1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-23 16:48:49 -05:00

cookies: skip custom cookies when redirecting cross-site

Closes #3417
This commit is contained in:
Katsuhiko YOSHIDA 2018-12-30 09:44:30 +09:00 committed by Daniel Stenberg
parent 89165c1a94
commit 1f30dc886d
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
4 changed files with 97 additions and 2 deletions

View File

@ -87,6 +87,10 @@ those servers will get all the contents of your custom headers too.
Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers
from being sent to other hosts than the first used one, unless specifically
permitted with the \fICURLOPT_UNRESTRICTED_AUTH(3)\fP option.
Starting in 7.64.0, libcurl will specifically prevent "Cookie:" headers
from being sent to other hosts than the first used one, unless specifically
permitted with the \fICURLOPT_UNRESTRICTED_AUTH(3)\fP option.
.SH DEFAULT
NULL
.SH PROTOCOLS

View File

@ -1835,7 +1835,8 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn,
checkprefix("Transfer-Encoding:", headers->data))
/* HTTP/2 doesn't support chunked requests */
;
else if(checkprefix("Authorization:", headers->data) &&
else if((checkprefix("Authorization:", headers->data) ||
checkprefix("Cookie:", headers->data)) &&
/* be careful of sending this potentially sensitive header to
other hosts */
(data->state.this_is_a_follow &&

View File

@ -56,7 +56,7 @@ test289 test290 test291 test292 test293 test294 test295 test296 test297 \
test298 test299 test300 test301 test302 test303 test304 test305 test306 \
test307 test308 test309 test310 test311 test312 test313 test314 test315 \
test316 test317 test318 test319 test320 test321 test322 test323 test324 \
test325 test326 test327 test328 test329 \
test325 test326 test327 test328 test329 test330 \
\
test340 \
\

90
tests/data/test330 Normal file
View File

@ -0,0 +1,90 @@
<testcase>
<info>
<keywords>
HTTP
followlocation
cookies
</keywords>
</info>
#
# Server-side
<reply>
<data>
HTTP/1.1 302 OK
Date: Thu, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake swsclose
Content-Type: text/html
Funny-head: yesyes
Location: http://goto.second.host.now/3170002
Content-Length: 8
Connection: close
contents
</data>
<data2>
HTTP/1.1 200 OK
Date: Thu, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake swsclose
Content-Type: text/html
Funny-head: yesyes
Content-Length: 9
contents
</data2>
<datacheck>
HTTP/1.1 302 OK
Date: Thu, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake swsclose
Content-Type: text/html
Funny-head: yesyes
Location: http://goto.second.host.now/3170002
Content-Length: 8
Connection: close
HTTP/1.1 200 OK
Date: Thu, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake swsclose
Content-Type: text/html
Funny-head: yesyes
Content-Length: 9
contents
</datacheck>
</reply>
#
# Client-side
<client>
<server>
http
</server>
<name>
HTTP with custom Cookie: and redirect to new host
</name>
<command>
http://first.host.it.is/we/want/that/page/317 -x %HOSTIP:%HTTPPORT -H "Cookie: test=yes" --location
</command>
</client>
#
# Verify data after the test has been "shot"
<verify>
<strip>
^User-Agent:.*
</strip>
<protocol>
GET http://first.host.it.is/we/want/that/page/317 HTTP/1.1
Host: first.host.it.is
Accept: */*
Proxy-Connection: Keep-Alive
Cookie: test=yes
GET http://goto.second.host.now/3170002 HTTP/1.1
Host: goto.second.host.now
Accept: */*
Proxy-Connection: Keep-Alive
</protocol>
</verify>
</testcase>