1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-22 08:08:50 -05:00

cookies: do not assume a valid domain has a dot

This repairs cookies for localhost.

Non-PSL builds will now only accept "localhost" without dots, while PSL
builds okeys everything not listed as PSL.

Added test 1258 to verify.

This was a regression brought in a76825a5ef
This commit is contained in:
Daniel Stenberg 2017-01-27 12:59:12 +01:00
parent 074405786b
commit cbd4e1fa0d
3 changed files with 72 additions and 9 deletions

View File

@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -492,7 +492,6 @@ Curl_cookie_add(struct Curl_easy *data,
} }
else if(strcasecompare("domain", name)) { else if(strcasecompare("domain", name)) {
bool is_ip; bool is_ip;
const char *dotp;
/* Now, we make sure that our host is within the given domain, /* Now, we make sure that our host is within the given domain,
or the given domain is not valid and thus cannot be set. */ or the given domain is not valid and thus cannot be set. */
@ -500,12 +499,22 @@ Curl_cookie_add(struct Curl_easy *data,
if('.' == whatptr[0]) if('.' == whatptr[0])
whatptr++; /* ignore preceding dot */ whatptr++; /* ignore preceding dot */
is_ip = isip(domain ? domain : whatptr); #ifndef USE_LIBPSL
/*
* Without PSL we don't know when the incoming cookie is set on a
* TLD or otherwise "protected" suffix. To reduce risk, we require a
* dot OR the exact host name being "localhost".
*/
{
const char *dotp;
/* check for more dots */
dotp = strchr(whatptr, '.');
if(!dotp && !strcasecompare("localhost", whatptr))
domain=":";
}
#endif
/* check for more dots */ is_ip = isip(domain ? domain : whatptr);
dotp = strchr(whatptr, '.');
if(!dotp)
domain=":";
if(!domain if(!domain
|| (is_ip && !strcmp(whatptr, domain)) || (is_ip && !strcmp(whatptr, domain))

View File

@ -5,7 +5,7 @@
# | (__| |_| | _ <| |___ # | (__| |_| | _ <| |___
# \___|\___/|_| \_\_____| # \___|\___/|_| \_\_____|
# #
# Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. # Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
# #
# This software is licensed as described in the file COPYING, which # This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms # you should have received as part of this distribution. The terms
@ -128,7 +128,7 @@ test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 \
test1228 test1229 test1230 test1231 test1232 test1233 test1234 test1235 \ test1228 test1229 test1230 test1231 test1232 test1233 test1234 test1235 \
test1236 test1237 test1238 test1239 test1240 test1241 test1242 test1243 \ test1236 test1237 test1238 test1239 test1240 test1241 test1242 test1243 \
test1244 test1245 test1246 test1247 test1248 test1249 test1250 test1251 \ test1244 test1245 test1246 test1247 test1248 test1249 test1250 test1251 \
test1252 test1253 test1254 test1255 test1256 test1257 \ test1252 test1253 test1254 test1255 test1256 test1257 test1258 \
\ \
test1280 test1281 test1282 \ test1280 test1281 test1282 \
\ \

54
tests/data/test1258 Normal file
View File

@ -0,0 +1,54 @@
<testcase>
<info>
<keywords>
HTTP
HTTP GET
HTTP replaced headers
cookies
httponly
</keywords>
</info>
# Server-side
<reply>
<data>
HTTP/1.0 200 OK swsclose
Date: Thu, 09 Nov 2010 14:49:00 GMT
Content-Type: text/html
Set-Cookie: I-am=here; domain=localhost;
boo
</data>
</reply>
# Client-side
<client>
<server>
http
</server>
<name>
HTTP, use cookies with localhost
</name>
<command>
http://%HOSTIP:%HTTPPORT/we/want/1258 http://%HOSTIP:%HTTPPORT/we/want?hoge=fuga -b non-existing -H "Host: localhost"
</command>
</client>
# Verify data after the test has been "shot"
<verify>
<strip>
^User-Agent:.*
</strip>
<protocol>
GET /we/want/1258 HTTP/1.1
Host: localhost
Accept: */*
GET /we/want?hoge=fuga HTTP/1.1
Host: localhost
Accept: */*
Cookie: I-am=here
</protocol>
</verify>
</testcase>