authorKatsumi Yamaoka2017-11-13 23:56:26 +0000
committerKatsumi Yamaoka2017-11-13 23:56:26 +0000
commitcaa39f495c0783dac2d5701100db83ea10f126c0 (patch)
tree01e684afdf4fbc64a4de70cf8390d47e208e2ae2
parent93304e31159ac4e123b26349429cdce0fbd23685 (diff)
Fix cookie handling (bug#29282)
* lisp/url/url-cookie.el (url-cookie-handle-set-cookie): Regard a Set-Cookie header as containing a single cookie; prefer Max-Age to Expires and convert it to Expires; remove support for old time string styles (bug#29282).
-rw-r--r--lisp/url/url-cookie.el53
1 files changed, 13 insertions, 40 deletions
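--- a/lisp/url/url-cookie.el
+++ b/lisp/url/url-cookie.el
@@ -241,7 +241,7 @@ telling Microsoft that."
 
 (defun url-cookie-handle-set-cookie (str)
 (setq url-cookies-changed-since-last-save t)
-(let* ((args (url-parse-args str t))
+(let* ((args (nreverse (url-parse-args str t)))
 (case-fold-search t)
 (secure (and (assoc-string "secure" args t) t))
 (domain (or (cdr-safe (assoc-string "domain" args t))
@@ -249,44 +249,16 @@ telling Microsoft that."
 (current-url (url-view-url t))
 (trusted url-cookie-trusted-urls)
 (untrusted url-cookie-untrusted-urls)
-(expires (cdr-safe (assoc-string "expires" args t)))
+(max-age (cdr-safe (assoc-string "max-age" args t)))
 (localpart (or (cdr-safe (assoc-string "path" args t))
 (file-name-directory
 (url-filename url-current-object))))
-(rest nil))
-(dolist (this args)
-(or (member (downcase (car this)) '("secure" "domain" "expires" "path"))
-(setq rest (cons this rest))))
-
-;; Sometimes we get dates that the timezone package cannot handle very
-;; gracefully - take care of this here, instead of in url-cookie-expired-p
-;; to speed things up.
-(and expires
-(string-match
-(concat "^[^,]+, +\\(..\\)-\\(...\\)-\\(..\\) +"
-"\\(..:..:..\\) +\\[*\\([^]]+\\)\\]*$")
-expires)
-(setq expires (concat (match-string 1 expires) " "
-(match-string 2 expires) " "
-(match-string 3 expires) " "
-(match-string 4 expires) " ["
-(match-string 5 expires) "]")))
-
-;; This one is for older Emacs/XEmacs variants that don't
-;; understand this format without tenths of a second in it.
-;; Wednesday, 30-Dec-2037 16:00:00 GMT
-;; - vs -
-;; Wednesday, 30-Dec-2037 16:00:00.00 GMT
-(and expires
-(string-match
-"\\([0-9]+\\)-\\([A-Za-z]+\\)-\\([0-9]+\\)[ \t]+\\([0-9]+:[0-9]+:[0-9]+\\)\\(\\.[0-9]+\\)*[ \t]+\\([-+a-zA-Z0-9]+\\)"
-expires)
-(setq expires (concat (match-string 1 expires) "-" ; day
-(match-string 2 expires) "-" ; month
-(match-string 3 expires) " " ; year
-(match-string 4 expires) ".00 " ; hour:minutes:seconds
-(match-string 6 expires)))) ":" ; timezone
-
+(expires nil))
+(if (and max-age (string-match "\\`-?[0-9]+\\'" max-age))
+(setq expires (format-time-string "%a %b %d %H:%M:%S %Y GMT"
+(time-add nil (read max-age))
+t))
+(setq expires (cdr-safe (assoc-string "expires" args t))))
 (while (consp trusted)
 (if (string-match (car trusted) current-url)
 (setq trusted (- (match-end 0) (match-beginning 0)))
@@ -310,8 +282,9 @@ telling Microsoft that."
 (not trusted)
 (save-window-excursion
 (with-output-to-temp-buffer "*Cookie Warning*"
-(dolist (x rest)
-(princ (format "%s - %s" (car x) (cdr x)))))
+(princ (format "%s=\"%s\"\n" (caar args) (cdar args)))
+(dolist (x (cdr args))
+(princ (format " %s=\"%s\"\n" (car x) (cdr x)))))
 (prog1
 (not (funcall url-confirmation-func
 (format "Allow %s to set these cookies? "
@@ -322,8 +295,8 @@ telling Microsoft that."
 nil)
 ((url-cookie-host-can-set-p (url-host url-current-object) domain)
 ;; Cookie is accepted by the user, and passes our security checks.
-(dolist (cur rest)
-(url-cookie-store (car cur) (cdr cur) expires domain localpart secure)))
+(url-cookie-store (caar args) (cdar args)
+expires domain localpart secure))
 (t
 (url-lazy-message "%s tried to set a cookie for domain %s - rejected."
 (url-host url-current-object) domain)))))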
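Review bot: In the second hunk, `(read max-age)` is constrained by the `\\`-?[0-9]+\\'` match so it can only yield a number, but Max-Age is supplied by the remote server and an oversized value can push `time-add`/`format-time-string` outside the representable range, signalling an error that aborts the whole Set-Cookie handler (unless a caller catches it) instead of dropping just this cookie. `string-to-number` states the intent more directly than `read`, as in `(time-add nil (string-to-number max-age))`, and wrapping the conversion in `condition-case` that falls back to the Expires attribute or rejects the cookie would contain a malformed header to that one cookie; the function starts in the first hunk and its `let*` spans all four. Separately, in the last hunk `(caar args)` and `(cdar args)` are both nil when `url-parse-args` returns nothing for an empty or malformed header, and `url-cookie-store` is then called with a nil name; whether it rejects that is not visible here, so a guard such as `(and args (url-cookie-host-can-set-p (url-host url-current-object) domain))` in that cond clause would make the rejection explicit and route it to the existing "rejected" message.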