From cbd4e1fa0dc77cd65ec09985e979a4be11b60096 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 27 Jan 2017 12:59:12 +0100 Subject: cookies: do not assume a valid domain has a dot This repairs cookies for localhost. Non-PSL builds will now only accept "localhost" without dots, while PSL builds okeys everything not listed as PSL. Added test 1258 to verify. This was a regression brought in a76825a5efa6b4 --- lib/cookie.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) (limited to 'lib/cookie.c') diff --git a/lib/cookie.c b/lib/cookie.c index 092a226f3..8a4b844fc 100644 --- a/lib/cookie.c +++ b/lib/cookie.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -492,7 +492,6 @@ Curl_cookie_add(struct Curl_easy *data, } else if(strcasecompare("domain", name)) { bool is_ip; - const char *dotp; /* Now, we make sure that our host is within the given domain, or the given domain is not valid and thus cannot be set. */ @@ -500,12 +499,22 @@ Curl_cookie_add(struct Curl_easy *data, if('.' == whatptr[0]) whatptr++; /* ignore preceding dot */ - is_ip = isip(domain ? domain : whatptr); +#ifndef USE_LIBPSL + /* + * Without PSL we don't know when the incoming cookie is set on a + * TLD or otherwise "protected" suffix. To reduce risk, we require a + * dot OR the exact host name being "localhost". + */ + { + const char *dotp; + /* check for more dots */ + dotp = strchr(whatptr, '.'); + if(!dotp && !strcasecompare("localhost", whatptr)) + domain=":"; + } +#endif - /* check for more dots */ - dotp = strchr(whatptr, '.'); - if(!dotp) - domain=":"; + is_ip = isip(domain ? domain : whatptr); if(!domain || (is_ip && !strcmp(whatptr, domain)) -- cgit v1.2.3