From 49465fffdb37b91ee5a0ad2601ea9657e5cd8915 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Thu, 23 Dec 2010 22:52:32 +0100
Subject: [PATCH] cookies: tricked dotcounter fixed
Providing multiple dots in a series in the domain field (domain=..com) could trick the cookie engine to wrongly accept the cookie believing it to be fine. Since the tailmatching would then match all .com sites, the cookie would then be sent to all of them. The code now requires at least one letter between each dot for them to be counted. Edited test case 61 to verify this.
---
lib/cookie.c | 12 +++++++-----
tests/data/test61 | 1 +
2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/lib/cookie.c b/lib/cookie.c
index c6460a100..d40cbb8f8 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -270,6 +270,7 @@ Curl_cookie_add(struct SessionHandle *data,
we don't care about that, we treat the names the same anyway */
const char *domptr=whatptr;
+ const char *nextptr;
int dotcount=1;
/* Count the dots, we need to make sure that there are enough
@@ -280,12 +281,13 @@ Curl_cookie_add(struct SessionHandle *data,
domptr++;
do {
- domptr = strchr(domptr, '.');
- if(domptr) {
- domptr++;
- dotcount++;
+ nextptr = strchr(domptr, '.');
+ if(nextptr) {
+ if(domptr != nextptr)
+ dotcount++;
+ domptr = nextptr+1;
}
- } while(domptr);
+ } while(nextptr);
/* The original Netscape cookie spec defined that this domain name MUST have three dots (or two if one of the seven holy TLDs),
diff --git a/tests/data/test61 b/tests/data/test61
index f2a6a4ee7..da05616c1 100644
--- a/tests/data/test61
+++ b/tests/data/test61
@@ -22,6 +22,7 @@ SET-COOKIE: test2=yes; domain=host.foo.com; expires=Fri Feb 2 11:56:27 GMT 2035
Set-Cookie: test3=maybe; domain=foo.com; path=/moo; secure
Set-Cookie: test4=no; domain=nope.foo.com; path=/moo; secure
Set-Cookie: test5=name; domain=anything.com; path=/ ; secure
+Set-Cookie: fake=fooledyou; domain=..com; path=/;
Content-Length: 4
boo
--
2.40.0
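Review bot: In the second lib/cookie.c hunk, the new `if(domptr != nextptr)` test only requires a non-empty label before each dot, so a dot with nothing after it (a domain value ending in `.`) still increments `dotcount`. If the minimum-dot check that follows the loop relies on `dotcount` alone (that check, like the rest of Curl_cookie_add, is outside this hunk), such a value is counted like an ordinary two-label domain. Counting a dot only when there is a label on both sides would close that, e.g. `if(domptr != nextptr && nextptr[1] && nextptr[1] != '.')`, and test61 would benefit from a trailing-dot and an interior-double-dot `Set-Cookie` line next to the `domain=..com` one.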