Backport of: From 2b0994c29a721c91c572cff7808c572a24d251eb Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 23 Nov 2023 08:15:47 +0100 Subject: [PATCH] cookie: lowercase the domain names before PSL checks Reported-by: Harry Sintonen Closes #12387 CVE: CVE-2023-46218 Upstream-Status: Backport [https://github.com/curl/curl/commit/2b0994c29a721c91c57] Signed-off-by: Poonam Jadhav --- lib/cookie.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) --- a/lib/cookie.c +++ b/lib/cookie.c @@ -1044,15 +1044,23 @@ Curl_cookie_add(struct Curl_easy *data, * dereference it. */ if(data && (domain && co->domain && !Curl_host_is_ipnum(co->domain))) { - const psl_ctx_t *psl = Curl_psl_use(data); - int acceptable; - - if(psl) { - acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain); - Curl_psl_release(data); + bool acceptable = FALSE; + char lcase[256]; + char lcookie[256]; + size_t dlen = strlen(domain); + size_t clen = strlen(co->domain); + if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) { + const psl_ctx_t *psl = Curl_psl_use(data); + if(psl) { + /* the PSL check requires lowercase domain name and pattern */ + Curl_strntolower(lcase, domain, dlen + 1); + Curl_strntolower(lcookie, co->domain, clen + 1); + acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie); + Curl_psl_release(data); + } + else + acceptable = !bad_domain(domain); } - else - acceptable = !bad_domain(domain); if(!acceptable) { infof(data, "cookie '%s' dropped, domain '%s' must not "