cookies: do not assume a valid domain has a dot

This repairs cookies for localhost. Non-PSL builds will now only accept "localhost" without dots, while PSL builds okeys everything not listed as PSL. Added test 1258 to verify. This was a regression brought in a76825a5ef
2024-12-21 15:48:49 -05:00 · 2017-01-27 12:59:12 +01:00 · 2017-01-27 12:59:12 +01:00 · cbd4e1fa0d
commit cbd4e1fa0d
parent 074405786b
3 changed files with 72 additions and 9 deletions
--- a/lib/cookie.c
+++ b/lib/cookie.c
@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@ -492,7 +492,6 @@ Curl_cookie_add(struct Curl_easy *data,
        }
        else if(strcasecompare("domain", name)) {
          bool is_ip;
-          const char *dotp;

          /* Now, we make sure that our host is within the given domain,
             or the given domain is not valid and thus cannot be set. */
@ -500,12 +499,22 @@ Curl_cookie_add(struct Curl_easy *data,
          if('.' == whatptr[0])
            whatptr++; /* ignore preceding dot */

-          is_ip = isip(domain ? domain : whatptr);
+#ifndef USE_LIBPSL
+          /*
+           * Without PSL we don't know when the incoming cookie is set on a
+           * TLD or otherwise "protected" suffix. To reduce risk, we require a
+           * dot OR the exact host name being "localhost".
+           */
+          {
+            const char *dotp;
+            /* check for more dots */
+            dotp = strchr(whatptr, '.');
+            if(!dotp && !strcasecompare("localhost", whatptr))
+              domain=":";
+          }
+#endif

-          /* check for more dots */
-          dotp = strchr(whatptr, '.');
-          if(!dotp)
-            domain=":";
+          is_ip = isip(domain ? domain : whatptr);

          if(!domain
             || (is_ip && !strcmp(whatptr, domain))
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@ -128,7 +128,7 @@ test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 \
 test1228 test1229 test1230 test1231 test1232 test1233 test1234 test1235 \
 test1236 test1237 test1238 test1239 test1240 test1241 test1242 test1243 \
 test1244 test1245 test1246 test1247 test1248 test1249 test1250 test1251 \
-test1252 test1253 test1254 test1255 test1256 test1257 \
+test1252 test1253 test1254 test1255 test1256 test1257 test1258 \
 \
 test1280 test1281 test1282 \
 \
--- a/tests/data/test1258
+++ b/tests/data/test1258
@ -0,0 +1,54 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+HTTP replaced headers
+cookies
+httponly
+</keywords>
+</info>
+
+# Server-side
+<reply>
+<data>
+HTTP/1.0 200 OK swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Content-Type: text/html
+Set-Cookie: I-am=here; domain=localhost;
+
+boo
+</data>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+HTTP, use cookies with localhost
+ </name>
+ <command>
+http://%HOSTIP:%HTTPPORT/we/want/1258 http://%HOSTIP:%HTTPPORT/we/want?hoge=fuga -b non-existing -H "Host: localhost"
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+</strip>
+<protocol>
+GET /we/want/1258 HTTP/1.1
+Host: localhost
+Accept: */*
+
+GET /we/want?hoge=fuga HTTP/1.1
+Host: localhost
+Accept: */*
+Cookie: I-am=here
+
+</protocol>
+</verify>
+</testcase>