From a67a56ec8597c297a40c1dd4f9812ab2be3ab930 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Wed, 5 Oct 2022 09:12:39 +0200
Subject: [PATCH 1/3] cookie: reject cookie names or content with TAB characters

TABs in name and content seem allowed by RFC 6265: "the algorithm strips leading and trailing whitespace from the cookie name and value (but maintains internal whitespace)" Cookies with TABs in the names are rejected by Firefox and Chrome. TABs in content are stripped out by Firefox, while Chrome discards the whole cookie. TABs in cookies also cause issues in saved netscape cookie files.

Reported-by: Trail of Bits
---
 lib/cookie.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/cookie.c b/lib/cookie.c
index ab790a1cdb0cea..7f23b417b72d03 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -538,7 +538,7 @@ Curl_cookie_add(struct Curl_easy *data,
 do {
 /* we have a = pair or a stand-alone word here */
 name[0] = what[0] = 0; /* init the buffers */
- if(1 <= sscanf(ptr, "%" MAX_NAME_TXT "[^;\r\n=] =%"
+ if(1 <= sscanf(ptr, "%" MAX_NAME_TXT "[^;\t\r\n=] =%"
 MAX_NAME_TXT "[^;\r\n]",
 name, what)) {
 /*
@@ -592,6 +592,13 @@ Curl_cookie_add(struct Curl_easy *data,
 while(*whatptr && ISBLANK(*whatptr))
 whatptr++;
+ /* Reject cookies with a TAB inside the content */
+ if(strchr(whatptr, '\t')) {
+ freecookie(co);
+ infof(data, "cookie contains TAB, dropping");
+ return NULL;
+ }
+
 /*
 * Check if we have a reserved prefix set before anything else, as we
 * otherwise have to test for the prefix in both the cookie name and
From f16194274e1a0631e545460c61f1ab23c96c29ea Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Thu, 6 Oct 2022 14:39:51 +0200
Subject: [PATCH 2/3] test1105: extend to verify TAB in name/content discarding cookies
---
 tests/data/test1105 | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tests/data/test1105 b/tests/data/test1105
index a06a0517378fa2..21a8b52292fd61 100644
--- a/tests/data/test1105
+++ b/tests/data/test1105
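Review bot: The new code rejects a TAB explicitly only on the value side — `if(strchr(whatptr, '\t'))` drops the cookie — while for the name it merely removes `\t` from the `%[^;\t\r\n=]` scanset, so a name such as `foo\tbar` is silently truncated to `foo` and whether the cookie is actually refused depends on the separator/`=` handling below the hunk; for attribute pairs after the first one (`; pa\tth=/`) that path presumably just skips the attribute instead of dropping the cookie, which is not the browser behaviour the commit message describes. A symmetric explicit check right after the sscanf, before `name` is trimmed — e.g. `if(ptr[strlen(name)] == '\t') { freecookie(co); infof(data, "cookie name contains TAB, dropping"); return NULL; }` — would make the name rule visible in the code and independent of the later logic. The added comment should also state the reason, since it is only in the commit message: `/* Reject cookies with a TAB inside the content: browsers discard such cookies, and the netscape cookie jar is TAB-delimited, so an embedded TAB would shift fields when the saved cookie is read back */`. Including the name in the log line, `infof(data, "cookie '%s' contains TAB, dropping", name);`, makes the drop diagnosable for a user who hits it. Curl_cookie_add starts and ends outside both hunks.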
@@ -19,6 +19,9 @@ Funny-head: yesyes swsclose
 Set-Cookie: foobar=name;
 Set-Cookie: mismatch=this; domain=127.0.0.1; path="/silly/";
 Set-Cookie: partmatch=present; domain=.0.0.1; path=/;
+Set-Cookie: foo bar=barfoo
+Set-Cookie: bar foo=
+Set-Cookie: bar=foo bar
From 64ee510d4ee66c421ff7245d132349bfb10f6093 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Thu, 6 Oct 2022 17:39:49 +0200
Subject: [PATCH 3/3] test8: update as cookies no longer can have "embedded" TABs in content
---
 tests/data/test8 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/data/test8 b/tests/data/test8
index 858761159aa0d0..fa44a5a6aa27a5 100644
--- a/tests/data/test8
+++ b/tests/data/test8
@@ -54,7 +54,7 @@ Set-Cookie: cookie5=%hex[%05-junk]hex%
 Set-Cookie: cookie6=%hex[%06-junk]hex%
 Set-Cookie: cookie7=%hex[%07-junk]hex%
 Set-Cookie: cookie8=%hex[%08-junk]hex%
-Set-Cookie: cookie9=%hex[junk-%09-]hex%
+Set-Cookie: cookie9=%hex[junk--%09]hex%
 Set-Cookie: cookie11=%hex[%0b-junk]hex%
 Set-Cookie: cookie12=%hex[%0c-junk]hex%
 Set-Cookie: cookie14=%hex[%0e-junk]hex%
@@ -90,7 +90,7 @@ GET /we/want/%TESTNUMBER HTTP/1.1
 Host: %HOSTIP:%HTTPPORT
 User-Agent: curl/%VERSION
 Accept: */*
-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk- -
+Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk--