tests/data/test414 - third_party/curl - Git at Google

 <testcase>
 <info>
 <keywords>
 HTTP
 cookies
 --resolve
 </keywords>
 </info>

 #
 # Server-side
 <reply>
 <data nocheck="yes">
 HTTP/1.1 301 OK
 Date: Tue, 09 Nov 2010 14:49:00 GMT
 Server: test-server/fake
 Content-Length: 6
 Set-Cookie: SESSIONID=originaltoken; secure
 Set-Cookie: second=originaltoken; secure; path=/a
 Location: http://attack.invalid:%HTTPPORT/a/b/%TESTNUMBER0002

 -foo-
 </data>

 <data2>
 HTTP/1.1 301 OK
 Date: Tue, 09 Nov 2010 14:49:00 GMT
 Server: test-server/fake
 Content-Length: 6
 Set-Cookie: SESSIONID=hacker; domain=attack.invalid;
 Set-Cookie: second=replacement; path=/a/b
 Location: https://attack.invalid:%HTTPSPORT/a/b/%TESTNUMBER0003

 -foo-
 </data2>

 <data3>
 HTTP/1.1 200 OK
 Date: Tue, 09 Nov 2010 14:49:00 GMT
 Server: test-server/fake
 Content-Length: 6

 -foo-
 </data3>
 </reply>

 #
 # Client-side
 <client>
 <server>
 http
 https
 </server>
 <name>
 HTTPS sec-cookie, HTTP redirect, same name cookie, redirect back
 </name>
 <command>
 https://attack.invalid:%HTTPSPORT/a/b/%TESTNUMBER -k -c %LOGDIR/cookie%TESTNUMBER --resolve attack.invalid:%HTTPSPORT:%HOSTIP --resolve attack.invalid:%HTTPPORT:%HOSTIP -L
 </command>
 </client>

 #
 # Verify data after the test has been "shot"
 <verify>
 <protocol>
 GET /a/b/%TESTNUMBER HTTP/1.1
 Host: attack.invalid:%HTTPSPORT
 User-Agent: curl/%VERSION
 Accept: */*

 GET /a/b/%TESTNUMBER0002 HTTP/1.1
 Host: attack.invalid:%HTTPPORT
 User-Agent: curl/%VERSION
 Accept: */*

 GET /a/b/%TESTNUMBER0003 HTTP/1.1
 Host: attack.invalid:%HTTPSPORT
 User-Agent: curl/%VERSION
 Accept: */*
 Cookie: SESSIONID=originaltoken; second=originaltoken

 </protocol>
 </verify>
 </testcase>
	<testcase>
	<info>
	<keywords>
	HTTP
	cookies
	--resolve
	</keywords>
	</info>

	#
	# Server-side
	<reply>
	<data nocheck="yes">
	HTTP/1.1 301 OK
	Date: Tue, 09 Nov 2010 14:49:00 GMT
	Server: test-server/fake
	Content-Length: 6
	Set-Cookie: SESSIONID=originaltoken; secure
	Set-Cookie: second=originaltoken; secure; path=/a
	Location: http://attack.invalid:%HTTPPORT/a/b/%TESTNUMBER0002

	-foo-
	</data>

	<data2>
	HTTP/1.1 301 OK
	Date: Tue, 09 Nov 2010 14:49:00 GMT
	Server: test-server/fake
	Content-Length: 6
	Set-Cookie: SESSIONID=hacker; domain=attack.invalid;
	Set-Cookie: second=replacement; path=/a/b
	Location: https://attack.invalid:%HTTPSPORT/a/b/%TESTNUMBER0003

	-foo-
	</data2>

	<data3>
	HTTP/1.1 200 OK
	Date: Tue, 09 Nov 2010 14:49:00 GMT
	Server: test-server/fake
	Content-Length: 6

	-foo-
	</data3>
	</reply>

	#
	# Client-side
	<client>
	<server>
	http
	https
	</server>
	<name>
	HTTPS sec-cookie, HTTP redirect, same name cookie, redirect back
	</name>
	<command>
	https://attack.invalid:%HTTPSPORT/a/b/%TESTNUMBER -k -c %LOGDIR/cookie%TESTNUMBER --resolve attack.invalid:%HTTPSPORT:%HOSTIP --resolve attack.invalid:%HTTPPORT:%HOSTIP -L
	</command>
	</client>

	#
	# Verify data after the test has been "shot"
	<verify>
	<protocol>
	GET /a/b/%TESTNUMBER HTTP/1.1
	Host: attack.invalid:%HTTPSPORT
	User-Agent: curl/%VERSION
	Accept: /

	GET /a/b/%TESTNUMBER0002 HTTP/1.1
	Host: attack.invalid:%HTTPPORT
	User-Agent: curl/%VERSION
	Accept: /

	GET /a/b/%TESTNUMBER0003 HTTP/1.1
	Host: attack.invalid:%HTTPSPORT
	User-Agent: curl/%VERSION
	Accept: /
	Cookie: SESSIONID=originaltoken; second=originaltoken

	</protocol>
	</verify>
	</testcase>