache url-auth url
url-proxy url-privacy url-expand url-methods url-history url-cookie
url-domsuf url-util url-parse url-vars pp ace-window ace-jump-mode
advice cl vc-dispatcher vc-svn nxml-uchnm rng-xsd xsd-regexp rng-cmpct
rng-nxml rng-valid rng-loc rng-uri rng-parse nxml-parse rng-match rng-dt
rng-util rng-pttrn nxml-ns nxml-mode nxml-outln nxml-rap nxml-util
nxml-glyph nxml-enc xmltok apropos tmm artist picture reporter rect
bongo lastfm-submit vc-git diff-mode org-element org-rmail org-mhe
org-irc org-info org-gnus org-docview doc-view subr-x image-mode
org-bibtex bibtex org-bbdb org-w3m shell find-dired gnus-fun jka-compr
misearch multi-isearch eieio-opt speedbar sb-image ezimage dframe
thingatpt nnfolder mailalias smtpmail sendmail nnir qp sort smiley
gnus-cite mail-extr gnus-async gnus-bcklg gnus-ml nndraft nnmh
network-stream nsm auth-source cl-seq starttls gnus-agent gnus-srvr
gnus-score score-mode nnvirtual gnus-msg gnus-art mm-uu mml2015 mm-view
mml-smime smime dig mailcap nntp gnus-cache gnus-sum gnus-group
gnus-undo gnus-start gnus-cloud nnimap nnmail mail-source tls gnutls
utf7 netrc nnoo parse-time gnus-spec gnus-int gnus-range message dired
rfc822 mml mml-sec password-cache epg mm-decode mm-bodies mm-encode
mail-parse rfc2231 rfc2047 rfc2045 ietf-drums mailabbrev gmm-utils
mailheader gnus-win linum paredit winner ob-ditaa ob-gnuplot org
org-macro org-footnote org-pcomplete pcomplete org-list org-faces
org-entities noutline outline easy-mmode org-version ob-emacs-lisp ob
ob-tangle ob-ref ob-lob ob-table ob-exp org-src ob-keys ob-comint comint
ansi-color ring ob-core ob-eval org-compat org-macs org-loaddefs
format-spec find-func cal-menu calendar cal-loaddefs server ido
icomplete sanityinc-tomorrow-night-theme sanityinc-tomorrow-bright-theme
color-theme-sanityinc-tomorrow paren gnus gnus-ems nnheader gnus-util
mail-utils mm-util help-fns mail-prsvr wid-edit time battery cus-start
cus-load finder-inf ac-js2-autoloads ace-window-autoloads
ace-jump-mode-autoloads bongo-autoloads
color-theme-sanityinc-tomorrow-autoloads company-autoloads
emms-autoloads expand-region-autoloads gnuplot-autoloads
gnuplot-mode-autoloads google-this-autoloads js2-refactor-autoloads
json-mode-autoloads json-reformat-autoloads json-snatcher-autoloads
eieio eieio-core cl-macs multiple-cursors-autoloads
auto-complete-autoloads flycheck-autoloads paredit-autoloads
pkg-info-autoloads epl-autoloads popup-autoloads s-autoloads
skewer-mode-autoloads js2-mode-autoloads simple-httpd-autoloads
solarized-theme-autoloads spacegray-theme-autoloads swift-mode-autoloads
info yasnippet-autoloads zenburn-theme-autoloads package epg-config seq
byte-opt gv bytecomp byte-compile cl-extra help-mode easymenu cconv
edmacro kmacro cl-loaddefs pcase cl-lib time-date mule-util tooltip
eldoc electric uniquify ediff-hook vc-hooks lisp-float-type mwheel
dos-w32 ls-lisp disp-table w32-win w32-vars term/common-win tool-bar dnd
fontset image regexp-opt fringe tabulated-list newcomment elisp-mode
lisp-mode prog-mode register page menu-bar rfn-eshadow timer select
scroll-bar mouse jit-lock font-lock syntax facemenu font-core frame
cl-generic cham georgian utf-8-lang misc-lang vietnamese tibetan thai
tai-viet lao korean japanese eucjp-ms cp51932 hebrew greek romanian
slovak czech european ethiopic indian cyrillic chinese charscript
case-table epa-hook jka-cmpr-hook help simple abbrev minibuffer
cl-preloaded nadvice loaddefs button faces cus-face macroexp files
text-properties overlay sha1 md5 base64 format env code-pages mule
custom widget hashtable-print-readable backquote w32notify w32 multi-tty
make-network-process emacs)
Memory information:
((conses 16 1451456 275303)
(symbols 56 52346 0)
(miscs 48 3682 1278)
(strings 32 219721 96665)
(string-bytes 1 6292673)
(vectors 16 69870)
(vector-slots 8 1820989 19661)
(floats 8 3501 683)
(intervals 56 148195 1586)
(buffers 976 118))
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.