OS-2156 handle curl CVE-2013-1944
Showing
1 changed file
with
57 additions
and
0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
From 3604fde3d3c9b0d0e389e079aecf470d123ba180 Mon Sep 17 00:00:00 2001 | ||
From: YAMADA Yasuharu <yasuharu.yamada@access-company.com> | ||
Date: Thu, 11 Apr 2013 00:17:15 +0200 | ||
Subject: [PATCH] cookie: fix tailmatching to prevent cross-domain leakage | ||
|
||
Cookies set for 'example.com' could accidentaly also be sent by libcurl | ||
to the 'bexample.com' (ie with a prefix to the first domain name). | ||
|
||
This is a security vulnerabilty, CVE-2013-1944. | ||
|
||
Bug: http://curl.haxx.se/docs/adv_20130412.html | ||
--- | ||
lib/cookie.c | 24 +++++++++++++++++++----- | ||
1 file changed, 19 insertions(+), 5 deletions(-) | ||
|
||
diff --git a/lib/cookie.c b/lib/cookie.c | ||
index 4b9ec0b..a67204e 100644 | ||
--- a/lib/cookie.c | ||
+++ b/lib/cookie.c | ||
@@ -118,15 +118,29 @@ static void freecookie(struct Cookie *co) | ||
free(co); | ||
} | ||
|
||
-static bool tailmatch(const char *little, const char *bigone) | ||
+static bool tailmatch(const char *cooke_domain, const char *hostname) | ||
{ | ||
- size_t littlelen = strlen(little); | ||
- size_t biglen = strlen(bigone); | ||
+ size_t cookie_domain_len = strlen(cooke_domain); | ||
+ size_t hostname_len = strlen(hostname); | ||
|
||
- if(littlelen > biglen) | ||
+ if(hostname_len < cookie_domain_len) | ||
return FALSE; | ||
|
||
- return Curl_raw_equal(little, bigone+biglen-littlelen) ? TRUE : FALSE; | ||
+ if(!Curl_raw_equal(cooke_domain, hostname+hostname_len-cookie_domain_len)) | ||
+ return FALSE; | ||
+ | ||
+ /* A lead char of cookie_domain is not '.'. | ||
+ RFC6265 4.1.2.3. The Domain Attribute says: | ||
+ For example, if the value of the Domain attribute is | ||
+ "example.com", the user agent will include the cookie in the Cookie | ||
+ header when making HTTP requests to example.com, www.example.com, and | ||
+ www.corp.example.com. | ||
+ */ | ||
+ if(hostname_len == cookie_domain_len) | ||
+ return TRUE; | ||
+ if('.' == *(hostname + hostname_len - cookie_domain_len - 1)) | ||
+ return TRUE; | ||
+ return FALSE; | ||
} | ||
|
||
/* | ||
-- | ||
1.7.10.4 | ||
|
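Review bot: The new `tailmatch()` is only correct if the stored cookie domain never begins with '.', and nothing in the function enforces that; the comment `A lead char of cookie_domain is not '.'` states it as a fact rather than a requirement. With a stored domain of `.example.com` and a host of `www.example.com` the tail compares equal, but the byte read at `hostname + hostname_len - cookie_domain_len - 1` is `w`, so a legitimate subdomain would be rejected (this fails closed, but silently). Whether the caller strips the leading dot before storing the domain is not visible in this patch, so confirm it against the curl version this patch is applied to, or reword the comment as a precondition such as `/* caller must have stripped any leading '.' from cookie_domain */`. The parameter is also misspelled `cooke_domain` in the signature and both uses; `cookie_domain` would match `cookie_domain_len`.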