Commit a76825a5 authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

cookies: reject incoming cookies set for TLDs 

Test 61 was modified to verify this.

CVE-2014-3620

Reported-by: Tim Ruehsen
URL: http://curl.haxx.se/docs/adv_20140910B.html
parent 8a75dbeb

lib/cookie.c

+6 −0
Original line number Diff line number Diff line
@@ -463,6 +463,7 @@ Curl_cookie_add(struct SessionHandle *data, 
        }

        else if(Curl_raw_equal("domain", name)) {

          bool is_ip;

          const char *dotp;



          /* Now, we make sure that our host is within the given domain,

             or the given domain is not valid and thus cannot be set. */
@@ -472,6 +473,11 @@ Curl_cookie_add(struct SessionHandle *data, 


          is_ip = isip(domain ? domain : whatptr);



          /* check for more dots */

          dotp = strchr(whatptr, '.');

          if(!dotp)

            domain=":";



          if(!domain

             || (is_ip && !strcmp(whatptr, domain))

             || (!is_ip && tailmatch(whatptr, domain))) {

tests/data/test61

+1 −0
Original line number Diff line number Diff line
@@ -23,6 +23,7 @@ Set-Cookie: test3=maybe; domain=foo.com; path=/moo; secure 
Set-Cookie: test4=no; domain=nope.foo.com; path=/moo; secure

Set-Cookie: test5=name; domain=anything.com; path=/ ; secure

Set-Cookie: fake=fooledyou; domain=..com; path=/;

Set-Cookie: supercookie=fooledyou; domain=.com; path=/;^M

Content-Length: 4



boo