cookie: fix tailmatching to prevent cross-domain leakage
Cookies set for 'example.com' could accidentally also be sent by libcurl to 'bexample.com' (i.e. with a prefix to the first domain name). This is a security vulnerability, CVE-2013-1944. Bug: http://curl.haxx.se/docs/adv_20130412.html
		 YAMADA Yasuharu
					YAMADA Yasuharu
				
			
				
					committed by
					
						 Daniel Stenberg
						Daniel Stenberg
					
				
			
			
				
	
			
			
			 Daniel Stenberg
						Daniel Stenberg
					
				
			
						parent
						
							96ffe645fd
						
					
				
				
					commit
					2eb8dcf26c
				
			
							
								
								
									
										24
									
								
								lib/cookie.c
									
									
									
									
									
								
							
							
						
						
									
										24
									
								
								lib/cookie.c
									
									
									
									
									
								
							| @@ -118,15 +118,29 @@ static void freecookie(struct Cookie *co) | ||||
|   free(co); | ||||
| } | ||||
|  | ||||
| static bool tailmatch(const char *little, const char *bigone) | ||||
| static bool tailmatch(const char *cooke_domain, const char *hostname) | ||||
| { | ||||
|   size_t littlelen = strlen(little); | ||||
|   size_t biglen = strlen(bigone); | ||||
|   size_t cookie_domain_len = strlen(cooke_domain); | ||||
|   size_t hostname_len = strlen(hostname); | ||||
|  | ||||
|   if(littlelen > biglen) | ||||
|   if(hostname_len < cookie_domain_len) | ||||
|     return FALSE; | ||||
|  | ||||
|   return Curl_raw_equal(little, bigone+biglen-littlelen) ? TRUE : FALSE; | ||||
|   if(!Curl_raw_equal(cooke_domain, hostname+hostname_len-cookie_domain_len)) | ||||
|     return FALSE; | ||||
|  | ||||
|   /* A lead char of cookie_domain is not '.'. | ||||
|      RFC6265 4.1.2.3. The Domain Attribute says: | ||||
|        For example, if the value of the Domain attribute is | ||||
|        "example.com", the user agent will include the cookie in the Cookie | ||||
|        header when making HTTP requests to example.com, www.example.com, and | ||||
|        www.corp.example.com. | ||||
|    */ | ||||
|   if(hostname_len == cookie_domain_len) | ||||
|     return TRUE; | ||||
|   if('.' == *(hostname + hostname_len - cookie_domain_len - 1)) | ||||
|     return TRUE; | ||||
|   return FALSE; | ||||
| } | ||||
|  | ||||
| /* | ||||
|   | ||||
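Review bot: The suffix test in the new tailmatch() is applied to every host string, so a hostname that is an IP address literal is still compared label by label against `cooke_domain`. RFC 6265 section 5.1.3 permits the suffix form only when the host is a name and otherwise requires identical strings, so before the `'.' == *(hostname + hostname_len - cookie_domain_len - 1)` check I would return FALSE for an IP-address hostname unless the two strings are identical; the callers are outside this hunk, so they may already filter this. The comment's precondition that cookie_domain has no leading '.' should also be enforced or stated as a caller contract, for example `/* caller must strip a leading '.' from cookie_domain */`, because with a leading dot the boundary check reads the character before that dot and rejects www.example.com for ".example.com". The parameter name `cooke_domain` looks like a typo for `cookie_domain`.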