// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Portions of this code based on Mozilla:
//   (netwerk/cookie/src/nsCookieService.cpp)
/* ***** BEGIN LICENSE BLOCK *****
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 *
 * The contents of this file are subject to the Mozilla Public License Version
 * 1.1 (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 * http://www.mozilla.org/MPL/
 *
 * Software distributed under the License is distributed on an "AS IS" basis,
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 * for the specific language governing rights and limitations under the
 * License.
 *
 * The Original Code is mozilla.org code.
 *
 * The Initial Developer of the Original Code is
 * Netscape Communications Corporation.
 * Portions created by the Initial Developer are Copyright (C) 2003
 * the Initial Developer. All Rights Reserved.
 *
 * Contributor(s):
 *   Daniel Witte (dwitte (at) stanford.edu)
 *   Michiel van Leeuwen (mvl (at) exedo.nl)
 *
 * Alternatively, the contents of this file may be used under the terms of
 * either the GNU General Public License Version 2 or later (the "GPL"), or
 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 * in which case the provisions of the GPL or the LGPL are applicable instead
 * of those above. If you wish to allow use of your version of this file only
 * under the terms of either the GPL or the LGPL, and not to allow others to
 * use your version of this file under the terms of the MPL, indicate your
 * decision by deleting the provisions above and replace them with the notice
 * and other provisions required by the GPL or the LGPL. If you do not delete
 * the provisions above, a recipient may use your version of this file under
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */

#include "net/cookies/parsed_cookie.h"

#include "base/logging.h"
#include "base/strings/string_util.h"

namespace {

// Attribute names this parser recognises. They are spelled in lower case
// because ParseTokenValuePairs() lower-cases every attribute name (but not
// the cookie's own name) before SetupAttributes() compares against them.
const char kPathTokenName[] = "path";
const char kDomainTokenName[] = "domain";
const char kExpiresTokenName[] = "expires";
const char kMaxAgeTokenName[] = "max-age";
const char kSecureTokenName[] = "secure";
const char kHttpOnlyTokenName[] = "httponly";
const char kPriorityTokenName[] = "priority";

// Characters that end a cookie line. The set contains an explicit NUL, so its
// length is computed with sizeof (three characters: LF, CR, NUL) instead of
// strlen, which would stop at the embedded NUL.
const char kTerminator[] = "\n\r\0";
const int kTerminatorLen = sizeof(kTerminator) - 1;
const char kWhitespace[] = " \t";
const char kValueSeparator[] = ";";
const char kTokenSeparator[] = ";=";

// Reports whether |c| is one of the characters of the NUL-terminated set
// |chars|.
// Note: strchr() treats the terminating NUL as part of the string, so
// c == '\0' is reported as a member of every set. The parser in this file
// truncates its input at the first NUL (see kTerminator) before seeking.
// TODO(erikwright): maybe make this take an iterator, could check for end also?
inline bool CharIsA(const char c, const char* chars) {
  const char* const hit = strchr(chars, c);
  return hit != NULL;
}

// Advances |*it| until it points at a character contained in |chars| or
// reaches |end|, whichever comes first.
// Returns true if it hit the end, false otherwise.
inline bool SeekTo(std::string::const_iterator* it,
                   const std::string::const_iterator& end,
                   const char* chars) {
  while (*it != end && !CharIsA(**it, chars))
    ++(*it);
  return *it == end;
}

// Seek the iterator to the first occurrence of a character not in |chars|.
// Returns true if it hit the end, false otherwise.
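inline bool SeekPast(std::string::const_iterator* it,
                     const std::string::const_iterator& end,
                     const char* chars) {
  for (; *it != end && CharIsA(**it, chars); ++(*it)) {}
  return *it == end;
}

// Walks |*it| backwards while it points at a character contained in |chars|.
// |end| is the lowest position the iterator may reach; the walk stops there
// without dereferencing it. Returns true if the walk stopped at |end|.
inline bool SeekBackPast(std::string::const_iterator* it,
                         const std::string::const_iterator& end,
                         const char* chars) {
  for (; *it != end && CharIsA(**it, chars); --(*it)) {}
  return *it == end;
}

// Validate whether |value| is a valid token according to [RFC2616],
// Section 2.2: one or more US-ASCII characters, none of which is a control
// character or a separator.
bool IsValidToken(const std::string& value) {
  if (value.empty())
    return false;

  // Check that |value| has no separators.
  static const char kSeparators[] = "()<>@,;:\\\"/[]?={} \t";
  if (value.find_first_of(kSeparators) != std::string::npos)
    return false;

  // Check that |value| has no CTLs and no bytes outside US-ASCII. The
  // comparison is done on unsigned char: where plain char is signed, bytes
  // 0x80-0xFF are negative and would otherwise slip past both range checks,
  // making the result depend on the platform.
  for (std::string::const_iterator i = value.begin(); i != value.end(); ++i) {
    const unsigned char c = static_cast<unsigned char>(*i);
    if (c <= 31 || c >= 127)
      return false;
  }

  return true;
}

// Validate value, which may be according to RFC 6265
// cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
// cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
//                       ; US-ASCII characters excluding CTLs,
//                       ; whitespace DQUOTE, comma, semicolon,
//                       ; and backslash
// An empty value and a bare pair of double quotes are both accepted.
bool IsValidCookieValue(const std::string& value) {
  // Number of characters to skip in validation at beginning and end of string.
  size_t skip = 0;
  if (value.size() >= 2 && *value.begin() == '"' && *(value.end()-1) == '"')
    skip = 1;
  for (std::string::const_iterator i = value.begin() + skip;
       i != value.end() - skip; ++i) {
    // Every accepted range lies within 0x21-0x7E, so bytes with the high bit
    // set are rejected whether plain char is signed or unsigned.
    bool valid_octet =
        (*i == 0x21 ||
         (*i >= 0x23 && *i <= 0x2B) ||
         (*i >= 0x2D && *i <= 0x3A) ||
         (*i >= 0x3C && *i <= 0x5B) ||
         (*i >= 0x5D && *i <= 0x7E));
    if (!valid_octet)
      return false;
  }
  return true;
}

// Returns true for the C0 control range 0x00-0x1F.
// NOTE(review): RFC 2616 also lists DEL (0x7F) as a CTL; it is not rejected
// here. Tightening this would change which Set-Cookie lines are accepted, so
// confirm against callers and compatibility data before changing it.
bool IsControlCharacter(unsigned char c) {
  return c <= 31;
}

// Returns true if |value| contains neither a C0 control character nor ';'.
// This is the check applied to every name and value read from a cookie line.
// DEL and bytes 0x80-0xFF are accepted by this check.
bool IsValidCookieAttributeValue(const std::string& value) {
  // The greatest common denominator of cookie attribute values is
  // <any CHAR except CTLs or ";"> according to RFC 6265.
  for (std::string::const_iterator i = value.begin(); i != value.end(); ++i) {
    if (IsControlCharacter(*i) || *i == ';')
      return false;
  }
  return true;
}

}  // namespace

namespace net {

// Parses |cookie_line| into name/value pairs. A line longer than
// kMaxCookieSize (declared outside this file) is not parsed at all, which
// leaves the object invalid (IsValid() returns false). Only the size of the
// rejected line is logged, never its content.
ParsedCookie::ParsedCookie(const std::string& cookie_line)
    : path_index_(0),
      domain_index_(0),
      expires_index_(0),
      maxage_index_(0),
      secure_index_(0),
      httponly_index_(0),
      priority_index_(0) {

  if (cookie_line.size() > kMaxCookieSize) {
    VLOG(1) << "Not parsing cookie, too large: " << cookie_line.size();
    return;
  }

  ParseTokenValuePairs(cookie_line);
  if (!pairs_.empty())
    SetupAttributes();
}

ParsedCookie::~ParsedCookie() {
}

// A cookie is valid when at least the name/value pair at pairs_[0] exists.
// Oversized lines, lines with control characters and lines whose name and
// value are both empty all end up with an empty pairs_.
bool ParsedCookie::IsValid() const {
  return !pairs_.empty();
}

// Returns the parsed "priority" attribute, or COOKIE_PRIORITY_DEFAULT when the
// attribute is absent (index 0 means "not present").
CookiePriority ParsedCookie::Priority() const {
  return (priority_index_ == 0) ? COOKIE_PRIORITY_DEFAULT :
      StringToCookiePriority(pairs_[priority_index_].second);
}

// Sets the cookie name. Returns false and leaves the cookie unchanged if
// |name| is not a valid RFC 2616 token.
bool ParsedCookie::SetName(const std::string& name) {
  if (!IsValidToken(name))
    return false;
  if (pairs_.empty())
    pairs_.push_back(std::make_pair("", ""));
  pairs_[0].first = name;
  return true;
}

// Sets the cookie value. Returns false and leaves the cookie unchanged if
// |value| is not a valid RFC 6265 cookie-value.
bool ParsedCookie::SetValue(const std::string& value) {
  if (!IsValidCookieValue(value))
    return false;
  if (pairs_.empty())
    pairs_.push_back(std::make_pair("", ""));
  pairs_[0].second = value;
  return true;
}

// The string setters below remove the attribute when given an empty string
// and otherwise add or overwrite it; see SetString().
bool ParsedCookie::SetPath(const std::string& path) {
  return SetString(&path_index_, kPathTokenName, path);
}

bool ParsedCookie::SetDomain(const std::string& domain) {
  return SetString(&domain_index_, kDomainTokenName, domain);
}

bool ParsedCookie::SetExpires(const std::string& expires) {
  return SetString(&expires_index_, kExpiresTokenName, expires);
}

bool ParsedCookie::SetMaxAge(const std::string& maxage) {
  return SetString(&maxage_index_, kMaxAgeTokenName, maxage);
}

// The boolean setters add the value-less attribute when true and remove it
// when false; see SetBool().
bool ParsedCookie::SetIsSecure(bool is_secure) {
  return SetBool(&secure_index_, kSecureTokenName, is_secure);
}

bool ParsedCookie::SetIsHttpOnly(bool is_http_only) {
  return SetBool(&httponly_index_, kHttpOnlyTokenName, is_http_only);
}

bool ParsedCookie::SetPriority(const std::string& priority) {
  return SetString(&priority_index_, kPriorityTokenName, priority);
}

// Serializes the pairs back into a single line, joined with "; ". The
// "secure" and "httponly" attributes are written as bare names; any value
// stored for them is dropped. Nothing is re-validated here: the output is
// only as clean as what the parser and the setters admitted.
std::string ParsedCookie::ToCookieLine() const {
  std::string out;
  for (PairList::const_iterator it = pairs_.begin();
       it != pairs_.end(); ++it) {
    if (!out.empty())
      out.append("; ");
    out.append(it->first);
    if (it->first != kSecureTokenName && it->first != kHttpOnlyTokenName) {
      out.append("=");
      out.append(it->second);
    }
  }
  return out;
}

// Returns an iterator to the first LF, CR or NUL in |s|, or s.end() if there
// is none. Everything from that position on is ignored by the parser.
std::string::const_iterator ParsedCookie::FindFirstTerminator(
    const std::string& s) {
  std::string::const_iterator end = s.end();
  // The explicit length keeps the embedded NUL in the search set.
  size_t term_pos =
      s.find_first_of(std::string(kTerminator, kTerminatorLen));
  if (term_pos != std::string::npos) {
    // We found a character we should treat as an end of string.
    end = s.begin() + term_pos;
  }
  return end;
}

// Parses one token (a name) starting at |*it|. Returns false if only
// whitespace remains before |end|. On success [*token_start, *token_end)
// delimits the token without surrounding whitespace and |*it| is left on the
// separator (';' or '=') or at |end|.
bool ParsedCookie::ParseToken(std::string::const_iterator* it,
                              const std::string::const_iterator& end,
                              std::string::const_iterator* token_start,
                              std::string::const_iterator* token_end) {
  DCHECK(it && token_start && token_end);
  std::string::const_iterator token_real_end;

  // Seek past any whitespace before the "token" (the name).
  // token_start should point at the first character in the token
  if (SeekPast(it, end, kWhitespace))
    return false;  // No token, whitespace or empty.
  *token_start = *it;

  // Seek over the token, to the token separator.
  // token_real_end should point at the token separator, i.e. '='.
  // If it == end after the seek, we probably have a token-value.
  SeekTo(it, end, kTokenSeparator);
  token_real_end = *it;

  // Ignore any whitespace between the token and the token separator.
  // token_end should point after the last interesting token character,
  // pointing at either whitespace, or at '=' (and equal to token_real_end).
  if (*it != *token_start) {  // We could have an empty token name.
    --(*it);  // Go back before the token separator.
    // Skip over any whitespace to the first non-whitespace character.
    // *token_start is the lower bound; it is not whitespace, so the walk
    // cannot move before the start of the token.
    SeekBackPast(it, *token_start, kWhitespace);
    // Point after it.
    ++(*it);
  }
  *token_end = *it;

  // Seek us back to the end of the token.
  *it = token_real_end;
  return true;
}

// Parses one value starting at |*it|. On return [*value_start, *value_end)
// delimits the value without surrounding whitespace (possibly empty) and
// |*it| is left on the ';' separator or at |end|.
void ParsedCookie::ParseValue(std::string::const_iterator* it,
                              const std::string::const_iterator& end,
                              std::string::const_iterator* value_start,
                              std::string::const_iterator* value_end) {
  DCHECK(it && value_start && value_end);

  // Seek past any whitespace that might be in between the token and value.
  SeekPast(it, end, kWhitespace);
  // value_start should point at the first character of the value.
  *value_start = *it;

  // Just look for ';' to terminate ('=' allowed).
  // We can hit the end, maybe they didn't terminate.
  SeekTo(it, end, kValueSeparator);

  // Will be pointed at the ; separator or the end.
  *value_end = *it;

  // Ignore any unwanted whitespace after the value.
  if (*value_end != *value_start) {  // Could have an empty value
    --(*value_end);
    SeekBackPast(value_end, *value_start, kWhitespace);
    ++(*value_end);
  }
}

// Returns the first token of |token| with surrounding whitespace removed, or
// an empty string if there is none. Input is cut at the first terminator.
std::string ParsedCookie::ParseTokenString(const std::string& token) {
  std::string::const_iterator it = token.begin();
  std::string::const_iterator end = FindFirstTerminator(token);

  std::string::const_iterator token_start, token_end;
  if (ParseToken(&it, end, &token_start, &token_end))
    return std::string(token_start, token_end);
  return std::string();
}

// Returns the first value of |value| (up to ';') with surrounding whitespace
// removed. Input is cut at the first terminator.
std::string ParsedCookie::ParseValueString(const std::string& value) {
  std::string::const_iterator it = value.begin();
  std::string::const_iterator end = FindFirstTerminator(value);

  std::string::const_iterator value_start, value_end;
  ParseValue(&it, end, &value_start, &value_end);
  return std::string(value_start, value_end);
}

// Parse all token/value pairs and populate pairs_.
// At most kMaxPairs pairs (declared outside this file) are read; anything
// after that is silently ignored. If any name or value fails
// IsValidCookieAttributeValue() the whole line is discarded, not just the
// offending pair.
void ParsedCookie::ParseTokenValuePairs(const std::string& cookie_line) {
  pairs_.clear();

  // Ok, here we go.  We should be expecting to be starting somewhere
  // before the cookie line, not including any header name...
  std::string::const_iterator start = cookie_line.begin();
  std::string::const_iterator it = start;

  // TODO(erikwright): Make sure we're stripping \r\n in the network code.
  // Then we can log any unexpected terminators.
  std::string::const_iterator end = FindFirstTerminator(cookie_line);

  for (int pair_num = 0; pair_num < kMaxPairs && it != end; ++pair_num) {
    TokenValuePair pair;

    std::string::const_iterator token_start, token_end;
    if (!ParseToken(&it, end, &token_start, &token_end))
      break;

    if (it == end || *it != '=') {
      // We have a token-value, we didn't have any token name.
      if (pair_num == 0) {
        // For the first time around, we want to treat single values
        // as a value with an empty name. (Mozilla bug 169091).
        // IE seems to also have this behavior, ex "AAA", and "AAA=10" will
        // set 2 different cookies, and setting "BBB" will then replace "AAA".
        pair.first = "";
        // Rewind to the beginning of what we thought was the token name,
        // and let it get parsed as a value.
        it = token_start;
      } else {
        // Any not-first attribute we want to treat a value as a
        // name with an empty value...  This is so something like
        // "secure;" will get parsed as a Token name, and not a value.
        pair.first = std::string(token_start, token_end);
      }
    } else {
      // We have a TOKEN=VALUE.
      pair.first = std::string(token_start, token_end);
      ++it;  // Skip past the '='.
    }

    // OK, now try to parse a value.
    std::string::const_iterator value_start, value_end;
    ParseValue(&it, end, &value_start, &value_end);

    // OK, we're finished with a Token/Value.
    pair.second = std::string(value_start, value_end);

    // From RFC2109: "Attributes (names) (attr) are case-insensitive."
    // The cookie's own name (pair 0) keeps its case.
    if (pair_num != 0)
      base::StringToLowerASCII(&pair.first);
    // Ignore Set-Cookie directives containing control characters. See
    // http://crbug.com/238041.
    if (!IsValidCookieAttributeValue(pair.first) ||
        !IsValidCookieAttributeValue(pair.second)) {
      pairs_.clear();
      break;
    }

    pairs_.push_back(pair);

    // We've processed a token/value pair, we're either at the end of
    // the string or a ValueSeparator like ';', which we want to skip.
    if (it != end)
      ++it;
  }
}

// Records where each known attribute lives in pairs_. Requires a non-empty
// pairs_. When an attribute appears more than once, the index of the last
// occurrence is the one kept, so the last occurrence is the one the index
// refers to.
void ParsedCookie::SetupAttributes() {
  // Ignore Set-Cookie directive where name and value are both empty.
  if (pairs_[0].first.empty() && pairs_[0].second.empty()) {
    pairs_.clear();
    return;
  }

  // We skip over the first token/value, the user supplied one.
  for (size_t i = 1; i < pairs_.size(); ++i) {
    if (pairs_[i].first == kPathTokenName) {
      path_index_ = i;
    } else if (pairs_[i].first == kDomainTokenName) {
      domain_index_ = i;
    } else if (pairs_[i].first == kExpiresTokenName) {
      expires_index_ = i;
    } else if (pairs_[i].first == kMaxAgeTokenName) {
      maxage_index_ = i;
    } else if (pairs_[i].first == kSecureTokenName) {
      secure_index_ = i;
    } else if (pairs_[i].first == kHttpOnlyTokenName) {
      httponly_index_ = i;
    } else if (pairs_[i].first == kPriorityTokenName) {
      priority_index_ = i;
    } else {
      /* some attribute we don't know or don't care about. */
    }
  }
}

// Sets the string attribute |key| tracked by |*index|. An empty |value|
// removes the attribute and always succeeds; otherwise the result of
// SetAttributePair() is returned.
bool ParsedCookie::SetString(size_t* index,
                             const std::string& key,
                             const std::string& value) {
  if (value.empty()) {
    ClearAttributePair(*index);
    return true;
  } else {
    return SetAttributePair(index, key, value);
  }
}

// Sets the value-less attribute |key| tracked by |*index|. false removes the
// attribute and always succeeds; true stores it with an empty value.
bool ParsedCookie::SetBool(size_t* index,
                           const std::string& key,
                           bool value) {
  if (!value) {
    ClearAttributePair(*index);
    return true;
  } else {
    return SetAttributePair(index, key, std::string());
  }
}

// Adds or overwrites the attribute |key|. Returns false, changing nothing, if
// |key| is not a valid token, |value| contains a control character or ';',
// or the cookie has no name/value pair yet.
bool ParsedCookie::SetAttributePair(size_t* index,
                                    const std::string& key,
                                    const std::string& value) {
  if (!(IsValidToken(key) && IsValidCookieAttributeValue(value)))
    return false;
  if (!IsValid())
    return false;
  if (*index) {
    pairs_[*index].second = value;
  } else {
    pairs_.push_back(std::make_pair(key, value));
    *index = pairs_.size() - 1;
  }
  return true;
}

// Removes the pair at |index| and re-bases every attribute index that
// pointed at or past it, so the remaining indexes stay in step with pairs_.
void ParsedCookie::ClearAttributePair(size_t index) {
  // The first pair (name/value of cookie at pairs_[0]) cannot be cleared.
  // Cookie attributes that don't have a value at the moment, are represented
  // with an index being equal to 0.
  if (index == 0)
    return;

  size_t* indexes[] = { &path_index_, &domain_index_, &expires_index_,
                        &maxage_index_, &secure_index_, &httponly_index_,
                        &priority_index_ };
  for (size_t i = 0; i < arraysize(indexes); ++i) {
    if (*indexes[i] == index)
      *indexes[i] = 0;
    else if (*indexes[i] > index)
      --*indexes[i];
  }
  pairs_.erase(pairs_.begin() + index);
}

}  // namespace net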