From 9448ce9fd474d68bea96ac54c86255ebaebe7dfc Mon Sep 17 00:00:00 2001

From: Daniel Stenberg <daniel@haxx.se>

Date: Tue, 19 Aug 2014 21:11:20 +0200

Subject: [PATCH 2/2] cookies: reject incoming cookies set for TLDs

Test 61 was modified to verify this.

CVE-2014-3620

Reported-by: Tim Ruehsen

URL: http://curl.haxx.se/docs/adv_20140910B.html

Upstream-commit: a76825a5efa6b41d3a1d4f275dada2f017f6f566

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 lib/cookie.c      | 6 ++++++

 tests/data/test61 | 1 +

 2 files changed, 7 insertions(+)

diff --git a/lib/cookie.c b/lib/cookie.c

index 46904ac..375485f 100644

--- a/lib/cookie.c

+++ b/lib/cookie.c

@@ -463,6 +463,7 @@ Curl_cookie_add(struct SessionHandle *data,

         }

         else if(Curl_raw_equal("domain", name)) {

           bool is_ip;

+          const char *dotp;

           /* Now, we make sure that our host is within the given domain,

              or the given domain is not valid and thus cannot be set. */

@@ -472,6 +473,11 @@ Curl_cookie_add(struct SessionHandle *data,

           is_ip = isip(domain ? domain : whatptr);

+          /* check for more dots */

+          dotp = strchr(whatptr, '.');

+          if(!dotp)

+            domain=":";

+

           if(!domain

              || (is_ip && !strcmp(whatptr, domain))

              || (!is_ip && tailmatch(whatptr, domain))) {

diff --git a/tests/data/test61 b/tests/data/test61

index d2de279..e6dbbb9 100644

--- a/tests/data/test61

+++ b/tests/data/test61

@@ -23,6 +23,7 @@ Set-Cookie: test3=maybe; domain=foo.com; path=/moo; secure

 Set-Cookie: test4=no; domain=nope.foo.com; path=/moo; secure

 Set-Cookie: test5=name; domain=anything.com; path=/ ; secure

 Set-Cookie: fake=fooledyou; domain=..com; path=/;

+Set-Cookie: supercookie=fooledyou; domain=.com; path=/;^M

 Content-Length: 4

 boo

-- 

2.1.0