aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2014-08-19 21:11:20 +0200
committerDaniel Stenberg <daniel@haxx.se>2014-09-10 07:32:36 +0200
commita76825a5efa6b41d3a1d4f275dada2f017f6f566 (patch)
treec1c48922e1b81e969a27a119793e6b27a2beae5f
parent8a75dbeb2305297640453029b7905ef51b87e8dd (diff)
cookies: reject incoming cookies set for TLDs
Test 61 was modified to verify this. CVE-2014-3620 Reported-by: Tim Ruehsen URL: http://curl.haxx.se/docs/adv_20140910B.html
-rw-r--r--lib/cookie.c6
-rw-r--r--tests/data/test611
2 files changed, 7 insertions, 0 deletions
diff --git a/lib/cookie.c b/lib/cookie.c
index 46904ac57..375485f54 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -463,6 +463,7 @@ Curl_cookie_add(struct SessionHandle *data,
}
else if(Curl_raw_equal("domain", name)) {
bool is_ip;
+ const char *dotp;
/* Now, we make sure that our host is within the given domain,
or the given domain is not valid and thus cannot be set. */
@@ -472,6 +473,11 @@ Curl_cookie_add(struct SessionHandle *data,
is_ip = isip(domain ? domain : whatptr);
+ /* check for more dots */
+ dotp = strchr(whatptr, '.');
+ if(!dotp)
+ domain=":";
+
if(!domain
|| (is_ip && !strcmp(whatptr, domain))
|| (!is_ip && tailmatch(whatptr, domain))) {
diff --git a/tests/data/test61 b/tests/data/test61
index d2de2790a..e6dbbb901 100644
--- a/tests/data/test61
+++ b/tests/data/test61
@@ -23,6 +23,7 @@ Set-Cookie: test3=maybe; domain=foo.com; path=/moo; secure
Set-Cookie: test4=no; domain=nope.foo.com; path=/moo; secure
Set-Cookie: test5=name; domain=anything.com; path=/ ; secure
Set-Cookie: fake=fooledyou; domain=..com; path=/;
+Set-Cookie: supercookie=fooledyou; domain=.com; path=/;^M
Content-Length: 4
boo