
Commit 2eb8dcf

aYasuharuYamadabagder
authored andcommitted
cookie: fix tailmatching to prevent cross-domain leakage
Cookies set for 'example.com' could accidentally also be sent by libcurl to 'bexample.com' (i.e. a host name that merely has a prefix in front of the first domain name). This is a security vulnerability, CVE-2013-1944. Bug: http://curl.haxx.se/docs/adv_20130412.html
1 parent 96ffe64 commit 2eb8dcf


1 file changed

+19
-5
lines changed


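--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -118,15 +118,29 @@ static void freecookie(struct Cookie *co)
 free(co);
 }
 
-static bool tailmatch(const char *little, const char *bigone)
+static bool tailmatch(const char *cooke_domain, const char *hostname)
 {
-size_t littlelen = strlen(little);
-size_t biglen = strlen(bigone);
+size_t cookie_domain_len = strlen(cooke_domain);
+size_t hostname_len = strlen(hostname);
 
-if(littlelen > biglen)
+if(hostname_len < cookie_domain_len)
 return FALSE;
 
-return Curl_raw_equal(little, bigone+biglen-littlelen) ? TRUE : FALSE;
+if(!Curl_raw_equal(cooke_domain, hostname+hostname_len-cookie_domain_len))
+return FALSE;
+
+/* A lead char of cookie_domain is not '.'.
+RFC6265 4.1.2.3. The Domain Attribute says:
+For example, if the value of the Domain attribute is
+"example.com", the user agent will include the cookie in the Cookie
+header when making HTTP requests to example.com, www.example.com, and
+www.corp.example.com.
+*/
+if(hostname_len == cookie_domain_len)
+return TRUE;
+if('.' == *(hostname + hostname_len - cookie_domain_len - 1))
+return TRUE;
+return FALSE;
 }
 
 /*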
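Review bot: The new dot-boundary test in tailmatch() is purely textual, so a hostname that is a numeric address still suffix-matches on a dot: as written, a cookie domain of `2.3.4` returns TRUE for host `1.2.3.4`, whereas RFC 6265 domain-matching (section 5.1.3) allows a suffix match only when the host is a name, not an IP address. Whether the callers already reject address-literal hosts or domains is not visible in this hunk, so either confirm that at the call sites or make tailmatch() accept only the exact-length match when `hostname` is an address. The function also depends on the caller having stripped a leading '.' from the domain (with `.example.com`, host `www.example.com` fails the `'.' ==` test), which the comment only hints at; `/* cookie_domain must already have any leading '.' removed by the caller */` would state the precondition directly. The parameter name `cooke_domain` looks like a typo for `cookie_domain`.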
