|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78162 cURL 7.64.0 does not allow to save cookies from a localserver
Submitted: 2019-06-14 10:58 UTC Modified: 2019-11-22 08:20 UTC
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: alexandre at comsoftweb dot pt Assigned: cmb (profile)
Status: Closed Package: cURL related
PHP Version: 7.3.6 OS: Windows
Private report: No CVE-ID: None
 [2019-06-14 10:58 UTC] alexandre at comsoftweb dot pt
From manual page:

> curl version is 7.64.0
> ["features"]=> int(2428829)

This "features" value does not have the PSL bit set (1<<20) which means this curl version suffers from a cookie parsing bug present in 7.64.0, fixed in
7.64.1 (commit 299d9660f85), that made curl not accept cookies on domain names without any dots.

Solution: upgrade (or downgrade) curl.

Test script:
//this url is a local server, so bluepc has no dots in this url returns cookies

$url = 'http://bluepc/ERPV18/api/Shell/LoginUser/';
//Initiate cURL.
$ch = curl_init($url);

//thiscookie file will never have any cookies in it because bluepc has no dots
curl_setopt($ch, CURLOPT_COOKIEJAR, "C:/cookies/cookieFile.txt");


Expected result:
cookiefile should have cookies inside like this

# Netscape HTTP Cookie File
# This file was generated by libcurl! Edit at your own risk.


Actual result:
but it only has the header and its empty 

# Netscape HTTP Cookie File
# This file was generated by libcurl! Edit at your own risk.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2019-06-14 17:30 UTC]
-Status: Open +Status: Verified -Package: Unknown/Other Function +Package: cURL related -Assigned To: +Assigned To: cmb
 [2019-06-14 17:30 UTC]
Thanks for reporting!  I can confirm this issue.

However, upgrading to cURL 7.64.1 is blocked by bug #78007,
upgrading to cURL 7.65.0/1 by bug #78100.  Downgrading is also no
option due to CVE fixes, which have been applied to the
libcurl-7.64.0-3 packages.

We certainly have to keep an eye on this.
 [2019-09-16 14:59 UTC]
-Status: Verified +Status: Closed
 [2019-09-16 14:59 UTC]
Since there is good progress on bug #78100, I'm closing this ticket.
 [2019-09-17 10:29 UTC] alexandre at comsoftweb dot pt
By closing this ticket I don't know when this is fixed/don't get notified. 

I am waiting for this to install the latest PHP release on a project.

I really need this patched
 [2019-09-18 09:18 UTC]
The plan is to upgrade to curl 7.66.1 as soon as it'll be
available.  I'll drop a note here when that happened.
 [2019-11-22 08:20 UTC]
The 7.2 and 7.3 branches have just been upgraded to curl 7.67.0,
so PHP for Windows 7.2.26, 7.3.13 and 7.4.0 will be build against
that version (or possibly later).
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sun Jun 20 20:01:24 2021 UTC