blob: 235be900a3c3ec39319e6672faaaa5b204d52503 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
|
From 33dac5777fe5f9c8d2d7d340144b1685cd511d11 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 9 May 2022 16:47:06 +0200
Subject: [PATCH] cookies: make bad_domain() not consider a trailing dot fine
The check for a dot in the domain must not consider a single trailing
dot to be fine, as then TLD + trailing dot is fine and curl will accept
setting cookies for it.
CVE-2022-27779
Reported-by: Axel Chong
Bug: https://curl.se/docs/CVE-2022-27779.html
Closes #8820
Upstream-Status: Backport [https://github.com/curl/curl/commit/7e92d12b4e6911f424678a133b19de670e183a59]
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
---
lib/cookie.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/lib/cookie.c b/lib/cookie.c
index d418efa..1b8c8f9 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -427,7 +427,15 @@ static void remove_expired(struct CookieInfo *cookies)
/* Make sure domain contains a dot or is localhost. */
static bool bad_domain(const char *domain)
{
- return !strchr(domain, '.') && !strcasecompare(domain, "localhost");
+ if(strcasecompare(domain, "localhost"))
+ return FALSE;
+ else {
+ /* there must be a dot present, but that dot must not be a trailing dot */
+ char *dot = strchr(domain, '.');
+ if(dot)
+ return dot[1] ? FALSE : TRUE;
+ }
+ return TRUE;
}
/*
|
