cookie: fix tailmatching to prevent cross-domain leakage

Cookies set for one domain could accidentally also be sent by libcurl
to a different host whose name merely ends with that domain (i.e. the
first domain name with a prefix added).

This is a security vulnerability, CVE-2013-1944.

aYasuharuYamada authored and bagder committed Apr 10, 2013
1 parent 96ffe64 commit 2eb8dcf26cb37f09cffe26909a646e702dbcab66
Showing with 19 additions and 5 deletions.
  1. +19 −5 lib/cookie.c
@@ -118,15 +118,29 @@ static void freecookie(struct Cookie *co)

static bool tailmatch(const char *little, const char *bigone)
static bool tailmatch(const char *cooke_domain, const char *hostname)
size_t littlelen = strlen(little);
size_t biglen = strlen(bigone);
size_t cookie_domain_len = strlen(cooke_domain);
size_t hostname_len = strlen(hostname);

if(littlelen > biglen)
if(hostname_len < cookie_domain_len)
return FALSE;

return Curl_raw_equal(little, bigone+biglen-littlelen) ? TRUE : FALSE;
if(!Curl_raw_equal(cooke_domain, hostname+hostname_len-cookie_domain_len))
return FALSE;

/* A lead char of cookie_domain is not '.'.
RFC6265 The Domain Attribute says:
For example, if the value of the Domain attribute is
"", the user agent will include the cookie in the Cookie
header when making HTTP requests to,, and
if(hostname_len == cookie_domain_len)
return TRUE;
if('.' == *(hostname + hostname_len - cookie_domain_len - 1))
return TRUE;
return FALSE;
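Review bot: The new tail of tailmatch() enforces the dot boundary but never checks that `hostname` is a DNS name rather than an IP literal, and RFC 6265 section 5.1.3 allows suffix matching only for host names. Unless the callers (not visible in this hunk) already filter numeric hosts, a dotted-quad hostname is suffix-matched like any other string. At minimum I would record the precondition above the length comparison, `/* hostname must not be an IP literal: RFC 6265 5.1.3 limits suffix matching to host names; callers must compare IP addresses for exact equality */`, and preferably enforce it in the callers. An empty `cooke_domain` also passes the Curl_raw_equal() test and then matches any hostname ending in '.', so an early `if(!cookie_domain_len) return FALSE;` looks worthwhile if an empty domain can reach this function. As a style point, the parameter is spelled `cooke_domain` while its length is `cookie_domain_len`; renaming it to `cookie_domain` keeps the two consistent.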


