php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78162 cURL 7.64.0 does not allow to save cookies from a localserver
Submitted: 2019-06-14 10:58 UTC Modified: 2019-11-22 08:20 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: alexandre at comsoftweb dot pt Assigned: cmb (profile)
Status: Closed Package: cURL related
PHP Version: 7.3.6 OS: Windows
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: alexandre at comsoftweb dot pt
New email:
PHP Version: OS:

 

 [2019-06-14 10:58 UTC] alexandre at comsoftweb dot pt
Description:
------------
---
From manual page: https://php.net/book.curl
---

> curl version is 7.64.0
> ["features"]=> int(2428829)

This "features" value does not have the PSL bit set (1<<20) which means this curl version suffers from a cookie parsing bug present in 7.64.0, fixed in
7.64.1 (commit 299d9660f85), that made curl not accept cookies on domain names without any dots.

Solution: upgrade (or downgrade) curl.


Test script:
---------------
//this url is a local server, so bluepc has no dots in this url returns cookies

$url = 'http://bluepc/ERPV18/api/Shell/LoginUser/';
//Initiate cURL.
$ch = curl_init($url);

//thiscookie file will never have any cookies in it because bluepc has no dots
curl_setopt($ch, CURLOPT_COOKIEJAR, "C:/cookies/cookieFile.txt");

curl_exec($ch);
curl_close($ch);

Expected result:
----------------
cookiefile should have cookies inside like this

# Netscape HTTP Cookie File
# https://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

bluepc	FALSE	/	FALSE	0	eti_sessionInfo	YgBsAHUAZQBwAGMAXABzAHEAbAAyADAAMQA3AKcAcwBpAHMAdABlAG0AYQBfAGEAbABhAGMAbwCnAEEATABBAEMATwCnAEUAeAAgADIAMAAxADkApwAxAKcAUABUAC0AUABUAA==




Actual result:
--------------
but it only has the header and its empty 

# Netscape HTTP Cookie File
# https://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-06-14 17:30 UTC] cmb@php.net
-Status: Open +Status: Verified -Package: Unknown/Other Function +Package: cURL related -Assigned To: +Assigned To: cmb
 [2019-06-14 17:30 UTC] cmb@php.net
Thanks for reporting!  I can confirm this issue.

However, upgrading to cURL 7.64.1 is blocked by bug #78007,
upgrading to cURL 7.65.0/1 by bug #78100.  Downgrading is also no
option due to CVE fixes, which have been applied to the
libcurl-7.64.0-3 packages.

We certainly have to keep an eye on this.
 [2019-09-16 14:59 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2019-09-16 14:59 UTC] cmb@php.net
Since there is good progress on bug #78100, I'm closing this ticket.
 [2019-09-17 10:29 UTC] alexandre at comsoftweb dot pt
By closing this ticket I don't know when this is fixed/don't get notified. 

I am waiting for this to install the latest PHP release on a project.

I really need this patched
 [2019-09-18 09:18 UTC] cmb@php.net
The plan is to upgrade to curl 7.66.1 as soon as it'll be
available.  I'll drop a note here when that happened.
 [2019-11-22 08:20 UTC] cmb@php.net
The 7.2 and 7.3 branches have just been upgraded to curl 7.67.0,
so PHP for Windows 7.2.26, 7.3.13 and 7.4.0 will be build against
that version (or possibly later).
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Nov 06 21:01:29 2024 UTC