diff options
| -rw-r--r-- | lib/cookie.c | 23 | ||||
| -rw-r--r-- | tests/data/Makefile.inc | 4 | ||||
| -rw-r--r-- | tests/data/test1258 | 54 |
3 files changed, 72 insertions, 9 deletions
diff --git a/lib/cookie.c b/lib/cookie.c index 092a226f3..8a4b844fc 100644 --- a/lib/cookie.c +++ b/lib/cookie.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -492,7 +492,6 @@ Curl_cookie_add(struct Curl_easy *data, } else if(strcasecompare("domain", name)) { bool is_ip; - const char *dotp; /* Now, we make sure that our host is within the given domain, or the given domain is not valid and thus cannot be set. */ @@ -500,12 +499,22 @@ Curl_cookie_add(struct Curl_easy *data, if('.' == whatptr[0]) whatptr++; /* ignore preceding dot */ - is_ip = isip(domain ? domain : whatptr); +#ifndef USE_LIBPSL + /* + * Without PSL we don't know when the incoming cookie is set on a + * TLD or otherwise "protected" suffix. To reduce risk, we require a + * dot OR the exact host name being "localhost". + */ + { + const char *dotp; + /* check for more dots */ + dotp = strchr(whatptr, '.'); + if(!dotp && !strcasecompare("localhost", whatptr)) + domain=":"; + } +#endif - /* check for more dots */ - dotp = strchr(whatptr, '.'); - if(!dotp) - domain=":"; + is_ip = isip(domain ? domain : whatptr); if(!domain || (is_ip && !strcmp(whatptr, domain)) diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc index 471eb2510..b820982d7 100644 --- a/tests/data/Makefile.inc +++ b/tests/data/Makefile.inc @@ -5,7 +5,7 @@ # | (__| |_| | _ <| |___ # \___|\___/|_| \_\_____| # -# Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. +# Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. # # This software is licensed as described in the file COPYING, which # you should have received as part of this distribution. The terms @@ -128,7 +128,7 @@ test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 \ test1228 test1229 test1230 test1231 test1232 test1233 test1234 test1235 \ test1236 test1237 test1238 test1239 test1240 test1241 test1242 test1243 \ test1244 test1245 test1246 test1247 test1248 test1249 test1250 test1251 \ -test1252 test1253 test1254 test1255 test1256 test1257 \ +test1252 test1253 test1254 test1255 test1256 test1257 test1258 \ \ test1280 test1281 test1282 \ \ diff --git a/tests/data/test1258 b/tests/data/test1258 new file mode 100644 index 000000000..6fa88e16e --- /dev/null +++ b/tests/data/test1258 @@ -0,0 +1,54 @@ +<testcase> +<info> +<keywords> +HTTP +HTTP GET +HTTP replaced headers +cookies +httponly +</keywords> +</info> + +# Server-side +<reply> +<data> +HTTP/1.0 200 OK swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Content-Type: text/html
+Set-Cookie: I-am=here; domain=localhost; +
+boo +</data> +</reply> + +# Client-side +<client> +<server> +http +</server> + <name> +HTTP, use cookies with localhost + </name> + <command> +http://%HOSTIP:%HTTPPORT/we/want/1258 http://%HOSTIP:%HTTPPORT/we/want?hoge=fuga -b non-existing -H "Host: localhost" +</command> +</client> + +# Verify data after the test has been "shot" +<verify> +<strip> +^User-Agent:.* +</strip> +<protocol> +GET /we/want/1258 HTTP/1.1
+Host: localhost
+Accept: */*
+
+GET /we/want?hoge=fuga HTTP/1.1
+Host: localhost
+Accept: */*
+Cookie: I-am=here
+
+</protocol> +</verify> +</testcase> |