GitLab

The old-style cookie support stores the cookie domains with a leading full
stop (e.g. .riscosopen.org) but if a cookie was created with HTTP_AddCookie
you could get round this restriction.  A cookie with domain riscosop.org
created that way would have matched the host domain www.riscosopen.org.

This change fixes that. This code will need to be revisited to implement
RFC 6265 because of host-only matching and stripping the leading full stops,
but for the moment this removes a domain-matching bug in the old-style cookie
support.

Version 1.08. Tagged as 'HTTP-1_08'

Domain matching will have to work differently when we move to RFC 6265
because the leading full-stop would be removed. This commit fixes a fault with
the old-style cookie support.

The Version attribute was deprecated in RFC6265 in April 2011 and is no
longer widely supported (if it ever was). Removing support simplifies the
code which will make it easier to maintain and enhance.

As a step towards RFC6265 compliance, removed support for Comment attribute
in order to simplify code. There was never much functional code relating to
comments, which were stored but not made accessible to the client.

In order to work towards RFC 6265 support, it is desirable to simplify the
code by removing features which were made obsolete in RFC 6265, which was
published in April 2011.

The Cookie2 header was being added to every request. Removed. (Note that the
header will be suppressed even if the client manually passes it as an extra
header in the request.)

Support for the Set-Cookie2 response header has been dropped from mainstream
browsers for many years. Removed.

Firstly, despite comments throughout the code about how the cookies were sorted
in reverse order of the path in order to automagically output them in the
correct order, the cookies were not being stored in reverse order!  Corrected.

Corrected stripping the file element from end of request path, which managed to
reduce '/abc/index.html' to '/abc/' but failed to reduce '/index.html' to '/'.

Ensure that matching cookie path as a substring of request path only matches
if the substring reaches the next '/' delimiter.

Match the reversed domain name at the start of the request domain, rather than
anywhere in the string.  (More work needed here for RFC 6265 compliance.)

Added a little extra debugging to make it easier to see what's going on.

The check_domain_valid function failed to match the full target domain if the
domain did not start with a full-stop. The last two characters of the initial
element of the name were not matched. There was also no check that the match
took us up to a full-stop in the request's hostname.

There was a similar bug in domain-matching where the domain DID begin with a
full-stop, as strstr was used for matching without anchoring the match to the
starts of the respective strings.

Note, this code is still largely conforming with the obsolete RFC2109 and will
need to be amended for RFC6265 compliance.

Any path read from the cookie file, and any path parameter to HTTP_AddCookie
was processed as though it was actually a URI path, as is used for the
default value for the path if no Path attribute appears in the Set-Cookie
header. The effect was that each time the cookie file was read, the last
slash of the path and any following material was discarded, meaning the paths
gradually got shorter until they disappeared altogether.

Tallies of the stored and queued cookies are maintained in total_cookies and unread_cookies. Both have errors in their calculation.

The queued cookie count continued going up even when MAX_COOKIES_IN_QUEUE was reached and older cookies were being discarded. Also errors in the counting and the condition meant that two more cookies were queued than defined in MAX_COOKIES_IN_QUEUE.

The total_cookies count was reduced when a cookie was discarded from the queue via HTTP_ConsumeCookie because destroy_cookie is used for freeing a cookie structure in both situations. The count was also reduced in two situations where new cookies were not added to the store because they were invalid. One case was HTTP_AddCookie if an invalid parameter was given, and the other case was in creating a cookie via an HTTP response.

To solve this the total_cookies decrement operation is moved from destroy_cookie to remove_cookie_from_list.

After the for loop last->next will have been NULL and the call
to cookie_unlink_cookie expects the first parameter to be a pointer
to the variable where the head of the queue is stored, not a
pointer to the cookie to be discarded.

Version 1.07. Tagged as 'HTTP-1_07'

Remove test for first character of chunk length being '0' as that means
the fetch fails if the chunk length is non-zero with a leading zero.

Version 1.06. Tagged as 'HTTP-1_06'

Detail:
  Two new SWIs (see Docs/AddMethds) allow a client to register a method which AcornHTTP
  will then handle on its behalf based on some flags. In many cases the method can just
  follow a GET or PUT in operation.

Version 1.05. Tagged as 'HTTP-1_05'

Change to enable fetcher to connect to make secure connections to servers
which require Server Name Identification (SNI). Also ensures that the name
of the server is verified against the certificate for other secure
connections.

Version 1.04. Tagged as 'HTTP-1_04'

Detail:
  There was an assumption that if the recv() in http_read_more_header() returned an error, the subsequent recv() in http_reading_response() would also return the same error. However, if callbacks were allowed to run in between and data arrived from the server, the 2nd recv() can return data.
  In turn, this caused the statemachine to believe it was now reading the body, and forced AcornHTTP to invent a fake header for the client - when neither situation was true.
  Change the logic so that EWOULDBLOCK keeps the state machine in reading mode, other errors (or closed connection) stop as before.

  Unrelated - header.c corrects grammar, start.c uses boolean initialiser.
Admin:
  Submission for TCP/IP bounty.

Version 1.03. Tagged as 'HTTP-1_03'

Detail:
  SWIPREFIX != TARGET for this component, so the exported header was empty.

Version 1.02. Tagged as 'HTTP-1_02'

Detail:
  When AcornHTTP starts it tries to register itself with URL, which triggers a service call (for HTTP arriving) which in turn triggers AcornSSL to (re)report it is loaded. However, if AcornSSL is loaded *before* HTTP then the service call is missed because HTTP's service call handler isn't yet linked into the service call chain.
  Fix this by looking for a telltale SWI in security_init().
Admin:
  Reported by Matthew Phillips when trying to load URL/HTTP on a system on which AcornSSL had been loaded beforehand.
  Also clip the text shown by *URLProtoShow to end at the closing bracket of the date (more recent AcornSSL modules add the version of mbedTLS to which they were linked, which spilled over the column end).

Version 1.01. Tagged as 'HTTP-1_01'

decompress.c: remove double assignment to ses->compression, let it fall through
start.c: don't dereference 'ses' until after the check for it being NULL
Found by cppcheck static analysis.

Version 1.00. Tagged as 'HTTP-1_00'

Detail:
  When AcornHTTP is registering on behalf of AcornSSL with the URL module, it makes up an info string using the live version number.
  Use the AcornSSL module date too, rather than that of AcornHTTP.
Admin:
  Submission for TCP/IP bounty.

Version 0.99. Tagged as 'HTTP-0_99'

Detail:
  Per Docs/SWIs the flags in R5 (or R2 b8-15) should allow a client to request only the head/body or both, but the implementation was incomplete in places.
  Where http_write_data_to_client() is called, check what the request was and filter appropriately.
Admin:
  Submission from Chris Mahoney.

Version 0.98. Tagged as 'HTTP-0_98'

Remove hardwired path element, use Module_Title instead.
Delete (already disabled) TinyStubs support.
Delete support for old CMHG.

Version 0.97. Tagged as 'HTTP-0_97'

Detail:
  Account for TARGET != COMPONENT

Detail:
  Use GETDCI4ERRNO macro to safely extract errno from RISC OS error blocks.
  Fix for NULL pointer dereference when adding the first cookie to the cookie queue.
Admin:
  Submission for TCP/IP bounty.

Version 0.96. Tagged as 'HTTP-0_96'

Detail:
  Use updated AcornSSL.h header location and contents.
Admin:
  Requires Export-0_10.

Version 0.95. Tagged as 'HTTP-0_95'

Detail:
  Now exports its SWIs to Interface/HTTP.h
  Replaced defunct www.acorn.com address in the test program.
Admin:
  Submission for TCP/IP bounty.

Version 0.94. Tagged as 'HTTP-0_94'

No code change, retagged.

Version 0.93. Tagged as 'HTTP-0_93'

Detail:
  Use the XWIPE macro rather than WIPE so that when the component
  is cleaned, we don't get loads of irritating errors from AMU if
  the object to be wiped doesn't exist.
Admin:
  No code change.


Version 0.92. Tagged as 'HTTP-0_92'

Detail:
  Made cvs version of sources match Batch One release.
Admin:
  No code change.

Version 0.91. Tagged as 'HTTP-0_91'

Detail:
  Some changes were required in order for this component to build and install
  correctly. These changes are required for the ROOL 'Browse' build.
Admin:
  Tested in Iyonix 'Browse' build using ROOL 'BuildEnv' build environment

Version 0.90. Tagged as 'HTTP-0_90'

Detail:
  The Status SWI should be returning the server response code in R2,
    but is always returning 0 because it never bothers to parse the
    top header in the response.  This is now done.
Admin:
  Reported by gerph.
  Tested.

Version 0.89. Tagged as 'HTTP-0_89'

Detail:
   The definition of DEBLIBS was causing the build to fail. Commented this
definition out. Also changed the name of the component for the rom_link phase
to AcornHTTP so it links.

Admin:
   Tested in an NC build.

Version 0.88. Tagged as 'HTTP-0_88'

Detail:
  When passing options to this component, you may specify:
    -UCOOKIE               - removes cookie support
    -UCOMPRESSION          - removes on-the-fly decompression support
Admin:
  Options added to reduce module size.

Version 0.87. Tagged as 'HTTP-0_87'

Detail:
  The NT based CTS plugin fails to put Content-Type headers in
    posted form submissions.  The Microsoft server seems happy
    with this illegal form, but AcornHTTP isn't - and it decides
    that the post attempt is bogus and rejects it.  Instead of
    that, it now adds the application/x-www-form-urlencoded
    as the default content type.
Admin:
  Tested by proxying the NT plugin via WebServe and verified that
    the content-type is being added.

Version 0.86. Tagged as 'HTTP-0_86'

Detail:
  Added knowledge of OPTIONS and TRACE to the option decoder.
  Now knows about new SWI names of AcornSSL module.
Admin:
  Tested briefly.
  Requires AcornSSL-0_08 header export to have occurred.

Version 0.85. Tagged as 'HTTP-0_85'

Detail:
  Can't use __ctype with TinyStubs.
Admin:
  Built from clean; verified RAM build works.

Version 0.84. Tagged as 'HTTP-0_84'

  Updated version number control to srccommit.
  AcornSSL version mismatch detection code added for safety.
  No longer enables event generation for HTTP sockets.
Detail:
  * Cookie parser was getting confused by a trailing ; character on
  the end of set-cookie headers being sent to it by the Electronics
  Weekly web server.  This meant that it was rejecting the key
  cookie being used to control access to the site thus preventing
  people from accessing the site.
  * AcornHTTP now checks that the AcornSSL module is implementing a
  known SWI interface (the AcornSSL SWI interface changed in 0.03)
  * No longer uses ioctl(..FIOASYNC..) to enable event generation as
  the events aren't required and it wastes system resource to have
  them going off.
  * Makefile contains rules for generating .i files suitable for
  feeding to the McCabe toolset.
Admin:
  Built from clean; tested on Ursula & 3.70; verified access to
  Electronics Weekly (www.electronicsweekly.co.uk) now works.

Version 0.83. Tagged as 'HTTP-0_83'

* First block of data was being thrown on the floor during
  decompression in some cases.  This is now fixed.

* Debug output now knows about cookie related SWIs and won't claim that
  they are unknown SWIs.

* Transfers which are both Chunked and compressed work correctly now.