From 481cbc5ad578bbde804464487add074e8c7d1e76 Mon Sep 17 00:00:00 2001
From: Nicolas George
Date: Sun, 17 Aug 2014 14:09:45 +0200
Subject: [PATCH 1/2] lavf/http: fix cookie parsing.
The current code would use any unknown attribute-value pair as the cookie value. RFC 6265 states that the first key-value pair is the actual cookie, and the attribute-value pairs only start after. With the current code: Set-Cookie: test=good_value; path=/; dummy=42 gives this: Cookie: dummy=42 instead of this with the new code: Cookie: test=good_value
---
 libavformat/http.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/libavformat/http.c b/libavformat/http.c
index 7480834ec3..bd67645e46 100644
--- a/libavformat/http.c
+++ b/libavformat/http.c
@@ -565,8 +565,11 @@ static int get_cookies(HTTPContext *s, char **cookies, const char *path,
 set_cookies = NULL;
 while ((param = av_strtok(cookie, "; ", &next_param))) {
- cookie = NULL;
- if (!av_strncasecmp("path=", param, 5)) {
+ if (cookie) {
+ // first key-value pair is the actual cookie value
+ cvalue = av_strdup(param);
+ cookie = NULL;
+ } else if (!av_strncasecmp("path=", param, 5)) {
 av_free(cpath);
 cpath = av_strdup(¶m[5]);
 } else if (!av_strncasecmp("domain=", param, 7)) {
@@ -581,8 +584,7 @@ static int get_cookies(HTTPContext *s, char **cookies, const char *path,
 !av_strncasecmp("version", param, 7)) {
 // ignore Comment, Max-Age, Secure and Version
 } else {
- av_free(cvalue);
- cvalue = av_strdup(param);
+ // ignore unknown attributes
 }
 }
 if (!cdomain)
From 4bebce06175a6a15253c341c180d95cd97c9494b Mon Sep 17 00:00:00 2001
From: Nicolas George
Date: Sun, 17 Aug 2014 14:24:20 +0200
Subject: [PATCH 2/2] lavf/http: remove special case for cookies attributes.
With the previous change, unknown attributes are all ignored, as specified by the RFC.
---
 libavformat/http.c | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/libavformat/http.c b/libavformat/http.c
index bd67645e46..018d25c9d7 100644
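Review bot: The new `if (cookie)` branch in PATCH 1/2 (hunk `@@ -565,8 +565,11 @@`) stores the first token as the cookie without checking that it contains `=`. RFC 6265 section 5.2 says a set-cookie-string whose name-value pair lacks `=` is ignored entirely, so a guard such as `if (strchr(param, '=')) cvalue = av_strdup(param);` would keep a malformed first token from being sent back as a `Cookie:` value. That relies on the code after the loop rejecting a NULL `cvalue`, which is outside this hunk and should be confirmed. The same later check would also have to cover a failed `av_strdup()`, whose result is not tested here or in the neighbouring `cpath` assignment.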
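Review bot: The `// ignore unknown attributes` comment added in PATCH 1/2 (hunk `@@ -581,8 +584,7 @@`) does not say that the attributes dropped here include ones with a security meaning. The context line above it already lists `Secure` and `Max-Age` as ignored, and none of the visible branches handles an expiry attribute, so a cookie may be kept and sent back more widely than the server asked for. I would word the comment as `// unknown attributes are ignored (RFC 6265 5.2); Secure and expiry are not enforced here`. Whether code outside this hunk restricts Secure cookies to TLS requests cannot be seen from the diff.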
--- a/libavformat/http.c
+++ b/libavformat/http.c
@@ -578,11 +578,6 @@ static int get_cookies(HTTPContext *s, char **cookies, const char *path,
 int leading_dot = (param[7] == '.');
 av_free(cdomain);
 cdomain = av_strdup(¶m[7+leading_dot]);
- } else if (!av_strncasecmp("secure", param, 6) ||
- !av_strncasecmp("comment", param, 7) ||
- !av_strncasecmp("max-age", param, 7) ||
- !av_strncasecmp("version", param, 7)) {
- // ignore Comment, Max-Age, Secure and Version
 } else {
 // ignore unknown attributes
 }