From ca02a77f05bd5cef20618c8f741aa48b7be0a648 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Tue, 27 Dec 2022 11:50:23 +0100
Subject: [PATCH] hsts: handle adding the same host name again

It will then use the largest expire time of the two entries.

CVE: CVE-2023-23914 CVE-2023-23915
Upstream-Status: Backport [https://github.com/curl/curl/pull/10138/commits/e077b30a42272d964d76e5b815a0af7dc65d8360]

Signed-off-by: Pawan Badganchi
Signed-off-by: Mingli Yu
---
 lib/hsts.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/lib/hsts.c b/lib/hsts.c
index 339237be1c621..8d6723ee587d2 100644
--- a/lib/hsts.c
+++ b/lib/hsts.c
@@ -426,14 +426,23 @@ static CURLcode hsts_add(struct hsts *h, char *line)
   if(2 == rc) {
     time_t expires = strcmp(date, UNLIMITED) ? Curl_getdate_capped(date) :
       TIME_T_MAX;
-    CURLcode result;
+    CURLcode result = CURLE_OK;
     char *p = host;
     bool subdomain = FALSE;
+    struct stsentry *e;
     if(p[0] == '.') {
       p++;
       subdomain = TRUE;
     }
-    result = hsts_create(h, p, subdomain, expires);
+    /* only add it if not already present */
+    e = Curl_hsts(h, p, subdomain);
+    if(!e)
+      result = hsts_create(h, p, subdomain, expires);
+    else {
+      /* the same host name, use the largest expire time */
+      if(expires > e->expires)
+        e->expires = expires;
+    }
     if(result)
       return result;
   }
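Review bot: The new `e = Curl_hsts(h, p, subdomain);` lookup is not an exact-host match once `subdomain` is TRUE — if Curl_hsts performs the parent-domain (includeSubDomains) matching its third argument suggests, loading `.example.com` followed by `.sub.example.com` returns the `example.com` entry for the second line, so the `else` branch extends the parent's expiry and the subdomain entry is never created, which is not "the same host name" the comment describes. Limit the merge to a genuine duplicate, `else if(strcasecompare(p, e->host)) {`, so a non-identical subdomain hit does not get its expiry rewritten by a child entry's date; whether such a line should then still be created is a policy choice worth a comment. Note also that only `expires` is merged: a later duplicate line with a leading `.` never sets `e->includeSubDomains`, so the first-loaded line's subdomain flag silently wins. hsts_add starts before this hunk and its body continues after the closing `}`.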