|
|
1f1f296 |
From 9448ce9fd474d68bea96ac54c86255ebaebe7dfc Mon Sep 17 00:00:00 2001
|
|
|
1f1f296 |
From: Daniel Stenberg <daniel@haxx.se>
|
|
|
1f1f296 |
Date: Tue, 19 Aug 2014 21:11:20 +0200
|
|
|
1f1f296 |
Subject: [PATCH 2/2] cookies: reject incoming cookies set for TLDs
|
|
|
1f1f296 |
|
|
|
1f1f296 |
Test 61 was modified to verify this.
|
|
|
1f1f296 |
|
|
|
1f1f296 |
CVE-2014-3620
|
|
|
1f1f296 |
|
|
|
1f1f296 |
Reported-by: Tim Ruehsen
|
|
|
1f1f296 |
URL: http://curl.haxx.se/docs/adv_20140910B.html
|
|
|
1f1f296 |
Upstream-commit: a76825a5efa6b41d3a1d4f275dada2f017f6f566
|
|
|
1f1f296 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
1f1f296 |
---
|
|
|
1f1f296 |
lib/cookie.c | 6 ++++++
|
|
|
1f1f296 |
tests/data/test61 | 1 +
|
|
|
1f1f296 |
2 files changed, 7 insertions(+)
|
|
|
1f1f296 |
|
|
|
1f1f296 |
diff --git a/lib/cookie.c b/lib/cookie.c
|
|
|
1f1f296 |
index 46904ac..375485f 100644
|
|
|
1f1f296 |
--- a/lib/cookie.c
|
|
|
1f1f296 |
+++ b/lib/cookie.c
|
|
|
1f1f296 |
@@ -463,6 +463,7 @@ Curl_cookie_add(struct SessionHandle *data,
|
|
|
1f1f296 |
}
|
|
|
1f1f296 |
else if(Curl_raw_equal("domain", name)) {
|
|
|
1f1f296 |
bool is_ip;
|
|
|
1f1f296 |
+ const char *dotp;
|
|
|
1f1f296 |
|
|
|
1f1f296 |
/* Now, we make sure that our host is within the given domain,
|
|
|
1f1f296 |
or the given domain is not valid and thus cannot be set. */
|
|
|
1f1f296 |
@@ -472,6 +473,11 @@ Curl_cookie_add(struct SessionHandle *data,
|
|
|
1f1f296 |
|
|
|
1f1f296 |
is_ip = isip(domain ? domain : whatptr);
|
|
|
1f1f296 |
|
|
|
1f1f296 |
+ /* check for more dots */
|
|
|
1f1f296 |
+ dotp = strchr(whatptr, '.');
|
|
|
1f1f296 |
+ if(!dotp)
|
|
|
1f1f296 |
+ domain=":";
|
|
|
1f1f296 |
+
|
|
|
1f1f296 |
if(!domain
|
|
|
1f1f296 |
|| (is_ip && !strcmp(whatptr, domain))
|
|
|
1f1f296 |
|| (!is_ip && tailmatch(whatptr, domain))) {
|
|
|
1f1f296 |
diff --git a/tests/data/test61 b/tests/data/test61
|
|
|
1f1f296 |
index d2de279..e6dbbb9 100644
|
|
|
1f1f296 |
--- a/tests/data/test61
|
|
|
1f1f296 |
+++ b/tests/data/test61
|
|
|
1f1f296 |
@@ -23,6 +23,7 @@ Set-Cookie: test3=maybe; domain=foo.com; path=/moo; secure
|
|
|
1f1f296 |
Set-Cookie: test4=no; domain=nope.foo.com; path=/moo; secure
|
|
|
1f1f296 |
Set-Cookie: test5=name; domain=anything.com; path=/ ; secure
|
|
|
1f1f296 |
Set-Cookie: fake=fooledyou; domain=..com; path=/;
|
|
|
1f1f296 |
+Set-Cookie: supercookie=fooledyou; domain=.com; path=/;^M
|
|
|
1f1f296 |
Content-Length: 4
|
|
|
1f1f296 |
|
|
|
1f1f296 |
boo
|
|
|
1f1f296 |
--
|
|
|
1f1f296 |
2.1.0
|
|
|
1f1f296 |
|