From 7a09b52c98ac8d840a8a9907b1a1d9a9e684bcf5 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson
Date: Thu, 13 Dec 2018 09:57:58 +0100
Subject: cookies: leave secure cookies alone

Only allow secure origins to be able to write cookies with the 'secure' flag set. This reduces the risk of non-secure origins to influence the state of secure origins. This implements IETF Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates RFC6265.

Closes #2956
Reviewed-by: Daniel Stenberg
---
 tests/data/Makefile.inc | 2 +-
 tests/data/test1155 | 4 +-
 tests/data/test1561 | 86 +++++++++++++++++++++++++++++++++++++++++++++++++
 tests/data/test31 | 18 ----------
 tests/data/test61 | 1 -
 5 files changed, 89 insertions(+), 22 deletions(-)
 create mode 100644 tests/data/test1561
(limited to 'tests/data')

diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index dd38f8964..250aa2004 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -176,7 +176,7 @@ test1533 test1534 test1535 test1536 test1537 test1538 \
 test1540 \
 test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 \
 \
-test1560 \
+test1560 test1561 \
 \
 test1590 \
 test1600 test1601 test1602 test1603 test1604 test1605 test1606 test1607 \
diff --git a/tests/data/test1155 b/tests/data/test1155
index 9bf325460..3db824d58 100644
--- a/tests/data/test1155
+++ b/tests/data/test1155
@@ -14,7 +14,7 @@ cookies
 HTTP/1.1 200 OK
 Date: Thu, 09 Nov 2010 14:49:00 GMT
 Content-Length: 0
-Set-Cookie: domain=value;secure;path=/
+Set-Cookie: domain=value;path=/
@@ -48,7 +48,7 @@ Accept: */*
 # https://curl.haxx.se/docs/http-cookies.html
 # This file was generated by libcurl! Edit at your own risk.
-127.0.0.1 FALSE / TRUE 0 domain value
+127.0.0.1 FALSE / FALSE 0 domain value
diff --git a/tests/data/test1561 b/tests/data/test1561
new file mode 100644
index 000000000..356dc94e4
--- /dev/null
+++ b/tests/data/test1561
@@ -0,0 +1,86 @@ + + + +HTTPS +HTTP +HTTP GET +cookies +cookiejar +HTTP replaced headers + + + +# Server-side + + +HTTP/1.1 200 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake +Set-Cookie: super=secret; domain=example.com; path=/1561; secure; +Set-Cookie: supersuper=secret; domain=example.com; path=/1561/login/; secure; +Content-Length: 7 + +nomnom + + +HTTP/1.1 200 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake +Set-Cookie: super=secret; domain=example.com; path=/1561; httponly; +Set-Cookie: super=secret; domain=example.com; path=/1561/; httponly; +Set-Cookie: super=secret; domain=example.com; path=/15; httponly; +Set-Cookie: public=yes; domain=example.com; path=/foo; +Set-Cookie: supersuper=secret; domain=example.com; path=/1561/login/en; +Set-Cookie: supersuper=secret; domain=example.com; path=/1561/login; +Set-Cookie: secureoverhttp=yes; domain=example.com; path=/1561; secure; +Content-Length: 7 + +nomnom + + + +# Client-side + + +SSL + + +http +https + + +HTTP + + +-k https://%HOSTIP:%HTTPSPORT/15610001 -L -c log/jar1561.txt -H "Host: www.example.com" http://%HOSTIP:%HTTPPORT/15610002 -L -c log/jar1561.txt -H "Host: www.example.com" + + + + +^User-Agent:.* + + +GET /15610001 HTTP/1.1 +Host: www.example.com +User-Agent: curl/7.62.0-DEV +Accept: */* + +GET /15610002 HTTP/1.1 +Host: www.example.com +User-Agent: curl/7.62.0-DEV +Accept: */* + + + +# Netscape HTTP Cookie File +# https://curl.haxx.se/docs/http-cookies.html +# This file was generated by libcurl! Edit at your own risk. + +.example.com TRUE /foo FALSE 0 public yes +.example.com TRUE /1561/login/ TRUE 0 supersuper secret +#HttpOnly_.example.com TRUE /15 FALSE 0 super secret + + + + + diff --git a/tests/data/test31 b/tests/data/test31 index 78f3766e9..58398c55d 100644 --- a/tests/data/test31 +++ b/tests/data/test31 
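Review bot: The expected cookie jar at the end of this hunk treats the plain-HTTP `supersuper` cookie sent with `path=/1561/login` (no trailing slash) as rejected, yet as far as I read draft-ietf-httpbis-cookie-alone-01 that path does not path-match the secure cookie's `/1561/login/`, so the test pins a comparison stricter than the draft's rule while nothing in the file says which of the nine HTTP Set-Cookie lines are meant to be dropped and why (the file's XML element tags did not survive rendering here, so a descriptive name may exist that I cannot see). Because comment lines inside the reply data would be served as part of the response, record the intent in the client section instead, e.g. a comment before the command such as `# Second reply is plain HTTP: 'secureoverhttp' must not be stored, and the non-secure 'super'/'supersuper' cookies must not overlay the secure ones already stored for /1561 and /1561/login/; only path /15, which does not share the secure cookie's path, is accepted`. If rejecting `/1561/login` is deliberate, the comment should say so explicitly, so that a later alignment of the path comparison with RFC 6265bis does not silently flip this expectation.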
@@ -100,7 +100,6 @@ Accept: */*
 # https://curl.haxx.se/docs/http-cookies.html
 # This file was generated by libcurl! Edit at your own risk.
-127.0.0.1 FALSE /we/want/ TRUE 0 securewithspace after
 127.0.0.1 FALSE /we/want/ FALSE 0 prespace yes before
 127.0.0.1 FALSE /we/want/ FALSE 0 withspaces2 before equals
 127.0.0.1 FALSE /we/want/ FALSE 0 withspaces yes within and around
@@ -108,28 +107,11 @@ Accept: */*
 #HttpOnly_127.0.0.1 FALSE /silly/ FALSE 0 magic yessir
 127.0.0.1 FALSE /we/want/ FALSE 2054030187 nodomain value
 127.0.0.1 FALSE / FALSE 0 partmatch present
-#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec8 myvalue9
-#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec7 myvalue8
-#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec6 myvalue7
-#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec5 myvalue6
-#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec4 myvalue5
-#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec3 myvalue4
-#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec2 myvalue3
-#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec myvalue2
 #HttpOnly_127.0.0.1 FALSE /p4/ FALSE 0 httponly myvalue1
 #HttpOnly_127.0.0.1 FALSE /p4/ FALSE 0 httpo4 value4
 #HttpOnly_127.0.0.1 FALSE /p3/ FALSE 0 httpo3 value3
 #HttpOnly_127.0.0.1 FALSE /p2/ FALSE 0 httpo2 value2
 #HttpOnly_127.0.0.1 FALSE /p1/ FALSE 0 httpo1 value1
-127.0.0.1 FALSE /secure9/ TRUE 0 secure very1
-127.0.0.1 FALSE /secure8/ TRUE 0 sec8value secure8
-127.0.0.1 FALSE /secure7/ TRUE 0 sec7value secure7
-127.0.0.1 FALSE /secure6/ TRUE 0 sec6value secure6
-127.0.0.1 FALSE /secure5/ TRUE 0 sec5value secure5
-127.0.0.1 FALSE /secure4/ TRUE 0 sec4value secure4
-127.0.0.1 FALSE /secure3/ TRUE 0 sec3value secure3
-127.0.0.1 FALSE /secure2/ TRUE 0 sec2value secure2
-127.0.0.1 FALSE /secure1/ TRUE 0 sec1value secure1
 127.0.0.1 FALSE /overwrite FALSE 0 overwrite this2
 127.0.0.1 FALSE /silly/ FALSE 0 ismatch this
diff --git a/tests/data/test61 b/tests/data/test61
index 784163fa9..2709f5112 100644
--- a/tests/data/test61
+++ b/tests/data/test61
@@ -65,7 +65,6 @@ Accept: */*
 # https://curl.haxx.se/docs/http-cookies.html
 # This file was generated by libcurl! Edit at your own risk.
-.foo.com TRUE /moo TRUE 0 test3 maybe
 .host.foo.com TRUE /we/want/ FALSE 2054030187 test2 yes
 #HttpOnly_.foo.com TRUE /we/want/ FALSE 2054030187 test yes
--
cgit v1.2.3