1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 // Portions of this code based on Mozilla:
6 // (netwerk/cookie/src/nsCookieService.cpp)
7 /* ***** BEGIN LICENSE BLOCK *****
8 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
10 * The contents of this file are subject to the Mozilla Public License Version
11 * 1.1 (the "License"); you may not use this file except in compliance with
12 * the License. You may obtain a copy of the License at
13 * http://www.mozilla.org/MPL/
15 * Software distributed under the License is distributed on an "AS IS" basis,
16 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
17 * for the specific language governing rights and limitations under the
18 * License.
20 * The Original Code is mozilla.org code.
22 * The Initial Developer of the Original Code is
23 * Netscape Communications Corporation.
24 * Portions created by the Initial Developer are Copyright (C) 2003
25 * the Initial Developer. All Rights Reserved.
27 * Contributor(s):
28 * Daniel Witte (dwitte@stanford.edu)
29 * Michiel van Leeuwen (mvl@exedo.nl)
31 * Alternatively, the contents of this file may be used under the terms of
32 * either the GNU General Public License Version 2 or later (the "GPL"), or
33 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
34 * in which case the provisions of the GPL or the LGPL are applicable instead
35 * of those above. If you wish to allow use of your version of this file only
36 * under the terms of either the GPL or the LGPL, and not to allow others to
37 * use your version of this file under the terms of the MPL, indicate your
38 * decision by deleting the provisions above and replace them with the notice
39 * and other provisions required by the GPL or the LGPL. If you do not delete
40 * the provisions above, a recipient may use your version of this file under
41 * the terms of any one of the MPL, the GPL or the LGPL.
43 * ***** END LICENSE BLOCK ***** */
45 #include "net/cookies/parsed_cookie.h"
47 #include "base/logging.h"
48 #include "base/strings/string_util.h"
50 namespace {
// Attribute names recognised after the leading name/value pair. Attribute
// names are lower-cased during parsing before being compared with these.
const char kPathTokenName[] = "path";
const char kDomainTokenName[] = "domain";
const char kExpiresTokenName[] = "expires";
const char kMaxAgeTokenName[] = "max-age";
const char kSecureTokenName[] = "secure";
const char kHttpOnlyTokenName[] = "httponly";
const char kFirstPartyOnlyTokenName[] = "first-party-only";
const char kPriorityTokenName[] = "priority";

// Characters that end the cookie line: LF, CR and NUL. The NUL is spelled out
// in the literal, so the length counts it and leaves out only the implicit
// terminator the compiler appends.
const char kTerminator[] = "\n\r\0";
const int kTerminatorLen = static_cast<int>(sizeof(kTerminator)) - 1;

// Character classes used while scanning a cookie line.
const char kWhitespace[] = " \t";
const char kValueSeparator[] = ";";
const char kTokenSeparator[] = ";=";
// Reports whether |c| is one of the characters in the NUL-terminated |chars|.
// strchr() also matches the terminating NUL of |chars|, so c == '\0' always
// yields true. The parsers in this file bound their input with
// FindFirstTerminator(), which stops at the first NUL.
// TODO(erikwright): maybe make this take an iterator, could check for end also?
inline bool CharIsA(const char c, const char* chars) {
  const char* const hit = strchr(chars, c);
  return hit != NULL;
}
// Advances |*it| until it points at a character contained in |chars| or
// reaches |end|. Returns true when |end| was reached, false when a matching
// character was found first.
inline bool SeekTo(std::string::const_iterator* it,
                   const std::string::const_iterator& end,
                   const char* chars) {
  while (*it != end && !CharIsA(**it, chars))
    ++(*it);
  return *it == end;
}
// Advances |*it| over every leading character contained in |chars|, stopping
// at the first character outside the set or at |end|. Returns true when |end|
// was reached, false otherwise.
inline bool SeekPast(std::string::const_iterator* it,
                     const std::string::const_iterator& end,
                     const char* chars) {
  while (*it != end && CharIsA(**it, chars))
    ++(*it);
  return *it == end;
}
// Moves |*it| backwards while it points at a character contained in |chars|.
// |end| is the lower bound of the walk: the character at |end| itself is never
// examined and the iterator is never moved below it. Returns true when the
// walk stopped on |end|.
inline bool SeekBackPast(std::string::const_iterator* it,
                         const std::string::const_iterator& end,
                         const char* chars) {
  while (*it != end && CharIsA(**it, chars))
    --(*it);
  return *it == end;
}
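// Validates that |value| is a token as defined by [RFC7230], Section 3.2.6:
// a non-empty run of visible US-ASCII characters without separators.
//
// Returns false for the empty string, for any separator character, for
// control characters (0-31 and DEL) and for any byte with the high bit set.
bool IsValidToken(const std::string& value) {
  if (value.empty())
    return false;

  // Check that |value| has no separators.
  static const char kSeparators[] = "()<>@,;:\\\"/[]?={} \t";
  if (value.find_first_of(kSeparators) != std::string::npos)
    return false;

  // Check that |value| has no CTLs and no non-ASCII bytes. The comparison is
  // done on unsigned char: plain char may be signed, in which case bytes
  // 0x80-0xFF are negative and would pass a ">= 127" test on the raw char,
  // making the result depend on the platform.
  for (std::string::const_iterator i = value.begin(); i != value.end(); ++i) {
    const unsigned char c = static_cast<unsigned char>(*i);
    if (c <= 31 || c >= 127)
      return false;
  }

  return true;
}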
// Checks |value| against the RFC 6265 cookie-value grammar:
//   cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
//   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
//                  ; US-ASCII characters excluding CTLs,
//                  ; whitespace DQUOTE, comma, semicolon,
//                  ; and backslash
// One pair of enclosing double quotes is tolerated; every other character
// must be a cookie-octet. The empty string is accepted.
bool IsValidCookieValue(const std::string& value) {
  // Number of characters to leave unchecked at each end of the string.
  size_t skip = 0;
  const bool quoted = value.size() >= 2 && value[0] == '"' &&
                      value[value.size() - 1] == '"';
  if (quoted)
    skip = 1;

  const size_t stop = value.size() - skip;
  for (size_t pos = skip; pos != stop; ++pos) {
    const char c = value[pos];
    // Everything outside 0x21-0x7E is rejected, as are the four excluded
    // characters inside that range: '"', ',', ';' and '\'.
    if (c < 0x21 || c > 0x7E || c == 0x22 || c == 0x2C || c == 0x3B ||
        c == 0x5C) {
      return false;
    }
  }
  return true;
}
// Returns true for the byte values 0x00 through 0x1F.
// NOTE(review): DEL (0x7F) is not covered here although RFC 5234 lists it as
// a CTL - confirm that is intended.
bool IsControlCharacter(unsigned char c) {
  return c < 0x20;
}
// Returns false if |value| contains a ';' or a character for which
// IsControlCharacter() is true, and true otherwise (including for the empty
// string). The greatest common denominator of cookie attribute values is
// <any CHAR except CTLs or ";"> according to RFC 6265.
// Rejecting ';' keeps a value from introducing a further attribute once the
// pairs are joined with "; " by ToCookieLine().
bool IsValidCookieAttributeValue(const std::string& value) {
  std::string::const_iterator pos = value.begin();
  while (pos != value.end()) {
    const bool forbidden = IsControlCharacter(*pos) || *pos == ';';
    if (forbidden)
      return false;
    ++pos;
  }
  return true;
}
155 } // namespace
157 namespace net {
// Parses |cookie_line| into name/value pairs. A line longer than
// kMaxCookieSize is not parsed at all, which leaves pairs_ empty so that
// IsValid() reports false. Every attribute index starts at 0, the value used
// throughout this class for "attribute not present".
ParsedCookie::ParsedCookie(const std::string& cookie_line)
    : path_index_(0),
      domain_index_(0),
      expires_index_(0),
      maxage_index_(0),
      secure_index_(0),
      httponly_index_(0),
      firstpartyonly_index_(0),
      priority_index_(0) {
  const size_t line_length = cookie_line.size();
  if (line_length > kMaxCookieSize) {
    VLOG(1) << "Not parsing cookie, too large: " << line_length;
    return;
  }

  ParseTokenValuePairs(cookie_line);
  if (pairs_.empty())
    return;
  SetupAttributes();
}
// The destructor body is intentionally empty; no explicit cleanup is done.
ParsedCookie::~ParsedCookie() {}
// A cookie is valid when at least one name/value pair is stored. The parser
// clears pairs_ when it rejects a line, so an empty list marks a rejected or
// unparsed cookie.
bool ParsedCookie::IsValid() const {
  const bool has_pairs = !pairs_.empty();
  return has_pairs;
}
// Returns the priority named by the "priority" attribute, or
// COOKIE_PRIORITY_DEFAULT when the attribute is absent (index 0).
CookiePriority ParsedCookie::Priority() const {
  if (priority_index_ == 0)
    return COOKIE_PRIORITY_DEFAULT;
  return StringToCookiePriority(pairs_[priority_index_].second);
}
// Replaces the cookie name. |name| must pass IsValidToken(); otherwise nothing
// is changed and false is returned. If no pair exists yet, an empty leading
// pair is created first, which also makes the cookie valid.
bool ParsedCookie::SetName(const std::string& name) {
  const bool name_ok = IsValidToken(name);
  if (name_ok) {
    if (pairs_.empty())
      pairs_.push_back(std::make_pair("", ""));
    pairs_[0].first = name;
  }
  return name_ok;
}
// Replaces the cookie value. |value| must pass IsValidCookieValue(); otherwise
// nothing is changed and false is returned. If no pair exists yet, an empty
// leading pair is created first.
bool ParsedCookie::SetValue(const std::string& value) {
  const bool value_ok = IsValidCookieValue(value);
  if (value_ok) {
    if (pairs_.empty())
      pairs_.push_back(std::make_pair("", ""));
    pairs_[0].second = value;
  }
  return value_ok;
}
// Sets the "path" attribute through SetString(): an empty |path| removes the
// attribute, any other value is validated before it is stored.
bool ParsedCookie::SetPath(const std::string& path) {
  const bool stored = SetString(&path_index_, kPathTokenName, path);
  return stored;
}
// Sets the "domain" attribute through SetString(): an empty |domain| removes
// the attribute, any other value is validated before it is stored.
bool ParsedCookie::SetDomain(const std::string& domain) {
  const bool stored = SetString(&domain_index_, kDomainTokenName, domain);
  return stored;
}
// Sets the "expires" attribute through SetString(): an empty |expires| removes
// the attribute, any other value is validated before it is stored. The date
// format itself is not checked here.
bool ParsedCookie::SetExpires(const std::string& expires) {
  const bool stored = SetString(&expires_index_, kExpiresTokenName, expires);
  return stored;
}
// Sets the "max-age" attribute through SetString(): an empty |maxage| removes
// the attribute, any other value is validated before it is stored. Whether
// the value is numeric is not checked here.
bool ParsedCookie::SetMaxAge(const std::string& maxage) {
  const bool stored = SetString(&maxage_index_, kMaxAgeTokenName, maxage);
  return stored;
}
// Adds the value-less "secure" attribute when |is_secure| is true and removes
// it when false; the work is delegated to SetBool().
bool ParsedCookie::SetIsSecure(bool is_secure) {
  const bool stored = SetBool(&secure_index_, kSecureTokenName, is_secure);
  return stored;
}
// Adds the value-less "httponly" attribute when |is_http_only| is true and
// removes it when false; the work is delegated to SetBool().
bool ParsedCookie::SetIsHttpOnly(bool is_http_only) {
  const bool stored =
      SetBool(&httponly_index_, kHttpOnlyTokenName, is_http_only);
  return stored;
}
// Adds the value-less "first-party-only" attribute when |is_first_party_only|
// is true and removes it when false; the work is delegated to SetBool().
bool ParsedCookie::SetIsFirstPartyOnly(bool is_first_party_only) {
  const bool stored = SetBool(&firstpartyonly_index_, kFirstPartyOnlyTokenName,
                              is_first_party_only);
  return stored;
}
// Sets the "priority" attribute through SetString(): an empty |priority|
// removes the attribute, any other value is validated before it is stored.
bool ParsedCookie::SetPriority(const std::string& priority) {
  const bool stored = SetString(&priority_index_, kPriorityTokenName, priority);
  return stored;
}
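// Serializes the stored pairs back into a cookie line, joined with "; ".
//
// The leading pair (the cookie's own name and value) is always written as
// "name=value". The name of that pair is chosen by the site, so a cookie that
// happens to be called "secure", "httponly" or "first-party-only" must keep
// its value; writing only the bare name would drop the value and change which
// cookie the line describes when it is parsed again. For the pairs after the
// first, those three names are flags and are written without "=value".
std::string ParsedCookie::ToCookieLine() const {
  std::string out;
  for (PairList::const_iterator it = pairs_.begin(); it != pairs_.end(); ++it) {
    if (!out.empty())
      out.append("; ");
    out.append(it->first);

    const bool is_flag_attribute =
        it != pairs_.begin() &&
        (it->first == kSecureTokenName || it->first == kHttpOnlyTokenName ||
         it->first == kFirstPartyOnlyTokenName);
    if (!is_flag_attribute) {
      out.append("=");
      out.append(it->second);
    }
  }
  return out;
}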
// Returns an iterator to the first LF, CR or NUL in |s|, or s.end() when none
// is present. Callers treat the result as the end of the input, so anything
// after the first terminator is ignored without being reported.
std::string::const_iterator ParsedCookie::FindFirstTerminator(
    const std::string& s) {
  // The explicit length keeps the embedded NUL as part of the search set.
  const std::string terminators(kTerminator, kTerminatorLen);
  const size_t term_pos = s.find_first_of(terminators);
  if (term_pos == std::string::npos)
    return s.end();
  // We found a character we should treat as an end of string.
  return s.begin() + term_pos;
}
// Scans one token (an attribute or cookie name) starting at |*it|.
//
// On success |*token_start| points at the first token character,
// |*token_end| points one past the last non-whitespace token character, and
// |*it| is left on the token separator (';' or '=') or on |end|. Returns
// false, with only |*it| advanced, when nothing but whitespace remains.
bool ParsedCookie::ParseToken(std::string::const_iterator* it,
                              const std::string::const_iterator& end,
                              std::string::const_iterator* token_start,
                              std::string::const_iterator* token_end) {
  DCHECK(it && token_start && token_end);

  // Skip whitespace in front of the token (the name).
  const bool only_whitespace = SeekPast(it, end, kWhitespace);
  if (only_whitespace)
    return false;  // No token, whitespace or empty.
  *token_start = *it;

  // Run forward to the token separator. If this reaches |end| we probably
  // have a token-value.
  SeekTo(it, end, kTokenSeparator);
  const std::string::const_iterator token_real_end = *it;

  // Trim whitespace between the token and the separator. The token name can
  // be empty, in which case there is nothing to trim.
  if (*it != *token_start) {
    --(*it);  // Step back onto the last character before the separator.
    // Walk back to the last non-whitespace character ...
    SeekBackPast(it, *token_start, kWhitespace);
    // ... and point just after it.
    ++(*it);
  }
  *token_end = *it;

  // Leave the cursor on the separator again.
  *it = token_real_end;
  return true;
}
// Scans one value starting at |*it|.
//
// Afterwards |*value_start| points at the first character after any leading
// whitespace, |*value_end| points one past the last non-whitespace character
// of the value, and |*it| is left on the ';' separator or on |end|. An '='
// inside the value is kept as part of it.
void ParsedCookie::ParseValue(std::string::const_iterator* it,
                              const std::string::const_iterator& end,
                              std::string::const_iterator* value_start,
                              std::string::const_iterator* value_end) {
  DCHECK(it && value_start && value_end);

  // Skip whitespace that might sit between the token and the value.
  SeekPast(it, end, kWhitespace);
  *value_start = *it;

  // Only ';' ends a value. Reaching |end| is fine: the last value does not
  // have to be terminated.
  SeekTo(it, end, kValueSeparator);
  *value_end = *it;

  // An empty value has no trailing whitespace to trim.
  if (*value_end == *value_start)
    return;

  // Trim unwanted whitespace after the value.
  --(*value_end);
  SeekBackPast(value_end, *value_start, kWhitespace);
  ++(*value_end);
}
// Returns the first token found in |token| with surrounding whitespace
// removed, or an empty string when there is none. Input after the first
// CR, LF or NUL is ignored.
std::string ParsedCookie::ParseTokenString(const std::string& token) {
  std::string::const_iterator cursor = token.begin();
  const std::string::const_iterator limit = FindFirstTerminator(token);

  std::string::const_iterator token_start, token_end;
  const bool found = ParseToken(&cursor, limit, &token_start, &token_end);
  if (!found)
    return std::string();
  return std::string(token_start, token_end);
}
// Returns the first value found in |value| with surrounding whitespace
// removed. Input after the first CR, LF or NUL is ignored.
std::string ParsedCookie::ParseValueString(const std::string& value) {
  std::string::const_iterator cursor = value.begin();
  const std::string::const_iterator limit = FindFirstTerminator(value);

  std::string::const_iterator value_start, value_end;
  ParseValue(&cursor, limit, &value_start, &value_end);
  const std::string parsed(value_start, value_end);
  return parsed;
}
// Parses every token/value pair of |cookie_line| into pairs_.
//
// Parsing stops at the first CR, LF or NUL, after kMaxPairs pairs, or when no
// further token is found. If any name or value contains a control character,
// the pairs collected so far are discarded, which makes the whole cookie
// invalid.
void ParsedCookie::ParseTokenValuePairs(const std::string& cookie_line) {
  pairs_.clear();

  // Parsing starts at the beginning of the cookie line; the header name is
  // expected to have been removed already.
  std::string::const_iterator it = cookie_line.begin();

  // TODO(erikwright): Make sure we're stripping \r\n in the network code.
  // Then we can log any unexpected terminators.
  const std::string::const_iterator end = FindFirstTerminator(cookie_line);

  int pair_num = 0;
  while (pair_num < kMaxPairs && it != end) {
    std::string::const_iterator token_start, token_end;
    if (!ParseToken(&it, end, &token_start, &token_end))
      break;

    TokenValuePair pair;
    const bool has_equals = (it != end && *it == '=');
    if (has_equals) {
      // We have a TOKEN=VALUE.
      pair.first = std::string(token_start, token_end);
      ++it;  // Skip past the '='.
    } else if (pair_num == 0) {
      // A lone value in first position is treated as a value with an empty
      // name (Mozilla bug 169091). IE seems to behave the same way, e.g.
      // "AAA" and "AAA=10" set 2 different cookies, and setting "BBB" then
      // replaces "AAA".
      pair.first = "";
      // Rewind to where the supposed token name began so that it is parsed
      // as the value below.
      it = token_start;
    } else {
      // In any later position a lone word is a name with an empty value, so
      // that something like "secure;" is parsed as a token name.
      pair.first = std::string(token_start, token_end);
    }

    // Now parse the value that belongs to the token.
    std::string::const_iterator value_start, value_end;
    ParseValue(&it, end, &value_start, &value_end);
    pair.second = std::string(value_start, value_end);

    // From RFC2109: "Attributes (names) (attr) are case-insensitive."
    // The cookie's own name (first pair) keeps its case.
    if (pair_num != 0)
      pair.first = base::ToLowerASCII(pair.first);

    // Ignore Set-Cookie directives containing control characters. See
    // http://crbug.com/238041.
    const bool name_ok = IsValidCookieAttributeValue(pair.first);
    if (!name_ok || !IsValidCookieAttributeValue(pair.second)) {
      pairs_.clear();
      break;
    }

    pairs_.push_back(pair);

    // A pair has been consumed; we are either at the end of the string or on
    // a value separator such as ';', which is skipped.
    if (it != end)
      ++it;

    ++pair_num;
  }
}
// Records where each known attribute sits in pairs_. Must only be called with
// a non-empty pairs_. When an attribute appears more than once, the index of
// its last occurrence is kept.
void ParsedCookie::SetupAttributes() {
  // Ignore Set-Cookie directive where name and value are both empty.
  const TokenValuePair& cookie = pairs_[0];
  if (cookie.first.empty() && cookie.second.empty()) {
    pairs_.clear();
    return;
  }

  // Slot 0 is the user-supplied name/value, so attributes start at 1.
  for (size_t i = 1; i < pairs_.size(); ++i) {
    const std::string& attribute = pairs_[i].first;
    if (attribute == kPathTokenName) {
      path_index_ = i;
    } else if (attribute == kDomainTokenName) {
      domain_index_ = i;
    } else if (attribute == kExpiresTokenName) {
      expires_index_ = i;
    } else if (attribute == kMaxAgeTokenName) {
      maxage_index_ = i;
    } else if (attribute == kSecureTokenName) {
      secure_index_ = i;
    } else if (attribute == kHttpOnlyTokenName) {
      httponly_index_ = i;
    } else if (attribute == kFirstPartyOnlyTokenName) {
      firstpartyonly_index_ = i;
    } else if (attribute == kPriorityTokenName) {
      priority_index_ = i;
    } else {
      // An attribute we don't know or don't care about; it stays in pairs_
      // without an index.
    }
  }
}
// Sets or removes a string-valued attribute. An empty |value| removes the
// attribute tracked by |*index| and always succeeds; any other value is
// handed to SetAttributePair(), whose result is returned.
bool ParsedCookie::SetString(size_t* index,
                             const std::string& key,
                             const std::string& value) {
  if (!value.empty())
    return SetAttributePair(index, key, value);

  ClearAttributePair(*index);
  return true;
}
// Sets or removes a flag attribute. A true |value| stores |key| with an empty
// value through SetAttributePair(); a false |value| removes the attribute
// tracked by |*index| and always succeeds.
bool ParsedCookie::SetBool(size_t* index, const std::string& key, bool value) {
  if (value)
    return SetAttributePair(index, key, std::string());

  ClearAttributePair(*index);
  return true;
}
// Stores |value| for the attribute |key|. |*index| is the attribute's current
// position in pairs_, or 0 when it is absent; a new pair is appended in that
// case and |*index| is updated to point at it.
//
// Returns false without changing anything when |key| is not a valid token,
// when |value| contains a control character or ';', or when the cookie itself
// is not valid. Validating here keeps caller-supplied strings from adding
// extra attributes to the line written by ToCookieLine().
bool ParsedCookie::SetAttributePair(size_t* index,
                                    const std::string& key,
                                    const std::string& value) {
  const bool inputs_ok =
      IsValidToken(key) && IsValidCookieAttributeValue(value);
  if (!inputs_ok)
    return false;
  if (!IsValid())
    return false;

  if (*index == 0) {
    pairs_.push_back(std::make_pair(key, value));
    *index = pairs_.size() - 1;
  } else {
    pairs_[*index].second = value;
  }
  return true;
}
// Removes the pair at |index| from pairs_ and fixes up the attribute indexes:
// the index that referred to the removed pair becomes 0, and every index
// behind it moves down by one to follow the shifted elements.
void ParsedCookie::ClearAttributePair(size_t index) {
  // The first pair (name/value of cookie at pairs_[0]) cannot be cleared.
  // Attributes that currently have no value are represented by an index of 0,
  // so there is nothing to remove for them either.
  if (index == 0)
    return;

  size_t* tracked[] = {&path_index_,
                       &domain_index_,
                       &expires_index_,
                       &maxage_index_,
                       &secure_index_,
                       &httponly_index_,
                       &firstpartyonly_index_,
                       &priority_index_};
  for (size_t n = 0; n < arraysize(tracked); ++n) {
    size_t& slot = *tracked[n];
    if (slot == index) {
      slot = 0;
    } else if (slot > index) {
      --slot;
    }
  }
  pairs_.erase(pairs_.begin() + index);
}
510 } // namespace