author | Daniel Gustafsson <daniel@yesql.se> | 2018-12-19 20:59:09 +0100 |
---|---|---|
committer | Daniel Gustafsson <daniel@yesql.se> | 2018-12-19 20:59:09 +0100 |
commit | 3773de378d48b06c09931e44dca4d274d0bfdce0 (patch) | |
tree | efe71a59c1f0012494e1fd5f92c5011eee56d637 | |
parent | 462037ad487c0457451e66afd0cb50a9f70c0c28 (diff) | |
cookies: extend domain checks to non psl builds
Make sure we perform the checks we have for enforcing a sane domain in
the cookie request. The check for non-PSL enabled builds is quite
basic but it's better than nothing.
Closes #2964
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
-rw-r--r-- | lib/cookie.c | 13 | ||||
-rw-r--r-- | tests/data/test8 | 1 |
2 files changed, 9 insertions, 5 deletions
diff --git a/lib/cookie.c b/lib/cookie.c
index bc0ab0dfe..f52c30840 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -803,6 +803,8 @@ Curl_cookie_add(struct Curl_easy *data,
 co->domain = strdup(ptr);
 if(!co->domain)
 badcookie = TRUE;
+ else if(bad_domain(co->domain))
+ badcookie = TRUE;
 break;
 case 1:
 /* This field got its explanation on the 23rd of May 2001 by
@@ -906,18 +908,20 @@ Curl_cookie_add(struct Curl_easy *data,
 if(!noexpire)
 remove_expired(c);
-#ifdef USE_LIBPSL
- /* Check if the domain is a Public Suffix and if yes, ignore the cookie. */
 if(domain && co->domain && !isip(co->domain)) {
- const psl_ctx_t *psl = Curl_psl_use(data);
 int acceptable;
+#ifdef USE_LIBPSL
+ const psl_ctx_t *psl = Curl_psl_use(data);
+ /* Check if the domain is a Public Suffix and if yes, ignore the cookie. */
 if(psl) {
 acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
 Curl_psl_release(data);
 }
 else
- acceptable = !bad_domain(domain);
+#endif
+ /* Without libpsl, do the best we can. */
+ acceptable = !bad_domain(co->domain);
 if(!acceptable) {
 infof(data, "cookie '%s' dropped, domain '%s' must not "
@@ -926,7 +930,6 @@ Curl_cookie_add(struct Curl_easy *data,
 return NULL;
 }
 }
-#endif
 myhash = cookiehash(co->domain);
 clist = c->cookies[myhash];
diff --git a/tests/data/test8 b/tests/data/test8
index 2fc190060..e6d0f500e 100644
--- a/tests/data/test8
+++ b/tests/data/test8
@@ -46,6 +46,7 @@ Set-Cookie: trailingspace = removed; path=/we/want;
 Set-Cookie: nocookie=yes; path=/WE;
 Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad;
 Set-Cookie: partialip=nono; domain=.0.0.1;
+Set-Cookie: chocolate=chip; domain=curl; path=/we/want;
 </file>
 <precheck> |
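Review bot: The `else if(bad_domain(co->domain))` branch added before `case 1:` only sets `badcookie = TRUE`, so an entry rejected here leaves no trace, whereas the check in the second hunk reports the drop through `infof()`. Unless the code after the switch (outside this hunk) already logs bad entries, consider emitting a similar message here so that a cookie which stops being loaded after this change can be diagnosed. The commit's test8 addition exercises a `Set-Cookie:` header with `domain=curl`; nothing in the diff covers this field-parsing branch, and a test case for it would be worth adding. At minimum a comment such as `/* apply the same domain sanity check as for header cookies */` would record the intent.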
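Review bot: On builds without libpsl, and on libpsl builds where `Curl_psl_use()` returns NULL, `acceptable = !bad_domain(co->domain);` in the second hunk is now applied to every non-IP cookie, whether or not `co->domain` came from a `domain=` attribute. If `co->domain` is filled from the request host when the attribute is absent (that code is outside the hunk), cookies from a host reached by a dotless name could all be rejected, presumably because `bad_domain()` judges only the shape of the name; accepting an exact host match first would avoid this, e.g. `acceptable = strcasecompare(domain, co->domain) || !bad_domain(co->domain);`. The `/* Without libpsl, do the best we can. */` comment should also state what the fallback does not cover: it has no public-suffix knowledge, so a cookie scoped to a multi-label public suffix is presumably still accepted on these builds. The enclosing function starts and ends outside the hunk.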