| From 33dac5777fe5f9c8d2d7d340144b1685cd511d11 Mon Sep 17 00:00:00 2001 |
| From: Daniel Stenberg <daniel@haxx.se> |
| Date: Mon, 9 May 2022 16:47:06 +0200 |
| Subject: [PATCH] cookies: make bad_domain() not consider a trailing dot fine |
| |
| The check for a dot in the domain must not consider a single trailing |
| dot to be fine, as then TLD + trailing dot is fine and curl will accept |
| setting cookies for it. |
| |
| CVE-2022-27779 |
| |
| Reported-by: Axel Chong |
| Bug: https://curl.se/docs/CVE-2022-27779.html |
| Closes #8820 |
| |
| Upstream-Status: Backport [https://github.com/curl/curl/commit/7e92d12b4e6911f424678a133b19de670e183a59] |
| Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> |
| --- |
| lib/cookie.c | 10 +++++++++- |
| 1 file changed, 9 insertions(+), 1 deletion(-) |
| |
| diff --git a/lib/cookie.c b/lib/cookie.c |
| index d418efa..1b8c8f9 100644 |
| --- a/lib/cookie.c |
| +++ b/lib/cookie.c |
| @@ -427,7 +427,15 @@ static void remove_expired(struct CookieInfo *cookies) |
| /* Make sure domain contains a dot or is localhost. */ |
| static bool bad_domain(const char *domain) |
| { |
| - return !strchr(domain, '.') && !strcasecompare(domain, "localhost"); |
| + if(strcasecompare(domain, "localhost")) |
| + return FALSE; |
| + else { |
| + /* there must be a dot present, but that dot must not be a trailing dot */ |
| + char *dot = strchr(domain, '.'); |
| + if(dot) |
| + return dot[1] ? FALSE : TRUE; |
| + } |
| + return TRUE; |
| } |
| |
| /* |