From 33dac5777fe5f9c8d2d7d340144b1685cd511d11 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 9 May 2022 16:47:06 +0200 Subject: [PATCH] cookies: make bad_domain() not consider a trailing dot fine The check for a dot in the domain must not consider a single trailing dot to be fine, as then TLD + trailing dot is fine and curl will accept setting cookies for it. CVE-2022-27779 Reported-by: Axel Chong Bug: https://curl.se/docs/CVE-2022-27779.html Closes #8820 Upstream-Status: Backport [https://github.com/curl/curl/commit/7e92d12b4e6911f424678a133b19de670e183a59] Signed-off-by: Robert Joslyn --- lib/cookie.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/lib/cookie.c b/lib/cookie.c index d418efa..1b8c8f9 100644 --- a/lib/cookie.c +++ b/lib/cookie.c @@ -427,7 +427,15 @@ static void remove_expired(struct CookieInfo *cookies) /* Make sure domain contains a dot or is localhost. */ static bool bad_domain(const char *domain) { - return !strchr(domain, '.') && !strcasecompare(domain, "localhost"); + if(strcasecompare(domain, "localhost")) + return FALSE; + else { + /* there must be a dot present, but that dot must not be a trailing dot */ + char *dot = strchr(domain, '.'); + if(dot) + return dot[1] ? FALSE : TRUE; + } + return TRUE; } /*