bug#29282: 26.0.90; url-cookie.el: a cookie handling bug
From: Katsumi Yamaoka
Subject: bug#29282: 26.0.90; url-cookie.el: a cookie handling bug
Date: Tue, 14 Nov 2017 08:57:51 +0900
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (i686-pc-cygwin)

I've installed the patch (slightly improved) in emacs-26.
Eww and url package users may want to remove the old cookie store.
> An easy way to do that is to shut down Emacs and to delete
> the "~/.emacs.d/url/cookies" file.
Thanks.
On Mon, 13 Nov 2017 17:43:52 +0900, Katsumi Yamaoka wrote:
> Hi,
> A cookie is fed from a web site via the Set-Cookie header like
> this:
> Set-Cookie: NAME=VALUE; Max-Age=-86400; Expires=Sun, 12 Nov 2017 06:26:31 GMT; Path=/; HTTPOnly
> In this case, NAME and VALUE appearing at the beginning are the
> cookie, and the others are its attributes. However, url-cookie
> recognizes Max-Age, HTTPOnly, etc. as individual cookies, and
> sends them to the web site when a user posts forms in the page.
> This will cause "500 Internal Server Error" on some web sites[1].
> In addition, although Max-Age should be preferred to Expires[2],
> url-cookie doesn't process it.
> A patch is below.
> [1] Try visiting <https://help.openstreetmap.org> and
> <https://help.openstreetmap.org/questions/5356/who-edited-my-map-corrections-and-made-it-all-wrong-again/5357>
> in turn using eww.
> To try the patched url-cookie.el, you have to delete those bogus
> cookies in advance. An easy way to do that is to shut down Emacs
> and to delete the "~/.emacs.d/url/cookies" file.
> [2] <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie>
> * lisp/url/url-cookie.el (url-cookie-handle-set-cookie):
> Regard a Set-Cookie header as it contains a single cookie;
> prefer Max-Age to Expires and convert it to Expires;
> remove support for old time string styles.
[...]
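
The parsing rule described in the report, as an added Emacs Lisp example that is not part of the original message and is not the patch installed in url-cookie.el: only the first NAME=VALUE pair of a Set-Cookie header is the cookie, the remaining fields are its attributes, and Max-Age takes precedence over Expires. The `demo-` function names and the plist layout are hypothetical, and the sample header is constructed from the one quoted above.

```elisp
;; Added illustration, not the url-cookie.el patch; `demo-' names are hypothetical.
(require 'subr-x)     ; string-trim, string-empty-p
(require 'time-date)  ; date-to-time

(defun demo-split-on-equals (s)
  "Split S at its first \"=\" into (NAME . VALUE); VALUE is nil without \"=\"."
  (let ((i (string-match "=" s)))
    (if i
        (cons (string-trim (substring s 0 i))
              (string-trim (substring s (1+ i))))
      (cons (string-trim s) nil))))

(defun demo-parse-set-cookie (header now)
  "Parse one Set-Cookie HEADER value; NOW is the current time in float seconds.
Return a plist, or nil without a leading NAME=VALUE; :expires nil means session."
  (let* ((parts (split-string header ";" t "[ \t]+"))
         (pair (and parts (demo-split-on-equals (car parts))))
         max-age expires path httponly secure)
    (when (and pair (cdr pair) (not (string-empty-p (car pair))))
      (dolist (attr (cdr parts))
        (let* ((kv (demo-split-on-equals attr))
               (key (downcase (car kv)))  ; attribute names are case-insensitive
               (val (cdr kv)))
          (cond
           ((and (string= key "max-age") val
                 (string-match-p "\\`-?[0-9]+\\'" val))
            (setq max-age (string-to-number val)))
           ((and (string= key "expires") val)
            (setq expires (ignore-errors (float-time (date-to-time val)))))
           ((string= key "path") (setq path val))
           ((string= key "httponly") (setq httponly t))
           ((string= key "secure") (setq secure t)))))
      ;; Only the first pair is the cookie.  Max-Age wins over Expires.
      (list :name (car pair) :value (cdr pair)
            :expires (if max-age (+ now max-age) expires)
            :path path :httponly httponly :secure secure))))

(defun demo-cookie-expired-p (cookie now)
  "Non-nil if COOKIE, a plist from `demo-parse-set-cookie', is expired at NOW."
  (let ((expiry (plist-get cookie :expires)))
    (and expiry (<= expiry now))))

;; Constructed input modelled on the header quoted in the report.
(let* ((now (float-time))
       (c (demo-parse-set-cookie
           "NAME=VALUE; Max-Age=-86400; Expires=Sun, 12 Nov 2017 06:26:31 GMT; Path=/; HTTPOnly"
           now)))
  (message "%s=%s httponly=%s expired=%s" (plist-get c :name) (plist-get c :value)
           (plist-get c :httponly) (demo-cookie-expired-p c now)))
```

Evaluating the final form yields a single cookie named NAME; Max-Age, Expires, Path and HTTPOnly end up as properties of that cookie rather than as separate cookies to be sent back, and the negative Max-Age marks it as already expired.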