cookies: make bad_domain() not consider a trailing dot fine

The check for a dot in the domain must not consider a single trailing
dot to be fine, as then TLD + trailing dot is fine and curl will accept
setting cookies for it.

CVE-2022-27779

Reported-by: Axel Chong
Bug: https://curl.se/docs/CVE-2022-27779.html
Closes #8820
This commit is contained in:
Daniel Stenberg 2022-05-09 16:47:06 +02:00
parent f8cb6c610a
commit 7e92d12b4e
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2

View File

@ -427,7 +427,15 @@ static void remove_expired(struct CookieInfo *cookies)
/* Make sure domain contains a dot or is localhost. */
static bool bad_domain(const char *domain)
{
return !strchr(domain, '.') && !strcasecompare(domain, "localhost");
if(strcasecompare(domain, "localhost"))
return FALSE;
else {
/* there must be a dot present, but that dot must not be a trailing dot */
char *dot = strchr(domain, '.');
if(dot)
return dot[1] ? FALSE : TRUE;
}
return TRUE;
}
/*