Date: Mon, 13 Nov 2017 17:43:52 +0900
From: Katsumi Yamaoka
To: bug-gnu-emacs@gnu.org
Subject: 26.0.90; url-cookie.el: a cookie handling bug

Hi,

A cookie is fed from a web site via the Set-Cookie header like this:

Set-Cookie: NAME=VALUE; Max-Age=-86400; Expires=Sun, 12 Nov 2017 06:26:31 GMT; Path=/; HTTPOnly

In this case, NAME and VALUE appearing in the beginning is the cookie, and the others are its attributions. However, url-cookie recognizes Max-Age, HTTPOnly, etc. as individual cookies, and sends them to the web site when a user posts forms in the page.
This will cause "500 Internal Server Error" in some web site[1]. In addition, although Max-Age should be preferred to Expires[2], url-cookie doesn't process it.

A patch is below.

[1] Try visiting and

in turn using eww.
To try the patched url-cookie.el, you have to delete those bogus cookies in advance. An easy way to do that is to shutdown Emacs and to delete the "~/.emacs.d/url/cookies" file.

[2]

* lisp/url/url-cookie.el (url-cookie-handle-set-cookie): Regard a Set-Cookie header as it contains a single cookie; prefer Max-Age to Expires and convert it to Expires; remove support for old time string styles.

--- url-cookie.el~ 2017-11-09 22:09:37.790145300 +0000 +++ url-cookie.el 2017-11-13 08:41:08.487776400 +0000 
@@ -249,44 +249,20 @@ (current-url (url-view-url t)) (trusted url-cookie-trusted-urls) (untrusted url-cookie-untrusted-urls) - (expires (cdr-safe (assoc-string "expires" args t))) + (max-age (cdr-safe (assoc-string "max-age" args t))) (localpart (or (cdr-safe (assoc-string "path" args t)) (file-name-directory (url-filename url-current-object)))) - (rest nil)) + (expires nil) (rest nil)) (dolist (this args) - (or (member (downcase (car this)) '("secure" "domain" "expires" "path")) + (or (member (downcase (car this)) + '("secure" "domain" "max-age" "expires" "path")) (setq rest (cons this rest)))) - - ;; Sometimes we get dates that the timezone package cannot handle very - ;; gracefully - take care of this here, instead of in url-cookie-expired-p - ;; to speed things up. - (and expires - (string-match - (concat "^[^,]+, +\\(..\\)-\\(...\\)-\\(..\\) +" - "\\(..:..:..\\) +\\[*\\([^]]+\\)\\]*$") - expires) - (setq expires (concat (match-string 1 expires) " " - (match-string 2 expires) " " - (match-string 3 expires) " " - (match-string 4 expires) " [" - (match-string 5 expires) "]"))) - - ;; This one is for older Emacs/XEmacs variants that don't - ;; understand this format without tenths of a second in it. 
- ;; Wednesday, 30-Dec-2037 16:00:00 GMT - ;; - vs - - ;; Wednesday, 30-Dec-2037 16:00:00.00 GMT - (and expires - (string-match - "\\([0-9]+\\)-\\([A-Za-z]+\\)-\\([0-9]+\\)[ \t]+\\([0-9]+:[0-9]+:[0-9]+\\)\\(\\.[0-9]+\\)*[ \t]+\\([-+a-zA-Z0-9]+\\)" - expires) - (setq expires (concat (match-string 1 expires) "-" ; day - (match-string 2 expires) "-" ; month - (match-string 3 expires) " " ; year - (match-string 4 expires) ".00 " ; hour:minutes:seconds - (match-string 6 expires)))) ":" ; timezone - + (if (and max-age (string-match "\\`-?[0-9]+\\'" max-age)) + (setq expires (format-time-string "%a %b %d %H:%M:%S %Y GMT" + (time-add nil (read max-age)) + t)) + (setq expires (cdr-safe (assoc-string "expires" args t)))) (while (consp trusted) (if (string-match (car trusted) current-url) (setq trusted (- (match-end 0) (match-beginning 0))) 
@@ -322,8 +298,8 @@ nil) ((url-cookie-host-can-set-p (url-host url-current-object) domain) ;; Cookie is accepted by the user, and passes our security checks. - (dolist (cur rest) - (url-cookie-store (car cur) (cdr cur) expires domain localpart secure))) + (url-cookie-store (caar rest) (cdar rest) + expires domain localpart secure)) (t (url-lazy-message "%s tried to set a cookie for domain %s - rejected." (url-host url-current-object) domain))))) 

Date: Tue, 14 Nov 2017 08:57:51 +0900
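
Review bot: (time-add nil (read max-age)) in the first hunk (@@ -249,44 +249,20 @@) runs the Lisp reader on a string taken from the server's Set-Cookie header. The string-match against "\\`-?[0-9]+\\'" just before it limits the input to an optionally signed digit string, so the call is safe as written, but string-to-number states the intent directly and does not depend on that regexp staying strict. The regexp also puts no upper bound on the number of digits, so a very large Max-Age reaches time-add and format-time-string unchecked; consider clamping the value or guarding the conversion so that a time which cannot be represented falls back to Expires or to a session cookie. A one-line comment saying that Max-Age is converted into an Expires-style string would replace the comments this hunk removes.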
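
Review bot: (url-cookie-store (caar rest) (cdar rest) ...) in the second hunk (@@ -322,8 +298,8 @@) stores whichever element is first in rest, and nothing in the patch checks that this element is the NAME=VALUE pair. The dolist in the first hunk builds rest by consing, so its order is the reverse of args, and its exclusion list ("secure" "domain" "max-age" "expires" "path") does not cover flags such as HTTPOnly from the example header, which therefore remain in rest. Please add a comment stating the ordering of args that this relies on, or select the pair explicitly. When rest is nil (a header made up only of attributes), caar and cdar return nil and url-cookie-store is called with a nil name; a (when rest ...) guard would avoid storing that entry.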
From: Katsumi Yamaoka
To: 29282-done@debbugs.gnu.org
Subject: Re: bug#29282: 26.0.90; url-cookie.el: a cookie handling bug

I've installed the patch (slightly improved) in emacs-26.
Eww and url package users may want to remove old cookies store.

> An easy way to do that is to shutdown Emacs and to delete
> the "~/.emacs.d/url/cookies" file.

Thanks.

On Mon, 13 Nov 2017 17:43:52 +0900, Katsumi Yamaoka wrote:
> Hi,
>
> A cookie is fed from a web site via the Set-Cookie header like
> this:
>
> Set-Cookie: NAME=VALUE; Max-Age=-86400; Expires=Sun, 12 Nov 2017 06:26:31 GMT; Path=/; HTTPOnly
>
> In this case, NAME and VALUE appearing in the beginning is the
> cookie, and the others are its attributions. However, url-cookie
> recognizes Max-Age, HTTPOnly, etc. as individual cookies, and
> sends them to the web site when a user posts forms in the page.
> This will cause "500 Internal Server Error" in some web site[1].
> In addition, although Max-Age should be preferred to Expires[2],
> url-cookie doesn't process it.
>
> A patch is below.
>
> [1] Try visiting and
>
> in turn using eww.
> To try the patched url-cookie.el, you have to delete those bogus
> cookies in advance. An easy way to do that is to shutdown Emacs
> and to delete the "~/.emacs.d/url/cookies" file.
>
> [2]
>
> * lisp/url/url-cookie.el (url-cookie-handle-set-cookie):
> Regard a Set-Cookie header as it contains a single cookie;
> prefer Max-Age to Expires and convert it to Expires;
> remove support for old time string styles.

[...]
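
The single-cookie handling that the report asks for, written out as an added example; it is not code from this thread or from url-cookie.el. Every `example-` name is hypothetical, and returning the expiry as seconds since the epoch is a choice made for this example.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example; every example-* name is hypothetical, not url-cookie.el API.
(require 'subr-x)                       ; string-trim, string-empty-p

(defun example-parse-set-cookie (header &optional now)
  "Parse HEADER, the value of one Set-Cookie header, as a single cookie.
Return (NAME VALUE EXPIRY ATTRS), or nil without a leading NAME=VALUE.
EXPIRY is in seconds since the epoch, nil for a session cookie.
NOW (seconds) defaults to the current time."
  (let* ((now (or now (float-time)))
         (parts (mapcar #'string-trim (split-string header ";")))
         (pair (car parts))
         (eq-pos (string-match "=" pair))
         attrs)
    (when (and eq-pos (> eq-pos 0))
      ;; Later segments are attributes of this cookie, never cookies.
      (dolist (seg (cdr parts))
        (unless (string-empty-p seg)
          (let ((i (string-match "=" seg)))
            (push (cons (downcase (string-trim (substring seg 0 i)))
                        (and i (string-trim (substring seg (1+ i)))))
                  attrs))))
      (let ((max-age (cdr (assoc "max-age" attrs)))
            (expires (cdr (assoc "expires" attrs))))
        (list (substring pair 0 eq-pos)
              (substring pair (1+ eq-pos))
              (cond
               ;; A well-formed Max-Age takes precedence over Expires.
               ((and max-age (string-match "\\`-?[0-9]+\\'" max-age))
                (+ now (string-to-number max-age)))
               ;; An unparsable Expires leaves a session cookie.
               (expires
                (ignore-errors (float-time (date-to-time expires)))))
              (nreverse attrs))))))

(defun example-cookie-expired-p (cookie &optional now)
  "Non-nil if COOKIE, as returned above, has an EXPIRY at or before NOW."
  (let ((expiry (nth 2 cookie)))
    (and expiry (<= expiry (or now (float-time))))))

;; Constructed input: the header quoted in the report.
(defvar example-report-header
  "NAME=VALUE; Max-Age=-86400; Expires=Sun, 12 Nov 2017 06:26:31 GMT; Path=/; HTTPOnly")

;; Evaluate to inspect the single parsed cookie and its expiry status.
(let ((cookie (example-parse-set-cookie example-report-header)))
  (list cookie (example-cookie-expired-p cookie)))
```

Only NAME and VALUE belong in a later Cookie request header; ATTRS is kept so that Path, Secure and HttpOnly can be applied as policy.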
From: Debbugs Internal Request
Subject: Internal Control
Date: Tue, 12 Dec 2017 12:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
From: Noam Postavsky
To: Lars Ingebrigtsen
Cc: 24757@debbugs.gnu.org, Alain Schneble
Subject: Re: bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
Date: Mon, 30 Jul 2018 22:08:48 -0400

fixed 24757 26.1
unarchive 29282
forcemerge 29282 24757
quit

Lars Ingebrigtsen writes:

> Alain Schneble writes:
>
>> - The visited cookies file should now contain two cookie entries:
>> ("en.wikipedia.org"
>> [url-cookie "WMF-Last-Access" "21-Oct-2016" "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t]
>> [url-cookie "HttpOnly" nil "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t])
>> => The second cookie entry is not expected.
>
> I'm unable to reproduce this now, and I seem to vaguely remember this
> being fixed a while ago? Are you still seeing this, Alan?

As far as I can tell, this was fixed along with Bug#29282 in 26.1.

From: Debbugs Internal Request
Subject: Internal Control
Date: Tue, 28 Aug 2018 11:24:05 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator