diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2022-06-26 11:00:48 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2022-06-26 11:00:48 +0200 |
| commit | 48d7064a49148f03942380967da739dcde1cdc24 (patch) | |
| tree | 406195db4bc0eb3dc048a29325248a099b98c770 /lib/http.c | |
| parent | 7230b19a2e17a164f61f82e4e409a9777ea2421a (diff) | |
| download | curl-48d7064a49148f03942380967da739dcde1cdc24.tar.gz | |
cookie: apply limits
- Send no more than 150 cookies per request
- Cap the max length used for a cookie: header to 8K
- Cap the max number of received Set-Cookie: headers to 50
Bug: https://curl.se/docs/CVE-2022-32205.html
CVE-2022-32205
Reported-by: Harry Sintonen
Closes #9048
Diffstat (limited to 'lib/http.c')
| -rw-r--r-- | lib/http.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/lib/http.c b/lib/http.c index 5284475ba..258722a60 100644 --- a/lib/http.c +++ b/lib/http.c @@ -2711,12 +2711,14 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, } #if !defined(CURL_DISABLE_COOKIES) + CURLcode Curl_http_cookies(struct Curl_easy *data, struct connectdata *conn, struct dynbuf *r) { CURLcode result = CURLE_OK; char *addcookies = NULL; + bool linecap = FALSE; if(data->set.str[STRING_COOKIE] && !Curl_checkheaders(data, STRCONST("Cookie"))) addcookies = data->set.str[STRING_COOKIE]; @@ -2734,7 +2736,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, !strcmp(host, "127.0.0.1") || !strcmp(host, "[::1]") ? TRUE : FALSE; Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE); - co = Curl_cookie_getlist(data->cookies, host, data->state.up.path, + co = Curl_cookie_getlist(data, data->cookies, host, data->state.up.path, secure_context); Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE); } @@ -2748,6 +2750,13 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, if(result) break; } + if((Curl_dyn_len(r) + strlen(co->name) + strlen(co->value) + 1) >= + MAX_COOKIE_HEADER_LEN) { + infof(data, "Restricted outgoing cookies due to header size, " + "'%s' not sent", co->name); + linecap = TRUE; + break; + } result = Curl_dyn_addf(r, "%s%s=%s", count?"; ":"", co->name, co->value); if(result) @@ -2758,7 +2767,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, } Curl_cookie_freelist(store); } - if(addcookies && !result) { + if(addcookies && !result && !linecap) { if(!count) result = Curl_dyn_addn(r, STRCONST("Cookie: ")); if(!result) { |