authorDaniel Gustafsson <daniel@yesql.se>2018-12-19 20:59:09 +0100
committerDaniel Gustafsson <daniel@yesql.se>2018-12-19 20:59:09 +0100
commit3773de378d48b06c09931e44dca4d274d0bfdce0 (patch)
treeefe71a59c1f0012494e1fd5f92c5011eee56d637
parent462037ad487c0457451e66afd0cb50a9f70c0c28 (diff)
cookies: extend domain checks to non psl builds
Ensure to perform the checks we have to enforce a sane domain in the cookie request. The check for non-PSL enabled builds is quite basic but it's better than nothing. Closes #2964 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
-rw-r--r--lib/cookie.c13
-rw-r--r--tests/data/test81
2 files changed, 9 insertions, 5 deletions
diff --git a/lib/cookie.c b/lib/cookie.c
index bc0ab0dfe..f52c30840 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -803,6 +803,8 @@ Curl_cookie_add(struct Curl_easy *data,
co->domain = strdup(ptr);
if(!co->domain)
badcookie = TRUE;
+ else if(bad_domain(co->domain))
+ badcookie = TRUE;
break;
case 1:
/* This field got its explanation on the 23rd of May 2001 by
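Review bot: The added `else if(bad_domain(co->domain))` branch sets `badcookie` without leaving any trace, whereas the rejection path further down in Curl_cookie_add reports the drop through `infof`. This looks like the per-field parser for stored cookie lines, so a user whose saved cookie is no longer sent gets no hint in verbose output. Bracing the branch and adding a line such as `infof(data, "skipped cookie with bad domain '%s'\n", co->domain);` would make the drop diagnosable. A one-line comment, for example `/* apply the same domain sanity check to cookies read from file */`, would also explain why the check sits here. The switch and the function continue outside this hunk, so what happens once `badcookie` is set is not visible.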
@@ -906,18 +908,20 @@ Curl_cookie_add(struct Curl_easy *data,
if(!noexpire)
remove_expired(c);
-#ifdef USE_LIBPSL
- /* Check if the domain is a Public Suffix and if yes, ignore the cookie. */
if(domain && co->domain && !isip(co->domain)) {
- const psl_ctx_t *psl = Curl_psl_use(data);
int acceptable;
+#ifdef USE_LIBPSL
+ const psl_ctx_t *psl = Curl_psl_use(data);
+ /* Check if the domain is a Public Suffix and if yes, ignore the cookie. */
if(psl) {
acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
Curl_psl_release(data);
}
else
- acceptable = !bad_domain(domain);
+#endif
+ /* Without libpsl, do the best we can. */
+ acceptable = !bad_domain(co->domain);
if(!acceptable) {
infof(data, "cookie '%s' dropped, domain '%s' must not "
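Review bot: The `else` just before `#endif` takes its body from the line after the preprocessor block, so `acceptable = !bad_domain(co->domain);` is an else-branch in libpsl builds and a plain statement otherwise. Any statement later inserted between `#endif` and that assignment would become the else-body and let the fallback overwrite the PSL verdict. Giving each configuration its own assignment, separated by `#else`, removes the trap. The comment could also state the limit of the fallback, e.g. `/* Without libpsl public suffixes cannot be recognised; bad_domain() is only a basic sanity check */`. If `co->domain` is filled from the request host when no domain attribute is sent (not visible here; the function extends beyond this hunk), this check may also drop host-only cookies from single-label hosts.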
@@ -926,7 +930,6 @@ Curl_cookie_add(struct Curl_easy *data,
return NULL;
}
}
-#endif
myhash = cookiehash(co->domain);
clist = c->cookies[myhash];
diff --git a/tests/data/test8 b/tests/data/test8
index 2fc190060..e6d0f500e 100644
--- a/tests/data/test8
+++ b/tests/data/test8
@@ -46,6 +46,7 @@ Set-Cookie: trailingspace = removed; path=/we/want;
Set-Cookie: nocookie=yes; path=/WE;
Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad;
Set-Cookie: partialip=nono; domain=.0.0.1;
+Set-Cookie: chocolate=chip; domain=curl; path=/we/want;
</file>
<precheck>