Bug #78162 cURL 7.64.0 does not allow to save cookies from a localserver
Submitted: 2019-06-14 10:58 UTC Modified: 2019-09-18 09:18 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: alexandre at comsoftweb dot pt Assigned: cmb (profile)
Status: Closed Package: cURL related
PHP Version: 7.3.6 OS: Windows
Private report: No CVE-ID: None
 [2019-06-14 10:58 UTC] alexandre at comsoftweb dot pt
Description:
------------
---
From manual page: https://php.net/book.curl
---

> curl version is 7.64.0
> ["features"]=> int(2428829)

This "features" value does not have the PSL bit set (1<<20) which means this curl version suffers from a cookie parsing bug present in 7.64.0, fixed in
7.64.1 (commit 299d9660f85), that made curl not accept cookies on domain names without any dots.

Solution: upgrade (or downgrade) curl.


Test script:
---------------
<?php
// This URL points to a local server; the host name "bluepc" has no dots, and the server returns cookies.
$url = 'http://bluepc/ERPV18/api/Shell/LoginUser/';

// Initiate cURL.
$ch = curl_init($url);

// This cookie file will never have any cookies in it because "bluepc" has no dots.
curl_setopt($ch, CURLOPT_COOKIEJAR, "C:/cookies/cookieFile.txt");

curl_exec($ch);
curl_close($ch);

Expected result:
----------------
The cookie file should have cookies inside, like this:

# Netscape HTTP Cookie File
# https://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

bluepc	FALSE	/	FALSE	0	eti_sessionInfo	YgBsAHUAZQBwAGMAXABzAHEAbAAyADAAMQA3AKcAcwBpAHMAdABlAG0AYQBfAGEAbABhAGMAbwCnAEEATABBAEMATwCnAEUAeAAgADIAMAAxADkApwAxAKcAUABUAC0AUABUAA==




Actual result:
--------------
But it only has the header and it's empty:

# Netscape HTTP Cookie File
# https://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
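
The condition described in the report (libcurl 7.64.0, PSL bit missing from "features", host name without dots) together with a check for a header-only cookie jar, as an added PHP example that is not part of the original report. The function names and the sample jar text are constructed; the version and features values are the ones quoted in the report, and any host without a dot is treated as dotless.

```php
<?php
// Added example (not from the report). PSL_BIT is the (1<<20) flag the report
// cites; function names and the sample jar text are constructed for illustration.
const PSL_BIT = 1 << 20;

// True when the build matches the report: libcurl 7.64.0 without PSL support
// asked to store cookies for a host name that contains no dot.
function affectsDotlessHost(array $ver, string $url): bool
{
    $host = (string) parse_url($url, PHP_URL_HOST);
    return $host !== ''
        && strpos($host, '.') === false
        && $ver['version'] === '7.64.0'
        && ($ver['features'] & PSL_BIT) === 0;
}

// Count cookie records in Netscape cookie-jar text. Lines starting with '#'
// are comments, except the "#HttpOnly_" prefix libcurl uses for HttpOnly cookies.
function countJarCookies(string $jar): int
{
    $n = 0;
    foreach (preg_split('/\R/', $jar) as $line) {
        if (strncmp($line, '#HttpOnly_', 10) === 0) {
            $line = substr($line, 10);
        }
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        // Fields: domain, subdomain flag, path, secure, expiry, name, value.
        if (count(explode("\t", $line)) === 7) {
            $n++;
        }
    }
    return $n;
}

// Values quoted in the report, checked against a dotless and a dotted host.
$reported = ['version' => '7.64.0', 'features' => 2428829];
var_dump(affectsDotlessHost($reported, 'http://bluepc/ERPV18/api/Shell/LoginUser/'));
var_dump(affectsDotlessHost($reported, 'http://bluepc.example/'));

// Constructed header-only jar, as in the "Actual result" above.
$emptyJar = "# Netscape HTTP Cookie File\n# This file was generated by libcurl!\n\n";
var_dump(countJarCookies($emptyJar));

// The same check against the libcurl this PHP build is linked with.
if (function_exists('curl_version')) {
    var_dump(affectsDotlessHost(curl_version(), 'http://bluepc/'));
}
```
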

 [2019-06-14 17:30 UTC] cmb@php.net
-Status: Open +Status: Verified -Package: Unknown/Other Function +Package: cURL related -Assigned To: +Assigned To: cmb
 [2019-06-14 17:30 UTC] cmb@php.net
Thanks for reporting!  I can confirm this issue.

However, upgrading to cURL 7.64.1 is blocked by bug #78007,
upgrading to cURL 7.65.0/1 by bug #78100.  Downgrading is also no
option due to CVE fixes, which have been applied to the
libcurl-7.64.0-3 packages.

We certainly have to keep an eye on this.
 [2019-09-16 14:59 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2019-09-16 14:59 UTC] cmb@php.net
Since there is good progress on bug #78100, I'm closing this ticket.
 [2019-09-17 10:29 UTC] alexandre at comsoftweb dot pt
By closing this ticket I don't know when this is fixed/don't get notified. 

I am waiting for this to install the latest PHP release on a project.

I really need this patched.
 [2019-09-18 09:18 UTC] cmb@php.net
The plan is to upgrade to curl 7.66.1 as soon as it'll be
available.  I'll drop a note here when that has happened.
Last updated: Tue Nov 12 16:01:30 2019 UTC