diff options
author | Tim Ruehsen <tim.ruehsen@gmx.de> | 2014-08-19 21:01:28 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2014-09-10 07:32:36 +0200 |
commit | 8a75dbeb2305297640453029b7905ef51b87e8dd (patch) | |
tree | bcde17d8f36ceb90239db5eaa8f2dcb412875e66 /lib/asyn-ares.c | |
parent | 1ccfabb66d9fab9bc99b68d558692ddacbb587f4 (diff) |
cookies: only use full host matches for hosts used as IP address
By not detecting and rejecting domain names for partial literal IP
addresses properly when parsing received HTTP cookies, libcurl can be
fooled to both send cookies to wrong sites and to allow arbitrary sites
to set cookies for others.
CVE-2014-3613
Bug: http://curl.haxx.se/docs/adv_20140910A.html
Diffstat (limited to 'lib/asyn-ares.c')
0 files changed, 0 insertions, 0 deletions