Netscape: allow HttpOnly cookies to be loaded

chigley · oalders · commit 52b814be84b3 · 2020-11-19T16:51:47.000-05:00
Fixes #63. curl generates cookie jars where HttpOnly cookies have hostnames prepended with #HttpOnly_ (see [0]). Until now, HTTP::Cookies::Netscape was discarding such cookies as comments. This commit strips the magic #HttpOnly_ prefix such that the cookies are loaded. The HttpOnly state isn't kept in memory: the cookies essentially lose the property when loaded. If the cookie jar is written back out to a file, hostnames will not have the #HttpOnly_ prefix, even if they had the prefix originally. See [1] for a PerlMonks thread where someone else hit the same issue as me. [0] https://curl.se/libcurl/c/CURLOPT_COOKIELIST.html [1] https://www.perlmonks.org/?node_id=1187917
diff --git a/Changes b/Changes
@@ -2,6 +2,7 @@ Revision history for HTTP-Cookies.  The HTTP::Cookies module used to be bundled
 with the libwww-perl distribution.
 
 {{$NEXT}}
+    - Allow HttpOnly cookies to be loaded by HTTP::Cookies::Netscape (GH#63) (Charlie Hothersall-Thomas)
 
 6.08      2019-12-02 15:58:32Z
     - allow different "ignore_discard" value at save() time (GH#2) (Alex Peters)
diff --git a/lib/HTTP/Cookies/Netscape.pm b/lib/HTTP/Cookies/Netscape.pm
@@ -24,6 +24,7 @@ sub load
     my $now = time() - $HTTP::Cookies::EPOCH_OFFSET;
     while (my $line = <$fh>) {
         chomp($line);
+        $line =~ s/\s*\#HttpOnly_//;
         next if $line =~ /^\s*\#/;
         next if $line =~ /^\s*$/;
         $line =~ tr/\n\r//d;
diff --git a/t/cookies.t b/t/cookies.t
@@ -1,7 +1,7 @@
 #!perl -w
 
 use Test;
-plan tests => 79;
+plan tests => 80;
 
 use HTTP::Cookies;
 use HTTP::Request;
@@ -417,6 +417,10 @@ ok($c->as_string =~ /foo1=bar/);
 undef($c);
 unlink($file);
 
+# Expect a HttpOnly cookie to be loaded, rather than treated as a comment
+$c = HTTP::Cookies::Netscape->new(file => 't/data/netscape-httponly.txt');
+ok(count_cookies($c), 2);
+undef($c);
 
 #
 # Some additional Netscape cookies test
diff --git a/t/data/netscape-httponly.txt b/t/data/netscape-httponly.txt
@@ -0,0 +1,6 @@
+# Netscape HTTP Cookie File
+# http://www.netscape.com/newsref/std/cookie_spec.html
+# This is a generated file!  Do not edit.
+
+www.acme.com	FALSE	/	FALSE	2147483647	foo1	bar
+#HttpOnly_www.acme.com	FALSE	/	FALSE	2147483647	foo2	bar
