Subject: bug#29282: 26.0.90; url-cookie.el: a cookie handling bug
To: 29282@debbugs.gnu.org
Date: Mon, 13 Nov 2017 17:43:52 +0900
From: Katsumi Yamaoka

Hi,

A cookie is fed from a web site via the Set-Cookie header like
this:

Set-Cookie: NAME=VALUE; Max-Age=-86400; Expires=Sun, 12 Nov 2017 06:26:31 GMT; Path=/; HTTPOnly

In this case, NAME and VALUE appearing in the beginning is the
cookie, and the others are its attributes.  However, url-cookie
recognizes Max-Age, HTTPOnly, etc. as individual cookies, and
sends them to the web site when a user posts forms in the page.
This will cause "500 Internal Server Error" in some web site[1].
In addition, although Max-Age should be preferred to Expires[2],
url-cookie doesn't process it.

A patch is below.

[1] Try visiting and
in turn using eww.
To try the patched url-cookie.el, you have to delete those bogus
cookies in advance.  An easy way to do that is to shut down Emacs
and to delete the "~/.emacs.d/url/cookies" file.

[2]

* lisp/url/url-cookie.el (url-cookie-handle-set-cookie):
Regard a Set-Cookie header as containing a single cookie;
prefer Max-Age to Expires and convert it to Expires;
remove support for old time string styles.

--- url-cookie.el~ 2017-11-09 22:09:37.790145300 +0000 +++ url-cookie.el 2017-11-13 08:41:08.487776400 +0000 
@@ -249,44 +249,20 @@ (current-url (url-view-url t)) (trusted url-cookie-trusted-urls) (untrusted url-cookie-untrusted-urls) - (expires (cdr-safe (assoc-string "expires" args t))) + (max-age (cdr-safe (assoc-string "max-age" args t))) (localpart (or (cdr-safe (assoc-string "path" args t)) (file-name-directory (url-filename url-current-object)))) - (rest nil)) + (expires nil) (rest nil)) (dolist (this args) - (or (member (downcase (car this)) '("secure" "domain" "expires" "path")) + (or (member (downcase (car this)) + '("secure" "domain" "max-age" "expires" "path")) (setq rest (cons this rest)))) - - ;; Sometimes we get dates that the timezone package cannot handle very - ;; gracefully - take care of this here, instead of in url-cookie-expired-p - ;; to speed things up. - (and expires - (string-match - (concat "^[^,]+, +\\(..\\)-\\(...\\)-\\(..\\) +" - "\\(..:..:..\\) +\\[*\\([^]]+\\)\\]*$") - expires) - (setq expires (concat (match-string 1 expires) " " - (match-string 2 expires) " " - (match-string 3 expires) " " - (match-string 4 expires) " [" - (match-string 5 expires) "]"))) - - ;; This one is for older Emacs/XEmacs variants that don't - ;; understand this format without tenths of a second in it. 
- ;; Wednesday, 30-Dec-2037 16:00:00 GMT - ;; - vs - - ;; Wednesday, 30-Dec-2037 16:00:00.00 GMT - (and expires - (string-match - "\\([0-9]+\\)-\\([A-Za-z]+\\)-\\([0-9]+\\)[ \t]+\\([0-9]+:[0-9]+:[0-9]+\\)\\(\\.[0-9]+\\)*[ \t]+\\([-+a-zA-Z0-9]+\\)" - expires) - (setq expires (concat (match-string 1 expires) "-" ; day - (match-string 2 expires) "-" ; month - (match-string 3 expires) " " ; year - (match-string 4 expires) ".00 " ; hour:minutes:seconds - (match-string 6 expires)))) ":" ; timezone - + (if (and max-age (string-match "\\`-?[0-9]+\\'" max-age)) + (setq expires (format-time-string "%a %b %d %H:%M:%S %Y GMT" + (time-add nil (read max-age)) + t)) + (setq expires (cdr-safe (assoc-string "expires" args t)))) (while (consp trusted) (if (string-match (car trusted) current-url) (setq trusted (- (match-end 0) (match-beginning 0))) @@ -322,8 +298,8 @@ nil) ((url-cookie-host-can-set-p (url-host url-current-object) domain) ;; Cookie is accepted by the user, and passes our security checks. - (dolist (cur rest) - (url-cookie-store (car cur) (cdr cur) expires domain localpart secure))) + (url-cookie-store (caar rest) (cdar rest) + expires domain localpart secure)) (t (url-lazy-message "%s tried to set a cookie for domain %s - rejected." (url-host url-current-object) domain)))))
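
Review bot: in the first hunk (@@ -249,44 +249,20 @@), `(time-add nil (read max-age))` passes a header-supplied string through the Lisp reader and into time arithmetic with no upper bound. The `\\`-?[0-9]+\\'` guard limits `read` to digits, but `string-to-number` would state the intent without involving the reader, and the regexp accepts a digit string of any length, so an arbitrarily large Max-Age reaches `time-add` and `format-time-string` unchecked. Suggest clamping the value, or treating a failure at that point as "no expiry", before `expires` is built. The two removed `string-match` blocks also mean that Expires strings in the older `30-Dec-2037` style are now passed on without normalisation; a comment saying this is intended would help the next reader.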
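
Review bot: in the second hunk (@@ -322,8 +298,8 @@), `(url-cookie-store (caar rest) (cdar rest)` stores whatever is at the head of `rest`, but `rest` is built in the first hunk by `(setq rest (cons this rest))` inside `dolist`, so its order is the reverse of `args`. `HTTPOnly` is not in the excluded list `'("secure" "domain" "max-age" "expires" "path")`, so for the header quoted in the report both NAME=VALUE and HTTPOnly end up in `rest`, and which of them is at the head depends on the order of `args`. Suggest taking the cookie explicitly from the first pair of the header rather than from `rest`, and handling the case where `rest` is nil so that a nil name is never stored.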

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Katsumi Yamaoka
Subject: bug#29282: closed (Re: bug#29282: 26.0.90; url-cookie.el: a cookie handling bug)
Reply-To: 29282@debbugs.gnu.org
Date: Mon, 13 Nov 2017 23:59:02 +0000

Your bug report

#29282: 26.0.90; url-cookie.el: a cookie handling bug

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 29282@debbugs.gnu.org.

-- 
29282: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=29282
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

Date: Tue, 14 Nov 2017 08:57:51 +0900
From: Katsumi Yamaoka
To: 29282-done@debbugs.gnu.org
Subject: Re: bug#29282: 26.0.90; url-cookie.el: a cookie handling bug

I've installed the patch (slightly improved) in emacs-26.
Eww and url package users may want to remove the old cookies store.

> An easy way to do that is to shut down Emacs and to delete
> the "~/.emacs.d/url/cookies" file.

Thanks.

On Mon, 13 Nov 2017 17:43:52 +0900, Katsumi Yamaoka wrote:
> Hi,
>
> A cookie is fed from a web site via the Set-Cookie header like
> this:
>
> Set-Cookie: NAME=VALUE; Max-Age=-86400; Expires=Sun, 12 Nov 2017 06:26:31 GMT; Path=/; HTTPOnly
>
> In this case, NAME and VALUE appearing in the beginning is the
> cookie, and the others are its attributes.  However, url-cookie
> recognizes Max-Age, HTTPOnly, etc. as individual cookies, and
> sends them to the web site when a user posts forms in the page.
> This will cause "500 Internal Server Error" in some web site[1].
> In addition, although Max-Age should be preferred to Expires[2],
> url-cookie doesn't process it.
>
> A patch is below.
>
> [1] Try visiting and
>
> in turn using eww.
> To try the patched url-cookie.el, you have to delete those bogus
> cookies in advance.  An easy way to do that is to shut down Emacs
> and to delete the "~/.emacs.d/url/cookies" file.
>
> [2]
>
> * lisp/url/url-cookie.el (url-cookie-handle-set-cookie):
> Regard a Set-Cookie header as containing a single cookie;
> prefer Max-Age to Expires and convert it to Expires;
> remove support for old time string styles.

[...]

From: Noam Postavsky
To: Lars Ingebrigtsen
Cc: 24757@debbugs.gnu.org, Alain Schneble
Subject: Re: bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
Date: Mon, 30 Jul 2018 22:08:48 -0400

fixed 24757 26.1
unarchive 29282
forcemerge 29282 24757
quit

Lars Ingebrigtsen writes:

> Alain Schneble writes:

>> - The visited cookies file should now contain two cookie entries:
>>   ("en.wikipedia.org"
>>    [url-cookie "WMF-Last-Access" "21-Oct-2016" "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t]
>>    [url-cookie "HttpOnly" nil "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t])
>>   => The second cookie entry is not expected.
>
> I'm unable to reproduce this now, and I seem to vaguely remember this
> being fixed a while ago?  Are you still seeing this, Alan?

As far as I can tell, this was fixed along with Bug#29282 in 26.1.
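
The behaviour discussed in bug#29282 and the phantom "HttpOnly" entry from bug#24757, as an added example that is not part of the thread and is not url-cookie.el code: a parser that treats only the first NAME=VALUE pair as the cookie and prefers Max-Age to Expires, plus a check that lists stored entries named after an attribute keyword. All `demo-` names, the attribute list and the 400-day clamp are assumptions made for the illustration; it assumes Emacs 26 or later.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example; every `demo-' name is hypothetical, not url-cookie.el API.
(require 'subr-x)     ; string-trim
(require 'time-date)  ; date-to-time

(defconst demo-attribute-names
  '("expires" "max-age" "domain" "path" "secure" "httponly" "samesite")
  "Set-Cookie attribute keywords that must not be stored as cookie names.")

(defconst demo-max-age-cap (* 400 24 60 60)
  "Assumed bound (seconds) applied to Max-Age before any time arithmetic.")

(defun demo-parse-set-cookie (header &optional now)
  "Parse one Set-Cookie HEADER value into a plist.
Only the first NAME=VALUE pair is the cookie; later fields are attributes.
NOW is the reference time and defaults to the current time."
  (let* ((now (or now (current-time)))
         (fields (split-string header ";" t "[ \t]+"))
         (pair (car fields))
         (sep (and pair (string-match "=" pair)))
         attrs)
    (unless (and sep (> sep 0))
      (error "Set-Cookie does not start with NAME=VALUE: %S" header))
    (dolist (field (cdr fields))
      (let ((pos (string-match "=" field)))
        ;; A bare keyword such as HTTPOnly gets the value nil.
        (push (cons (downcase (string-trim (substring field 0 pos)))
                    (and pos (string-trim (substring field (1+ pos)))))
              attrs)))
    (setq attrs (nreverse attrs))
    (let* ((max-age (cdr (assoc "max-age" attrs)))
           (expires (cdr (assoc "expires" attrs)))
           (expiry
            (if (and max-age (string-match "\\`-?[0-9]+\\'" max-age))
                ;; Max-Age takes precedence over Expires.  Clamp it so
                ;; time-add only ever sees a bounded number.
                (time-add now (max (- demo-max-age-cap)
                                   (min demo-max-age-cap
                                        (string-to-number max-age))))
              (and expires (ignore-errors (date-to-time expires))))))
      (list :name (substring pair 0 sep)
            :value (substring pair (1+ sep))
            :expiry expiry
            :expired (and expiry (time-less-p expiry now) t)
            :attributes attrs))))

(defun demo-phantom-cookies (storage)
  "Return (HOST . NAME) for each STORAGE entry named like an attribute.
STORAGE has the shape quoted in the thread: ((HOST COOKIE-VECTOR...) ...)."
  (let (hits)
    (dolist (site storage (nreverse hits))
      (dolist (cookie (cdr site))
        (let ((name (aref cookie 1)))
          (when (member (downcase name) demo-attribute-names)
            (push (cons (car site) name) hits)))))))

;; Constructed inputs: the header from the report, the store from bug#24757.
(demo-parse-set-cookie
 "NAME=VALUE; Max-Age=-86400; Expires=Sun, 12 Nov 2017 06:26:31 GMT; Path=/; HTTPOnly")
(demo-phantom-cookies
 '(("en.wikipedia.org"
    [url-cookie "WMF-Last-Access" "21-Oct-2016"
     "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t]
    [url-cookie "HttpOnly" nil
     "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t])))
```

The name-based check is a heuristic: a site may legitimately name a cookie after one of these keywords, so treat a hit as a prompt to inspect the entry rather than as proof of the bug.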