Support multiple Set-Cookie values.

michaelrsweet · michaelrsweet · commit 434b87ec8051 · 2025-05-01T18:42:53.000-04:00
diff --git a/CHANGES.md b/CHANGES.md
@@ -6,6 +6,7 @@ libcups v3.0.0 (YYYY-MM-DD)
 
 - Added `cupsOAuthGetJWKS` API.
 - Added `httpGetCookieValue` and `httpGetSecurity` APIs.
+- Updated `httpSetCookie` API to support multiple "Set-Cookie:" header values.
 - Updated `ippfind` to use `cupsGetClock` API.
 - Fixed return values of `ippDateToTime` when the timezone isn't GMT.
 - Fixed a potential timing issue with `cupsEnumDests`.
diff --git a/cups/http.c b/cups/http.c
@@ -840,11 +840,11 @@ httpGetContentEncoding(http_t *http)	// I - HTTP connection
 
 
 //
-// 'httpGetCookie()' - Get "Cookie:" data from the HTTP connection.
+// 'httpGetCookie()' - Get cookie data from the HTTP connection.
 //
-// This function returns any HTTP "Cookie:" header data for the given HTTP
-// connection as described in RFC 6265.  Use the @link httpGetCookieValue@ to
-// get the value of a named cookie.
+// This function returns any HTTP "Set-Cookie:" or "Cookie:" header data for the
+// given HTTP connection as described in RFC 6265.  Use the
+// @link httpGetCookieValue@ to get the value of a named "Cookie:" value.
 //
 
 const char *				// O - Cookie data or `NULL`
@@ -2205,22 +2205,46 @@ httpSetBlocking(http_t *http,		// I - HTTP connection
 
 
 //
-// 'httpSetCookie()' - Set the cookie value(s).
+// 'httpSetCookie()' - Add Set-Cookie value(s).
+//
+// This function adds one or more Set-Cookie header values that will be sent to
+// the client with the @link httpWriteResponse@ function.  Each value conforms
+// to the format defined in RFC 6265.  Multiple values can be passed in the
+// "cookie" string separated by a newline character.
+//
+// Call the @link httpClearCookies@ function to clear all Set-Cookie values.
 //
 
 void
 httpSetCookie(http_t     *http,		// I - Connection
               const char *cookie)	// I - Cookie string
 {
-  if (!http)
+  // Range check input...
+  if (!http || !cookie)
     return;
 
-  free(http->cookie);
+  // Set or append the Set-Cookie value....
+  if (http->cookie)
+  {
+    // Append with a newline between values...
+    size_t	clen,			// Length of cookie string
+		ctotal;			// Total length of cookies
+    char	*temp;			// Temporary value
 
-  if (cookie)
-    http->cookie = strdup(cookie);
+    clen   = strlen(http->cookie);
+    ctotal = clen + strlen(cookie) + 2;
+
+    if ((temp = realloc(http->cookie, ctotal)) == NULL)
+      return;
+
+    temp[clen] = '\n';
+    cupsCopyString(temp + clen + 1, cookie, ctotal - clen - 1);
+  }
   else
-    http->cookie = NULL;
+  {
+    // Just copy/set this cookie...
+    http->cookie = strdup(cookie);
+  }
 }
 
 
@@ -3050,26 +3074,35 @@ httpWriteResponse(http_t        *http,	// I - HTTP connection
 
     if (http->cookie)
     {
-      if (strchr(http->cookie, ';'))
+      char	*start,			// Start of cookie
+		*ptr;			// Pointer into cookie
+
+      for (start = http->cookie; start; start = ptr)
       {
-        if (httpPrintf(http, "Set-Cookie: %s\r\n", http->cookie) < 1)
+        if ((ptr = strchr(start, '\n')) != NULL)
+          *ptr = '\0';
+
+	if (strchr(start, ';'))
+	{
+	  if (httpPrintf(http, "Set-Cookie: %s\r\n", start) < 1)
+	  {
+	    http->status = HTTP_STATUS_ERROR;
+	    if (ptr)
+	      *ptr = '\n';
+	    return (false);
+	  }
+	}
+	else if (httpPrintf(http, "Set-Cookie: %s; path=/; httponly;%s\r\n", http->cookie, http->tls ? " secure;" : "") < 1)
 	{
 	  http->status = HTTP_STATUS_ERROR;
+	  if (ptr)
+	    *ptr = '\n';
 	  return (false);
 	}
-      }
-      else if (httpPrintf(http, "Set-Cookie: %s; path=/; httponly;%s\r\n", http->cookie, http->tls ? " secure;" : "") < 1)
-      {
-	http->status = HTTP_STATUS_ERROR;
-	return (false);
-      }
-    }
 
-    // "Click-jacking" defense...
-    if (httpPrintf(http, "X-Frame-Options: DENY\r\nContent-Security-Policy: frame-ancestors 'none'\r\n") < 1)
-    {
-      http->status = HTTP_STATUS_ERROR;
-      return (false);
+	if (ptr)
+	  *ptr++ = '\n';
+      }
     }
   }
 
diff --git a/doc/cupspm.epub b/doc/cupspm.epub
diff --git a/doc/cupspm.html b/doc/cupspm.html
@@ -7782,7 +7782,7 @@ <h4 class="discussion">Discussion</h4>
 client.  The value returned can be use in subsequent requests (for clients)
 or in the response (for servers) in order to compress the content stream.</p>
 <h3 class="function"><a id="httpGetCookie">httpGetCookie</a></h3>
-<p class="description">Get &quot;Cookie:&quot; data from the HTTP connection.</p>
+<p class="description">Get cookie data from the HTTP connection.</p>
 <p class="code">
 <span class="reserved">const</span> <span class="reserved">char</span> *httpGetCookie(<a href="#http_t">http_t</a> *http);</p>
 <h4 class="parameters">Parameters</h4>
@@ -7793,9 +7793,9 @@ <h4 class="parameters">Parameters</h4>
 <h4 class="returnvalue">Return Value</h4>
 <p class="description">Cookie data or <code>NULL</code></p>
 <h4 class="discussion">Discussion</h4>
-<p class="discussion">This function returns any HTTP &quot;Cookie:&quot; header data for the given HTTP
-connection as described in RFC 6265.  Use the <a href="#httpGetCookieValue"><code>httpGetCookieValue</code></a> to
-get the value of a named cookie.</p>
+<p class="discussion">This function returns any HTTP &quot;Set-Cookie:&quot; or &quot;Cookie:&quot; header data for the
+given HTTP connection as described in RFC 6265.  Use the
+<a href="#httpGetCookieValue"><code>httpGetCookieValue</code></a> to get the value of a named &quot;Cookie:&quot; value.</p>
 <h3 class="function"><a id="httpGetCookieValue">httpGetCookieValue</a></h3>
 <p class="description">Get the value of a named cookie from the HTTP connection.</p>
 <p class="code">
@@ -8295,7 +8295,7 @@ <h4 class="discussion">Discussion</h4>
 or writing data.  The &quot;http&quot; argument specifies the HTTP connection and the
 &quot;blocking&quot; argument specifies whether to use blocking behavior.</p>
 <h3 class="function"><a id="httpSetCookie">httpSetCookie</a></h3>
-<p class="description">Set the cookie value(s).</p>
+<p class="description">Add Set-Cookie value(s).</p>
 <p class="code">
 <span class="reserved">void</span> httpSetCookie(<a href="#http_t">http_t</a> *http, <span class="reserved">const</span> <span class="reserved">char</span> *cookie);</p>
 <h4 class="parameters">Parameters</h4>
@@ -8305,6 +8305,13 @@ <h4 class="parameters">Parameters</h4>
 <tr><th>cookie</th>
 <td class="description">Cookie string</td></tr>
 </tbody></table>
+<h4 class="discussion">Discussion</h4>
+<p class="discussion">This function adds one or more Set-Cookie header values that will be sent to
+the client with the <a href="#httpWriteResponse"><code>httpWriteResponse</code></a> function.  Each value conforms
+to the format defined in RFC 6265.  Multiple values can be passed in the
+&quot;cookie&quot; string separated by a newline character.<br>
+<br>
+Call the <a href="#httpClearCookies"><code>httpClearCookies</code></a> function to clear all Set-Cookie values.</p>
 <h3 class="function"><a id="httpSetDefaultField">httpSetDefaultField</a></h3>
 <p class="description">Set the default value of a HTTP header.</p>
 <p class="code">
