/src/curl/lib/cookie.h

Source (jump to first uncovered line)
#ifndef HEADER_CURL_COOKIE_H
#define HEADER_CURL_COOKIE_H
/***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at https://curl.se/docs/copyright.html.
 *
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * SPDX-License-Identifier: curl
 *
 ***************************************************************************/
#include "curl_setup.h"

#include <curl/curl.h>

#include "llist.h"

struct Cookie {
  struct Curl_llist_node node; /* for the main cookie list */
  struct Curl_llist_node getnode; /* for getlist */
  char *name;         /* <this> = value */
  char *value;        /* name = <this> */
  char *path;         /* path = <this> which is in Set-Cookie: */
  char *spath;        /* sanitized cookie path */
  char *domain;       /* domain = <this> */
  curl_off_t expires; /* expires = <this> */
  unsigned int creationtime; /* time when the cookie was written */
  BIT(tailmatch);     /* tail-match the domain name */
  BIT(secure);        /* the 'secure' keyword was used */
  BIT(livecookie);    /* updated from a server, not a stored file */
  BIT(httponly);      /* the httponly directive is present */
  BIT(prefix_secure); /* secure prefix is set */
  BIT(prefix_host);   /* host prefix is set */
};

/*
 * Available cookie prefixes, as defined in
 * draft-ietf-httpbis-rfc6265bis-02
 */
#define COOKIE_PREFIX__SECURE (1<<0)
#define COOKIE_PREFIX__HOST (1<<1)

#define COOKIE_HASH_SIZE 63

struct CookieInfo {
  /* linked lists of cookies we know of */
  struct Curl_llist cookielist[COOKIE_HASH_SIZE];
  curl_off_t next_expiration; /* the next time at which expiration happens */
  unsigned int numcookies;  /* number of cookies in the "jar" */
  unsigned int lastct;      /* last creation-time used in the jar */
  BIT(running);    /* state info, for cookie adding information */
  BIT(newsession); /* new session, discard session cookies on load */
};

/* The maximum sizes we accept for cookies. RFC 6265 section 6.1 says
   "general-use user agents SHOULD provide each of the following minimum
   capabilities":

   - At least 4096 bytes per cookie (as measured by the sum of the length of
     the cookie's name, value, and attributes).
   In the 6265bis draft document section 5.4 it is phrased even stronger: "If
   the sum of the lengths of the name string and the value string is more than
   4096 octets, abort these steps and ignore the set-cookie-string entirely."
*/

/** Limits for INCOMING cookies **/

/* The longest we allow a line to be when reading a cookie from an HTTP header
   or from a cookie jar */
#define MAX_COOKIE_LINE 5000

/* Maximum length of an incoming cookie name or content we deal with. Longer
   cookies are ignored. */
#define MAX_NAME 4096

/* Maximum number of Set-Cookie: lines accepted in a single response. If more
   such header lines are received, they are ignored. This value must be less
   than 256 since an unsigned char is used to count. */
#define MAX_SET_COOKIE_AMOUNT 50

/** Limits for OUTGOING cookies **/

/* Maximum size for an outgoing cookie line libcurl will use in an http
   request. This is the default maximum length used in some versions of Apache
   httpd. */
#define MAX_COOKIE_HEADER_LEN 8190

/* Maximum number of cookies libcurl will send in a single request, even if
   there might be more cookies that match. One reason to cap the number is to
   keep the maximum HTTP request within the maximum allowed size. */
#define MAX_COOKIE_SEND_AMOUNT 150

struct Curl_easy;
/*
 * Add a cookie to the internal list of cookies. The domain and path arguments
 * are only used if the header boolean is TRUE.
 */

struct Cookie *Curl_cookie_add(struct Curl_easy *data,
                               struct CookieInfo *c, bool header,
                               bool noexpiry, const char *lineptr,
                               const char *domain, const char *path,
                               bool secure);

int Curl_cookie_getlist(struct Curl_easy *data,
                        struct CookieInfo *c, const char *host,
                        const char *path, bool secure,
                        struct Curl_llist *list);
void Curl_cookie_clearall(struct CookieInfo *cookies);
void Curl_cookie_clearsess(struct CookieInfo *cookies);

#if defined(CURL_DISABLE_HTTP) || defined(CURL_DISABLE_COOKIES)
#define Curl_cookie_list(x) NULL
#define Curl_cookie_loadfiles(x) Curl_nop_stmt
#define Curl_cookie_init(x,y,z,w) NULL
#define Curl_cookie_cleanup(x) Curl_nop_stmt
#define Curl_flush_cookies(x,y) Curl_nop_stmt
#else
void Curl_flush_cookies(struct Curl_easy *data, bool cleanup);
void Curl_cookie_cleanup(struct CookieInfo *c);
struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
                                    const char *file, struct CookieInfo *inc,
                                    bool newsession);
struct curl_slist *Curl_cookie_list(struct Curl_easy *data);
void Curl_cookie_loadfiles(struct Curl_easy *data);
#endif

#endif /* HEADER_CURL_COOKIE_H */

Coverage Report

Created: 2025-07-12 06:28

Line	Count	Source (jump to first uncovered line)
1		#ifndef HEADER_CURL_COOKIE_H
2		#define HEADER_CURL_COOKIE_H
3		/***************************************************************************
4		* _ _ ____ _
5		* Project ___\| \| \| \| _ \\| \|
6		* / __\| \| \| \| \|_) \| \|
7		* \| (__\| \|_\| \| _ <\| \|___
8		* \___\|\___/\|_\| \_\_____\|
9		*
10		* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
11		*
12		* This software is licensed as described in the file COPYING, which
13		* you should have received as part of this distribution. The terms
14		* are also available at https://curl.se/docs/copyright.html.
15		*
16		* You may opt to use, copy, modify, merge, publish, distribute and/or sell
17		* copies of the Software, and permit persons to whom the Software is
18		* furnished to do so, under the terms of the COPYING file.
19		*
20		* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
21		* KIND, either express or implied.
22		*
23		* SPDX-License-Identifier: curl
24		*
25		***************************************************************************/
26		#include "curl_setup.h"
27
28		#include <curl/curl.h>
29
30		#include "llist.h"
31
32		struct Cookie {
33		struct Curl_llist_node node; /* for the main cookie list */
34		struct Curl_llist_node getnode; /* for getlist */
35		char name; / <this> = value */
36		char value; / name = <this> */
37		char path; / path = <this> which is in Set-Cookie: */
38		char spath; / sanitized cookie path */
39		char domain; / domain = <this> */
40		curl_off_t expires; /* expires = <this> */
41		unsigned int creationtime; /* time when the cookie was written */
42		BIT(tailmatch); /* tail-match the domain name */
43		BIT(secure); /* the 'secure' keyword was used */
44		BIT(livecookie); /* updated from a server, not a stored file */
45		BIT(httponly); /* the httponly directive is present */
46		BIT(prefix_secure); /* secure prefix is set */
47		BIT(prefix_host); /* host prefix is set */
48		};
49
50		/*
51		* Available cookie prefixes, as defined in
52		* draft-ietf-httpbis-rfc6265bis-02
53		*/
54		#define COOKIE_PREFIX__SECURE (1<<0)
55		#define COOKIE_PREFIX__HOST (1<<1)
56
57	850k	#define COOKIE_HASH_SIZE 63
58
59		struct CookieInfo {
60		/* linked lists of cookies we know of */
61		struct Curl_llist cookielist[COOKIE_HASH_SIZE];
62		curl_off_t next_expiration; /* the next time at which expiration happens */
63		unsigned int numcookies; /* number of cookies in the "jar" */
64		unsigned int lastct; /* last creation-time used in the jar */
65		BIT(running); /* state info, for cookie adding information */
66		BIT(newsession); /* new session, discard session cookies on load */
67		};
68
69		/* The maximum sizes we accept for cookies. RFC 6265 section 6.1 says
70		"general-use user agents SHOULD provide each of the following minimum
71		capabilities":
72
73		- At least 4096 bytes per cookie (as measured by the sum of the length of
74		the cookie's name, value, and attributes).
75		In the 6265bis draft document section 5.4 it is phrased even stronger: "If
76		the sum of the lengths of the name string and the value string is more than
77		4096 octets, abort these steps and ignore the set-cookie-string entirely."
78		*/
79
80		/ Limits for INCOMING cookies /
81
82		/* The longest we allow a line to be when reading a cookie from an HTTP header
83		or from a cookie jar */
84	1.24k	#define MAX_COOKIE_LINE 5000
85
86		/* Maximum length of an incoming cookie name or content we deal with. Longer
87		cookies are ignored. */
88	70.2k	#define MAX_NAME 4096
89
90		/* Maximum number of Set-Cookie: lines accepted in a single response. If more
91		such header lines are received, they are ignored. This value must be less
92		than 256 since an unsigned char is used to count. */
93	1.79k	#define MAX_SET_COOKIE_AMOUNT 50
94
95		/ Limits for OUTGOING cookies /
96
97		/* Maximum size for an outgoing cookie line libcurl will use in an http
98		request. This is the default maximum length used in some versions of Apache
99		httpd. */
100	0	#define MAX_COOKIE_HEADER_LEN 8190
101
102		/* Maximum number of cookies libcurl will send in a single request, even if
103		there might be more cookies that match. One reason to cap the number is to
104		keep the maximum HTTP request within the maximum allowed size. */
105	0	#define MAX_COOKIE_SEND_AMOUNT 150
106
107		struct Curl_easy;
108		/*
109		* Add a cookie to the internal list of cookies. The domain and path arguments
110		* are only used if the header boolean is TRUE.
111		*/
112
113		struct Cookie Curl_cookie_add(struct Curl_easy data,
114		struct CookieInfo *c, bool header,
115		bool noexpiry, const char *lineptr,
116		const char domain, const char path,
117		bool secure);
118
119		int Curl_cookie_getlist(struct Curl_easy *data,
120		struct CookieInfo c, const char host,
121		const char *path, bool secure,
122		struct Curl_llist *list);
123		void Curl_cookie_clearall(struct CookieInfo *cookies);
124		void Curl_cookie_clearsess(struct CookieInfo *cookies);
125
126		#if defined(CURL_DISABLE_HTTP) \|\| defined(CURL_DISABLE_COOKIES)
127		#define Curl_cookie_list(x) NULL
128		#define Curl_cookie_loadfiles(x) Curl_nop_stmt
129		#define Curl_cookie_init(x,y,z,w) NULL
130		#define Curl_cookie_cleanup(x) Curl_nop_stmt
131		#define Curl_flush_cookies(x,y) Curl_nop_stmt
132		#else
133		void Curl_flush_cookies(struct Curl_easy *data, bool cleanup);
134		void Curl_cookie_cleanup(struct CookieInfo *c);
135		struct CookieInfo Curl_cookie_init(struct Curl_easy data,
136		const char file, struct CookieInfo inc,
137		bool newsession);
138		struct curl_slist Curl_cookie_list(struct Curl_easy data);
139		void Curl_cookie_loadfiles(struct Curl_easy *data);
140		#endif
141
142		#endif /* HEADER_CURL_COOKIE_H */