
cookie: fix tailmatching to prevent cross-domain leakage

Cookies set for 'example.com' could accidentally also be sent by libcurl
to the 'bexample.com' (i.e. with a prefix to the first domain name).

This is a security vulnerability, CVE-2013-1944.

Bug: http://curl.haxx.se/docs/adv_20130412.html
aYasuharuYamada authored and bagder committed Apr 10, 2013
1 parent 96ffe64 commit 2eb8dcf26cb37f09cffe26909a646e702dbcab66
Showing with 19 additions and 5 deletions.
  1. +19 −5 lib/cookie.c
@@ -118,15 +118,29 @@ static void freecookie(struct Cookie *co)
free(co);
}

static bool tailmatch(const char *little, const char *bigone)
static bool tailmatch(const char *cooke_domain, const char *hostname)
{
size_t littlelen = strlen(little);
size_t biglen = strlen(bigone);
size_t cookie_domain_len = strlen(cooke_domain);
size_t hostname_len = strlen(hostname);

if(littlelen > biglen)
if(hostname_len < cookie_domain_len)
return FALSE;

return Curl_raw_equal(little, bigone+biglen-littlelen) ? TRUE : FALSE;
if(!Curl_raw_equal(cooke_domain, hostname+hostname_len-cookie_domain_len))
return FALSE;

/* A lead char of cookie_domain is not '.'.
RFC6265 4.1.2.3. The Domain Attribute says:
For example, if the value of the Domain attribute is
"example.com", the user agent will include the cookie in the Cookie
header when making HTTP requests to example.com, www.example.com, and
www.corp.example.com.
*/
if(hostname_len == cookie_domain_len)
return TRUE;
if('.' == *(hostname + hostname_len - cookie_domain_len - 1))
return TRUE;
return FALSE;
}

/*
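
Review bot: The precondition stated in the new comment, that cookie_domain has no leading '.', is relied on by the final boundary check but is not enforced inside tailmatch(). With a cookie_domain of ".example.com" and a hostname of "www.example.com", the tail compare succeeds, the lengths differ, and the byte before the matched tail is 'w', so the function returns FALSE for a legitimate subdomain. That fails closed, but it would be worth either stripping a leading dot here or stating in the function comment that callers must do so before calling. Separately, the parameter is spelled cooke_domain while the length variable is cookie_domain_len; renaming it to cookie_domain would keep the two consistent. The read at hostname + hostname_len - cookie_domain_len - 1 is in bounds only because the equal-length case returns first, which deserves a short comment so a later reorder does not turn it into a read before the start of the buffer.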
