Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cookie: fix crash in netscape cookie parsing (take 2) #15826

Closed
wants to merge 1 commit into from

Conversation

jay
Copy link
Member

@jay jay commented Dec 24, 2024

  • Parse the input string without modifying it.

Prior to this change a segfault could occur if the input string was const because the tokenizer modified the input string. For example if the user set CURLOPT_COOKIELIST to a const string then libcurl would likely cause a crash when modifying that string. Even if the string was not const or a crash did not occur there was still the incorrect and unexpected modification of the user's input string.

This issue was caused by 30da1f5 (precedes 8.11.0) which refactored some options parsing and eliminated the copy of the input string. Also, an earlier commit f88cc65 incorrectly cast the input pointer when passing it to strtok.

Closes #xxxx


Alternate take of #15824

@bagder
Copy link
Member

bagder commented Dec 24, 2024

I created test 3104 that crashes before this fix and works fine with it: https://github.com/curl/curl/tree/bagder/cookielist-netscape. You can either merge it with your fix, or I can do a PR after. You decide.

@jay jay changed the title cookie: fix crash in netscape cookie parsing cookie: fix crash in netscape cookie parsing (take 2) Dec 26, 2024
- Tokenize the input string without modifying it.

Prior to this change a segfault could occur if the input string was
const because the tokenizer modified the input string. For example if
the user set CURLOPT_COOKIELIST to a const string then libcurl would
likely cause a crash when modifying that string. Even if the string was
not const or a crash did not occur there was still the incorrect and
unexpected modification of the user's input string.

This issue was caused by 30da1f5 (precedes 8.11.0) which refactored
some options parsing and eliminated the copy of the input string. Also,
an earlier commit f88cc65 incorrectly cast the input pointer when
passing it to strtok.

Co-authored-by: Daniel Stenberg

Closes #xxxx
@jay jay force-pushed the cookie_crash_take2 branch from ce0c76c to c721759 Compare December 26, 2024 20:54
@github-actions github-actions bot added the tests label Dec 26, 2024
@jay
Copy link
Member Author

jay commented Dec 26, 2024

I created test 3104 that crashes before this fix and works fine with it

Thanks. I added it and a Co-authored-by tag.

@testclutch
Copy link

Analysis of PR #15826 at c7217597:

Test 2203 failed, which has NOT been flaky recently, so there could be a real issue in this PR.

Generated by Testclutch

@jay jay closed this in 39e2179 Dec 27, 2024
@jay jay deleted the cookie_crash_take2 branch December 27, 2024 18:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging this pull request may close these issues.

3 participants