From ceab2ea8f0c0fc4c4be219240ccf99ddc2de7b22 Mon Sep 17 00:00:00 2001

From: Daniel Stenberg <[email protected]>

Date: Tue, 19 Aug 2014 21:11:20 +0200

Subject: [PATCH 2/2] cookies: reject incoming cookies set for TLDs

Test 61 was modified to verify this.

Reported-by: Tim Ruehsen

---

 lib/cookie.c      | 6 ++++++

 tests/data/test61 | 1 +

 2 files changed, 7 insertions(+)

This problem has been fixed upstream in curl version 7.38.0

--- lib/cookie.c.orig	2014-09-04 10:48:44.170722741 -0700

+++ lib/cookie.c	2014-09-04 10:44:28.980086252 -0700

@@ -303,6 +303,7 @@

           }

           else if(Curl_raw_equal("domain", name)) {

             bool is_ip;

+            const char *dotp;

             /* note that this name may or may not have a preceeding dot, but

                we don't care about that, we treat the names the same anyway */

@@ -347,6 +348,11 @@

               is_ip = isip(domain ? domain : whatptr);

+              /* check for more dots */

+              dotp = strchr(whatptr, '.');

+              if(!dotp)

+                domain=":";

+

               if(!domain

                  || (is_ip && !strcmp(whatptr, domain))

                  || (!is_ip && tailmatch(whatptr, domain))) {

--- tests/data/test61.orig	2014-09-04 10:50:40.756783312 -0700

+++ tests/data/test61	2014-09-04 10:53:06.461671210 -0700

@@ -22,6 +22,8 @@

 Set-Cookie: test3=maybe; domain=foo.com; path=/moo; secure

 Set-Cookie: test4=no; domain=nope.foo.com; path=/moo; secure

 Set-Cookie: test5=name; domain=anything.com; path=/ ; secure

+Set-Cookie: fake=fooledyou; domain=..com; path=/;

+Set-Cookie: supercookie=fooledyou; domain=.com; path=/;

 Content-Length: 4

 boo