#1221 Problems with cookies and numerical IPv6 addresses

closed-fixed
cookies (5)
5
2013-06-21
2013-05-06
Stefan Neis
No

In testing our application linked with libcurl-7.30.0 we encountered some problems with cookies when using IPv6 addresses directly. Upon inspecting the source code in lib/cookie.c, I (believe I) identified two immediate problems:

  • In Curl_cookie_add, if you're using HTTP header-style, there's a test that the "domain" contains at least two dots. This is of course fine for real "domain names" and I'm unsure if that code is also used to handle IP adresses of servers (e.g. when connecting to say 192.168.18.33 instead of demo.local.net), but if it is used, it "obviously" only works for IPv4 addresses (containing dots) but not for IPv6 addresses (containing colons only).
  • Still in Curl_cookie_add, if you're not using HTTP header-style, there is this nice check:
  /`*` Here's a quick check to eliminate normal HTTP-headers from this `*`/
  if(!firstptr || strchr(firstptr, ':')) {
     free(co);
     return NULL;
  }

This "of course" not only throws HTTP-headers away, but also leads to ignore IPv6 addresses.

The result is that I'm unable to set cookies that should be send to a specific IPv6 host. Using curl_easy_getinfo(.., CURLINFO_COOKIELIST,...), I obtain something like e.g. "#HttpOnly_2001:0db8:85a3:08d3:1319:8a2e:0370:7344\tFALSE\t\tFALSE\t0\tJSESSIONID\t1234", but trying to set it via curl_easy_setopt(..., CURLOPT_COOKIELIST,...) fails (IMHO because of the above mentioned check for colons).

Assuming this gets fixed, there might be another problem waiting in Curl_cookie_getlist, where I don't really know whether or not the host passed in still has the square brackets or not - checking 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 against [2001:0db8:85a3:08d3:1319:8a2e:0370:7344] with Curl_raw_equal wouldn't work, would it.

Discussion

  • Daniel Stenberg

    Daniel Stenberg - 2013-05-07
    • labels: --> cookies
    • summary: Problems with cookies and IPv6, up to current version --> Problems with cookies and numerical IPv6 addresses
    • status: open --> open-confirmed
    • assigned_to: Daniel Stenberg
     
  • Daniel Stenberg

    Daniel Stenberg - 2013-05-21
    • status: open-confirmed --> closed-fixed
     
  • Daniel Stenberg

    Daniel Stenberg - 2013-05-21

    Thanks a lot for your detailed and thorough report. I believe I've these problems now in commit 85b9dc80232d1d7. Unfortunately I haven't yet added any test cases that verify this so I'll appreciate if you give this a test and see if it works for you now!

     

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks