mirror of
https://github.com/moparisthebest/curl
synced 2024-11-17 15:05:02 -05:00
8a75dbeb23
By not detecting and rejecting domain names for partial literal IP addresses properly when parsing received HTTP cookies, libcurl can be fooled to both send cookies to wrong sites and to allow arbitrary sites to set cookies for others. CVE-2014-3613 Bug: http://curl.haxx.se/docs/adv_20140910A.html
130 lines
5.2 KiB
Plaintext
130 lines
5.2 KiB
Plaintext
<testcase>
|
|
<info>
|
|
<keywords>
|
|
HTTP
|
|
HTTP GET
|
|
cookies
|
|
cookiejar
|
|
</keywords>
|
|
</info>
|
|
# Server-side
|
|
<reply>
|
|
<data>
|
|
HTTP/1.1 200 OK
|
|
Date: Thu, 09 Nov 2010 14:49:00 GMT
|
|
Server: test-server/fake
|
|
Content-Length: 4
|
|
Content-Type: text/html
|
|
Funny-head: yesyes
|
|
Set-Cookie: foobar=name; domain=anything.com; path=/ ; secure
|
|
Set-Cookie:ismatch=this ; domain=127.0.0.1; path=/silly/
|
|
Set-Cookie: overwrite=this ; domain=127.0.0.1; path=/overwrite/
|
|
Set-Cookie: overwrite=this2 ; domain=127.0.0.1; path=/overwrite
|
|
Set-Cookie: sec1value=secure1 ; domain=127.0.0.1; path=/secure1/ ; secure
|
|
Set-Cookie: sec2value=secure2 ; domain=127.0.0.1; path=/secure2/ ; secure=
|
|
Set-Cookie: sec3value=secure3 ; domain=127.0.0.1; path=/secure3/ ; secure=
|
|
Set-Cookie: sec4value=secure4 ; secure=; domain=127.0.0.1; path=/secure4/ ;
|
|
Set-Cookie: sec5value=secure5 ; secure; domain=127.0.0.1; path=/secure5/ ;
|
|
Set-Cookie: sec6value=secure6 ; secure ; domain=127.0.0.1; path=/secure6/ ;
|
|
Set-Cookie: sec7value=secure7 ; secure ; domain=127.0.0.1; path=/secure7/ ;
|
|
Set-Cookie: sec8value=secure8 ; secure= ; domain=127.0.0.1; path=/secure8/ ;
|
|
Set-Cookie: secure=very1 ; secure=; domain=127.0.0.1; path=/secure9/;
|
|
Set-Cookie: httpo1=value1 ; domain=127.0.0.1; path=/p1/; httponly
|
|
Set-Cookie: httpo2=value2 ; domain=127.0.0.1; path=/p2/; httponly=
|
|
Set-Cookie: httpo3=value3 ; httponly; domain=127.0.0.1; path=/p3/;
|
|
Set-Cookie: httpo4=value4 ; httponly=; domain=127.0.0.1; path=/p4/;
|
|
Set-Cookie: httponly=myvalue1 ; domain=127.0.0.1; path=/p4/; httponly
|
|
Set-Cookie: httpandsec=myvalue2 ; domain=127.0.0.1; path=/p4/; httponly; secure
|
|
Set-Cookie: httpandsec2=myvalue3; domain=127.0.0.1; path=/p4/; httponly=; secure
|
|
Set-Cookie: httpandsec3=myvalue4 ; domain=127.0.0.1; path=/p4/; httponly; secure=
|
|
Set-Cookie: httpandsec4=myvalue5 ; domain=127.0.0.1; path=/p4/; httponly=; secure=
|
|
Set-Cookie: httpandsec5=myvalue6 ; domain=127.0.0.1; path=/p4/; secure; httponly=
|
|
Set-Cookie: httpandsec6=myvalue7 ; domain=127.0.0.1; path=/p4/; secure=; httponly=
|
|
Set-Cookie: httpandsec7=myvalue8 ; domain=127.0.0.1; path=/p4/; secure; httponly
|
|
Set-Cookie: httpandsec8=myvalue9; domain=127.0.0.1; path=/p4/; secure=; httponly
|
|
Set-Cookie: partmatch=present; domain=127.0.0.1 ; path=/;
|
|
Set-Cookie:eat=this; domain=moo.foo.moo;
|
|
Set-Cookie: eat=this-too; domain=.foo.moo;
|
|
Set-Cookie: nodomainnovalue
|
|
Set-Cookie: nodomain=value; expires=Fri Feb 2 11:56:27 GMT 2035
|
|
Set-Cookie: novalue; domain=reallysilly
|
|
Set-Cookie: test=yes; domain=foo.com; expires=Sat Feb 2 11:56:27 GMT 2030
|
|
Set-Cookie: test2=yes; domain=se; expires=Sat Feb 2 11:56:27 GMT 2030
|
|
Set-Cookie: magic=yessir; path=/silly/; HttpOnly
|
|
Set-Cookie: blexp=yesyes; domain=127.0.0.1; domain=127.0.0.1; expiry=totally bad;
|
|
Set-Cookie: partialip=nono; domain=.0.0.1;
|
|
|
|
boo
|
|
</data>
|
|
</reply>
|
|
|
|
# Client-side
|
|
<client>
|
|
<server>
|
|
http
|
|
</server>
|
|
<name>
|
|
HTTP with weirdly formatted cookies and cookiejar storage
|
|
</name>
|
|
# Explicitly set the time zone to a known good one, in case the user is
|
|
# using one of the 'right' zones that take into account leap seconds
|
|
# which causes the cookie expiry times to be different.
|
|
<setenv>
|
|
TZ=GMT
|
|
</setenv>
|
|
<command>
|
|
http://%HOSTIP:%HTTPPORT/we/want/31 -b none -c log/jar31.txt
|
|
</command>
|
|
<precheck>
|
|
perl -e 'if ("%HOSTIP" !~ /127\.0\.0\.1$/) {print "Test only works for HOSTIP 127.0.0.1"; exit(1)}'
|
|
</precheck>
|
|
</client>
|
|
|
|
# Verify data after the test has been "shot"
|
|
<verify>
|
|
<strip>
|
|
^User-Agent:.*
|
|
</strip>
|
|
<protocol>
|
|
GET /we/want/31 HTTP/1.1
|
|
Host: %HOSTIP:%HTTPPORT
|
|
Accept: */*
|
|
|
|
</protocol>
|
|
<file name="log/jar31.txt" mode="text">
|
|
# Netscape HTTP Cookie File
|
|
# http://curl.haxx.se/docs/http-cookies.html
|
|
# This file was generated by libcurl! Edit at your own risk.
|
|
|
|
127.0.0.1 FALSE /silly/ FALSE 0 ismatch this
|
|
127.0.0.1 FALSE /overwrite FALSE 0 overwrite this2
|
|
127.0.0.1 FALSE /secure1/ TRUE 0 sec1value secure1
|
|
127.0.0.1 FALSE /secure2/ TRUE 0 sec2value secure2
|
|
127.0.0.1 FALSE /secure3/ TRUE 0 sec3value secure3
|
|
127.0.0.1 FALSE /secure4/ TRUE 0 sec4value secure4
|
|
127.0.0.1 FALSE /secure5/ TRUE 0 sec5value secure5
|
|
127.0.0.1 FALSE /secure6/ TRUE 0 sec6value secure6
|
|
127.0.0.1 FALSE /secure7/ TRUE 0 sec7value secure7
|
|
127.0.0.1 FALSE /secure8/ TRUE 0 sec8value secure8
|
|
127.0.0.1 FALSE /secure9/ TRUE 0 secure very1
|
|
#HttpOnly_127.0.0.1 FALSE /p1/ FALSE 0 httpo1 value1
|
|
#HttpOnly_127.0.0.1 FALSE /p2/ FALSE 0 httpo2 value2
|
|
#HttpOnly_127.0.0.1 FALSE /p3/ FALSE 0 httpo3 value3
|
|
#HttpOnly_127.0.0.1 FALSE /p4/ FALSE 0 httpo4 value4
|
|
#HttpOnly_127.0.0.1 FALSE /p4/ FALSE 0 httponly myvalue1
|
|
#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec myvalue2
|
|
#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec2 myvalue3
|
|
#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec3 myvalue4
|
|
#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec4 myvalue5
|
|
#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec5 myvalue6
|
|
#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec6 myvalue7
|
|
#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec7 myvalue8
|
|
#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec8 myvalue9
|
|
127.0.0.1 FALSE / FALSE 0 partmatch present
|
|
127.0.0.1 FALSE /we/want/ FALSE 2054030187 nodomain value
|
|
#HttpOnly_127.0.0.1 FALSE /silly/ FALSE 0 magic yessir
|
|
127.0.0.1 FALSE /we/want/ FALSE 0 blexp yesyes
|
|
</file>
|
|
</verify>
|
|
</testcase>
|