Commit 2eb8dcf2 authored by Yamada Yasuharu's avatar Yamada Yasuharu Committed by Daniel Stenberg

cookie: fix tailmatching to prevent cross-domain leakage

Cookies set for 'example.com' could accidentally also be sent by libcurl
to 'bexample.com' (i.e. with a prefix to the first domain name).

This is a security vulnerability, CVE-2013-1944.

Bug: http://curl.haxx.se/docs/adv_20130412.html
parent 96ffe645
+19 −5
@@ -118,15 +118,29 @@ static void freecookie(struct Cookie *co)
  free(co);
}

static bool tailmatch(const char *little, const char *bigone)
static bool tailmatch(const char *cooke_domain, const char *hostname)
{
  size_t littlelen = strlen(little);
  size_t biglen = strlen(bigone);
  size_t cookie_domain_len = strlen(cooke_domain);
  size_t hostname_len = strlen(hostname);

  if(littlelen > biglen)
  if(hostname_len < cookie_domain_len)
    return FALSE;

  return Curl_raw_equal(little, bigone+biglen-littlelen) ? TRUE : FALSE;
  if(!Curl_raw_equal(cooke_domain, hostname+hostname_len-cookie_domain_len))
    return FALSE;

  /* A lead char of cookie_domain is not '.'.
     RFC6265 4.1.2.3. The Domain Attribute says:
       For example, if the value of the Domain attribute is
       "example.com", the user agent will include the cookie in the Cookie
       header when making HTTP requests to example.com, www.example.com, and
       www.corp.example.com.
   */
  if(hostname_len == cookie_domain_len)
    return TRUE;
  if('.' == *(hostname + hostname_len - cookie_domain_len - 1))
    return TRUE;
  return FALSE;
}

/*
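Review bot: The final '.' check in the new tailmatch relies on the stored cookie domain carrying no leading dot, as its comment says, but nothing in this function enforces that; a domain stored as `.example.com` would match the suffix of `www.example.com` and then be rejected because the character before the suffix is `w` — presumably the dot is stripped when the cookie is parsed, and that precondition belongs in a header comment such as `/* cookie_domain must already have any leading dot removed; hostname is the request host */`. The parameter is spelled `cooke_domain` in the signature and both uses; `cookie_domain` would match the length variable and the comment. An empty cookie domain also passes every check when hostname is empty or ends in `.`, so a cheap `if(!cookie_domain_len) return FALSE;` guard before the Curl_raw_equal call would be worth adding if such a domain can reach here.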