cookies: reject incoming cookies set for TLDs
authorDaniel Stenberg <daniel@haxx.se>
Tue, 19 Aug 2014 19:11:20 +0000 (21:11 +0200)
committerDaniel Stenberg <daniel@haxx.se>
Wed, 10 Sep 2014 05:32:36 +0000 (07:32 +0200)
Test 61 was modified to verify this.

CVE-2014-3620

Reported-by: Tim Ruehsen
URL: http://curl.haxx.se/docs/adv_20140910B.html

lib/cookie.c
tests/data/test61

index 46904ac57f7de74d2b8387bea59e219545d7264d..375485f54ec33f883c35eaf796e550c9ee377638 100644 (file)
@@ -463,6 +463,7 @@ Curl_cookie_add(struct SessionHandle *data,
         }
         else if(Curl_raw_equal("domain", name)) {
           bool is_ip;
+          const char *dotp;
 
           /* Now, we make sure that our host is within the given domain,
              or the given domain is not valid and thus cannot be set. */
@@ -472,6 +473,11 @@ Curl_cookie_add(struct SessionHandle *data,
 
           is_ip = isip(domain ? domain : whatptr);
 
+          /* check for more dots */
+          dotp = strchr(whatptr, '.');
+          if(!dotp)
+            domain=":";
+
           if(!domain
              || (is_ip && !strcmp(whatptr, domain))
              || (!is_ip && tailmatch(whatptr, domain))) {
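Review bot: The added check treats any dot left in `whatptr` as proof that the domain is not a TLD, so it stops `domain=.com` but lets multi-label public suffixes (the `co.uk` kind) and a value with a trailing dot through to the `tailmatch()` test. Whether those are refused afterwards depends on code outside this hunk, and a suffix list would be needed to cover them properly. The `":"` sentinel is also undocumented: it works only because no host name can match it, and it replaces a NULL `domain` that the following `if(!domain ...` would otherwise have accepted. A comment such as `/* no dot left: single-label domain (a TLD); force a mismatch so the cookie is rejected */` in place of `/* check for more dots */` would make that explicit. Single-label hosts that set Domain to their own name appear to be rejected by the same path, which is worth stating in the comment or the docs. Curl_cookie_add's body starts and ends outside the hunk.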
index d2de2790a7d054783ce2223df8e5c655c530702d..e6dbbb901c0bcffe9417e17bf25f83d4e2edabbd 100644 (file)
@@ -23,6 +23,7 @@ Set-Cookie: test3=maybe; domain=foo.com; path=/moo; secure
 Set-Cookie: test4=no; domain=nope.foo.com; path=/moo; secure\r
 Set-Cookie: test5=name; domain=anything.com; path=/ ; secure\r
 Set-Cookie: fake=fooledyou; domain=..com; path=/;\r
+Set-Cookie: supercookie=fooledyou; domain=.com; path=/;^M
 Content-Length: 4\r
 \r
 boo
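Review bot: The new reply line covers only the leading-dot form `domain=.com`. The code under test strips one leading dot before the dot check, so a second line such as `Set-Cookie: supercookie2=fooledyou; domain=com; path=/;` would pin the no-leading-dot path as well. The added line is shown ending in `^M` while its neighbours end in `\r`; if that is not a rendering artifact, it should match the surrounding lines. The expected cookie-jar section of test61 is outside this hunk.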