File curl-CVE-2023-46218.patch of Package curl

Overview Repositories Revisions Requests Users Attributes Meta

File curl-CVE-2023-46218.patch of Package curl

From 2b0994c29a721c91c572cff7808c572a24d251eb Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 23 Nov 2023 08:15:47 +0100
Subject: [PATCH] cookie: lowercase the domain names before PSL checks

Reported-by: Harry Sintonen

Closes #12387
---
 lib/cookie.c | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

Index: curl-7.60.0/lib/cookie.c
===================================================================
--- curl-7.60.0.orig/lib/cookie.c
+++ curl-7.60.0/lib/cookie.c
@@ -465,10 +465,6 @@ Curl_cookie_add(struct Curl_easy *data,
   bool badcookie = FALSE; /* cookies are good by default. mmmmm yummy */
   size_t myhash;
 
-#ifdef USE_LIBPSL
-  const psl_ctx_t *psl;
-#endif
-
 #ifdef CURL_DISABLE_VERBOSE_STRINGS
   (void)data;
 #endif
@@ -917,8 +913,23 @@ Curl_cookie_add(struct Curl_easy *data,
   /* Check if the domain is a Public Suffix and if yes, ignore the cookie.
      This needs a libpsl compiled with builtin data. */
   if(domain && co->domain && !isip(co->domain)) {
-    psl = psl_builtin();
-    if(psl && !psl_is_cookie_domain_acceptable(psl, domain, co->domain)) {
+    bool acceptable = FALSE;
+    char lcase[256];
+    char lcookie[256];
+    size_t dlen = strlen(domain);
+    size_t clen = strlen(co->domain);
+    if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
+      const psl_ctx_t *psl = psl_builtin();
+      if(psl) {
+        /* the PSL check requires lowercase domain name and pattern */
+        Curl_strntolower(lcase, domain, dlen + 1);
+        Curl_strntolower(lcookie, co->domain, clen + 1);
+        acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
+      }
+      else
+        acceptable = !strchr(domain, '.') && !strcasecompare(domain, "localhost");
+    }
+    if(!acceptable) {
       infof(data,
             "cookie '%s' dropped, domain '%s' must not set cookies for '%s'\n",
             co->name, domain, co->domain);

Places

File curl-CVE-2023-46218.patch of Package curl

Places