|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78162 cURL 7.64.0 does not allow to save cookies from a localserver
Submitted: 2019-06-14 10:58 UTC Modified: 2019-09-18 09:18 UTC
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: alexandre at comsoftweb dot pt Assigned: cmb (profile)
Status: Closed Package: cURL related
PHP Version: 7.3.6 OS: Windows
Private report: No CVE-ID: None
 [2019-06-14 10:58 UTC] alexandre at comsoftweb dot pt
From manual page:

> curl version is 7.64.0
> ["features"]=> int(2428829)

This "features" value does not have the PSL bit set (1<<20) which means this curl version suffers from a cookie parsing bug present in 7.64.0, fixed in
7.64.1 (commit 299d9660f85), that made curl not accept cookies on domain names without any dots.

Solution: upgrade (or downgrade) curl.

Test script:
//this url is a local server, so bluepc has no dots in this url returns cookies

$url = 'http://bluepc/ERPV18/api/Shell/LoginUser/';
//Initiate cURL.
$ch = curl_init($url);

//thiscookie file will never have any cookies in it because bluepc has no dots
curl_setopt($ch, CURLOPT_COOKIEJAR, "C:/cookies/cookieFile.txt");


Expected result:
cookiefile should have cookies inside like this

# Netscape HTTP Cookie File
# This file was generated by libcurl! Edit at your own risk.


Actual result:
but it only has the header and its empty 

# Netscape HTTP Cookie File
# This file was generated by libcurl! Edit at your own risk.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2019-06-14 17:30 UTC]
-Status: Open +Status: Verified -Package: Unknown/Other Function +Package: cURL related -Assigned To: +Assigned To: cmb
 [2019-06-14 17:30 UTC]
Thanks for reporting!  I can confirm this issue.

However, upgrading to cURL 7.64.1 is blocked by bug #78007,
upgrading to cURL 7.65.0/1 by bug #78100.  Downgrading is also no
option due to CVE fixes, which have been applied to the
libcurl-7.64.0-3 packages.

We certainly have to keep an eye on this.
 [2019-09-16 14:59 UTC]
-Status: Verified +Status: Closed
 [2019-09-16 14:59 UTC]
Since there is good progress on bug #78100, I'm closing this ticket.
 [2019-09-17 10:29 UTC] alexandre at comsoftweb dot pt
By closing this ticket I don't know when this is fixed/don't get notified. 

I am waiting for this to install the latest PHP release on a project.

I really need this patched
 [2019-09-18 09:18 UTC]
The plan is to upgrade to curl 7.66.1 as soon as it'll be
available.  I'll drop a note here when that happened.
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Tue Nov 12 16:01:30 2019 UTC