1 From 3604fde3d3c9b0d0e389e079aecf470d123ba180 Mon Sep 17 00:00:00 2001 |
2 From: YAMADA Yasuharu <[email protected]> |
3 Date: Thu, 11 Apr 2013 00:17:15 +0200 |
4 Subject: [PATCH] cookie: fix tailmatching to prevent cross-domain leakage |
5 |
6 Cookies set for 'example.com' could accidentally also be sent by libcurl |
7 to the 'bexample.com' (ie with a prefix to the first domain name). |
8 |
9 This is a security vulnerability, CVE-2013-1944. |
10 |
11 Bug: http://curl.haxx.se/docs/adv_20130412.html |
12 |
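--- lib/cookie.c.orig 2013-11-18 14:05:59.517749330 -0800
+++ lib/cookie.c 2013-11-18 14:08:09.852442022 -0800
@@ -122,15 +122,29 @@
   free(co);
 }
 
-static bool tailmatch(const char *little, const char *bigone)
+static bool tailmatch(const char *cooke_domain, const char *hostname)
 {
-  size_t littlelen = strlen(little);
-  size_t biglen = strlen(bigone);
+  size_t cookie_domain_len = strlen(cooke_domain);
+  size_t hostname_len = strlen(hostname);
 
-  if(littlelen > biglen)
+  if(hostname_len < cookie_domain_len)
     return FALSE;
 
-  return (bool)Curl_raw_equal(little, bigone+biglen-littlelen);
+  if(!Curl_raw_equal(cooke_domain, hostname+hostname_len-cookie_domain_len))
+    return FALSE;
+
+  /* A lead char of cookie_domain is not '.'.
+     RFC6265 4.1.2.3. The Domain Attribute says:
+       For example, if the value of the Domain attribute is
+       "example.com", the user agent will include the cookie in the Cookie
+       header when making HTTP requests to example.com, www.example.com, and
+       www.corp.example.com.
+   */
+  if(hostname_len == cookie_domain_len)
+    return TRUE;
+  if('.' == *(hostname + hostname_len - cookie_domain_len - 1))
+    return TRUE;
+  return FALSE;
 }
 
 /*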
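Review bot: The new parameter is spelled `cooke_domain` on the signature line and at its two uses (`strlen(cooke_domain)` and `Curl_raw_equal(cooke_domain, ...)`), while the local derived from it is `cookie_domain_len`; renaming the parameter to `cookie_domain` keeps the pair consistent and matches the wording of the new block comment. The comment asserts that the lead char of cookie_domain is not '.', but nothing in this function enforces or checks that, so the whole label-boundary test on the line `if('.' == *(hostname + hostname_len - cookie_domain_len - 1))` silently depends on a caller stripping the leading dot; presumably that happens where the Domain attribute is parsed, but it is not visible here. A one-line precondition above the signature would make that contract explicit, e.g. `/* cookie_domain must already have its leading '.' removed; see the Domain attribute parsing in the caller */`, hedged until confirmed against the parsing code. The function is fully contained in this hunk.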