From c5be3d7267c725dbd093ff3a883e07ee8cf2a1d5 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 4 Oct 2016 23:26:13 +0200
Subject: cookies: getlist() now holds deep copies of all cookies

Previously it only held references to them, which was reckless as the
thread lock was released so the cookies could get modified by other
handles that share the same cookie jar over the share interface.

CVE-2016-8623

Bug: https://curl.haxx.se/docs/adv_20161102I.html
Reported-by: Cure53
---
 lib/http.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib/http.c')

diff --git a/lib/http.c b/lib/http.c
index 65c145a13..e6e7d377a 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -2384,7 +2384,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
         }
         co = co->next; /* next cookie please */
       }
-      Curl_cookie_freelist(store, FALSE); /* free the cookie list */
+      Curl_cookie_freelist(store);
     }
     if(addcookies && !result) {
       if(!count)
-- 
cgit v1.2.3