author | Daniel Stenberg <daniel@haxx.se> | 2017-01-27 12:59:12 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2017-01-27 13:32:02 +0100 |
commit | cbd4e1fa0dc77cd65ec09985e979a4be11b60096 (patch) | |
tree | bb6ebacdb8a494bf216db8209a3fdbc23088141c /lib/cookie.c | |
parent | 074405786b366b5c41ab693d1fa129e7a64171ee (diff) | |
download | curl-cbd4e1fa0dc77cd65ec09985e979a4be11b60096.tar.gz |
cookies: do not assume a valid domain has a dot
This repairs cookies for localhost.
Non-PSL builds will now only accept "localhost" without dots, while PSL
builds okay everything not listed in the PSL.
Added test 1258 to verify.
This was a regression brought in a76825a5efa6b4
Diffstat (limited to 'lib/cookie.c')
-rw-r--r-- | lib/cookie.c | 23 |
1 files changed, 16 insertions, 7 deletions
diff --git a/lib/cookie.c b/lib/cookie.c
index 092a226f3..8a4b844fc 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -5,7 +5,7 @@
  * | (__| |_| | _ <| |___
  * \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -492,7 +492,6 @@ Curl_cookie_add(struct Curl_easy *data,
  }
  else if(strcasecompare("domain", name)) {
  bool is_ip;
- const char *dotp;
 
  /* Now, we make sure that our host is within the given domain,
  or the given domain is not valid and thus cannot be set. */
@@ -500,12 +499,22 @@ Curl_cookie_add(struct Curl_easy *data,
  if('.' == whatptr[0])
  whatptr++; /* ignore preceding dot */
 
- is_ip = isip(domain ? domain : whatptr);
+#ifndef USE_LIBPSL
+ /*
+ * Without PSL we don't know when the incoming cookie is set on a
+ * TLD or otherwise "protected" suffix. To reduce risk, we require a
+ * dot OR the exact host name being "localhost".
+ */
+ {
+ const char *dotp;
+ /* check for more dots */
+ dotp = strchr(whatptr, '.');
+ if(!dotp && !strcasecompare("localhost", whatptr))
+ domain=":";
+ }
+#endif
 
- /* check for more dots */
- dotp = strchr(whatptr, '.');
- if(!dotp)
- domain=":";
+ is_ip = isip(domain ? domain : whatptr);
 
  if(!domain
  || (is_ip && !strcmp(whatptr, domain)) |
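Review bot: In the `#ifndef USE_LIBPSL` block of the third hunk, `strchr(whatptr, '.')` is satisfied by any dot, so a domain attribute whose only dot is its final character counts as "has a dot" and skips the `domain=":"` rejection that the new comment says is there to protect TLD-like suffixes. Tightening the condition to `if((!dotp || !dotp[1]) && !strcasecompare("localhost", whatptr))` would treat a lone trailing dot the same as no dot. Whether such a value can go on to match the request host depends on the condition that starts at `if(!domain` and continues past the end of this hunk, so this should be confirmed against the rest of Curl_cookie_add. The `is_ip` assignment now runs after `domain` may have been replaced by the ":" marker; a one-line comment there, for example `/* domain may already be the ":" reject marker */`, would make that ordering visibly deliberate.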