From fd7ae600adf23a9a1ed619165c5058bdec216e9c Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Tue, 19 Aug 2014 21:11:20 +0200
Subject: [PATCH] cookies: reject incoming cookies set for TLDs
Test 61 was modified to verify this.
CVE-2014-3620
Reported-by: Tim Ruehsen
URL: http://curl.haxx.se/docs/adv_20140910B.html
Upstream-Status: Backport
Signed-off-by: Chong Lu
---
 lib/cookie.c | 6 ++++++
 tests/data/test61 | 1 +
 2 files changed, 7 insertions(+)
diff --git a/lib/cookie.c b/lib/cookie.c
index 46904ac..375485f 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -461,19 +461,25 @@ Curl_cookie_add(struct SessionHandle *data, break; } } else if(Curl_raw_equal("domain", name)) { bool is_ip;
+ const char *dotp;
/* Now, we make sure that our host is within the given domain, or the given domain is not valid and thus cannot be set. */ if('.' == whatptr[0]) whatptr++; /* ignore preceding dot */ is_ip = isip(domain ? domain : whatptr);
+ /* check for more dots */
+ dotp = strchr(whatptr, '.');
+ if(!dotp)
+ domain=":";
+
if(!domain || (is_ip && !strcmp(whatptr, domain)) || (!is_ip && tailmatch(whatptr, domain))) { strstore(&co->domain, whatptr); if(!co->domain) {
diff --git a/tests/data/test61 b/tests/data/test61
index d2de279..e6dbbb9 100644
--- a/tests/data/test61
+++ b/tests/data/test61
@@ -21,10 +21,11 @@ Set-Cookie: test=yes; httponly; domain=foo.com; expires=Fri Feb 2 11:56:27 GMT 2 SET-COOKIE: test2=yes; domain=host.foo.com; expires=Fri Feb 2 11:56:27 GMT 2035 Set-Cookie: test3=maybe; domain=foo.com; path=/moo; secure Set-Cookie: test4=no; domain=nope.foo.com; path=/moo; secure Set-Cookie: test5=name; domain=anything.com; path=/ ; secure Set-Cookie: fake=fooledyou; domain=..com; path=/;
+Set-Cookie: supercookie=fooledyou; domain=.com; path=/;^M
Content-Length: 4 boo
--
2.1.0
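Review bot: The rejection in the lib/cookie.c hunk works only indirectly: `domain=":"` overwrites the function's `domain` parameter with a value no host name can tailmatch, so the `if(!domain || ...)` test below falls through to its mismatch path, and nothing at the site says that this is the intended reject mechanism. A comment on that line, `/* no dot at all: the value is a bare TLD, so point 'domain' at a string no host can tailmatch and let the check below reject it */`, or an explicit reject (setting the function's bad-cookie flag and breaking) in place of the sentinel, would make the intent visible and avoid reusing a parameter as a flag. The dot test is also only a proxy for public-suffix detection: it rejects a single-label domain such as the `.com` case test61 now covers, but a multi-label public suffix still passes, so the comment should record that limitation rather than let readers assume complete TLD coverage. Curl_cookie_add begins and ends outside this hunk, and the later uses of `domain` are not visible here, so whether the `":"` value can reach another branch should be confirmed against the full function.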