Commit 5c5e1a1c authored by Daniel Stenberg's avatar Daniel Stenberg

test1218: another cookie tailmatch test

... and make 1216 also verify it with a file input

These tests verify commit 3604fde3d3c9b0d, the fix for the "cookie
domain tailmatch" vulnerability. See
http://curl.haxx.se/docs/adv_20130412.html
parent 2eb8dcf2
+1 −1
@@ -89,7 +89,7 @@ test1128 test1129 test1130 test1131 test1132 test1133 \
\
test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
test1216 test1217 \
test1216 test1217 test1218 \
test1220 test1221 test1222 test1223 \
\
test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \
+2 −1
@@ -37,6 +37,7 @@ http://example.fake/c/1216 http://bexample.fake/c/1216 -b log/injar1216 -x %HOST
example.fake	FALSE	/a	FALSE	2139150993	mooo	indeed
example.fake	FALSE	/b	FALSE	0		moo1	indeed
example.fake	FALSE	/c	FALSE	2139150993	moo2	indeed
example.fake	TRUE	/c	FALSE	2139150993	moo3	indeed
</file>
</client>

@@ -50,7 +51,7 @@ GET http://example.fake/c/1216 HTTP/1.1
Host: example.fake
Accept: */*
Proxy-Connection: Keep-Alive
Cookie: moo2=indeed
Cookie: moo2=indeed; moo3=indeed

GET http://bexample.fake/c/1216 HTTP/1.1
Host: bexample.fake
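Review bot: The added jar row for `moo3` is the only entry whose second field is `TRUE` (domain tailmatching allowed), so it is the row that exercises the tailmatch fix, but nothing in the test file says so. A comment outside the `<file>` section, for example `# moo3 has the tailmatch flag set: it must reach example.fake and must not reach bexample.fake`, would make the intent clear to whoever next edits the jar. The expected request for bexample.fake continues past the end of the second hunk, so it cannot be confirmed from here that the test asserts the absence of a `Cookie:` header on that request.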

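--- /dev/null
+++ b/tests/data/test1218
@@ -0,0 +1,61 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+HTTP proxy
+cookies
+</keywords>
+</info>
+
+# This test is very similar to 1216, only that it sets the cookies from the
+# first site instead of reading from a file
+<reply>
+<data>
+HTTP/1.1 200 OK
+Date: Tue, 25 Sep 2001 19:37:44 GMT
+Set-Cookie: domain=.example.fake; bug=fixed;
+Content-Length: 21
+
+This server says moo
+</data>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+HTTP cookies and domains with same prefix
+ </name>
+ <command>
+http://example.fake/c/1218 http://example.fake/c/1218 http://bexample.fake/c/1218 -b nonexisting -x %HOSTIP:%HTTPPORT
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+</strip>
+<protocol>
+GET http://example.fake/c/1218 HTTP/1.1
+Host: example.fake
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+GET http://example.fake/c/1218 HTTP/1.1
+Host: example.fake
+Accept: */*
+Proxy-Connection: Keep-Alive
+Cookie: bug=fixed
+
+GET http://bexample.fake/c/1218 HTTP/1.1
+Host: bexample.fake
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+</protocol>
+</verify>
+</testcase>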
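Review bot: The `Set-Cookie:` line in `<reply>` puts the `domain=` attribute ahead of the `bug=fixed` pair, so the test only covers tailmatching for as long as the parser accepts attributes before the cookie pair. RFC 6265 places the name=value pair first; a parser that follows that order would presumably store a cookie named `domain`, and the expected `Cookie: bug=fixed` line would then fail for a reason unrelated to the domain check. Writing the header as `Set-Cookie: bug=fixed; domain=.example.fake;` keeps the test tied to the tailmatch behaviour itself. The `<name>` text could also mention tailmatching, so a failure is easy to connect to the advisory referenced in the commit message.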