test414: verify secure cookie domain overlay

This commit is contained in:
Daniel Stenberg 2022-05-19 14:48:26 +02:00
parent e9a8451a3b
commit 9ec22e4fe6
2 changed files with 84 additions and 1 deletions


@ -67,7 +67,7 @@ test380 test381 test383 test384 test385 test386 \
test392 test393 test394 test395 test396 test397 test398 \
\
test400 test401 test402 test403 test404 test405 test406 test407 test408 \
test409 test410 test411 test412 test413 \
test409 test410 test411 test412 test413 test414 \
\
test430 test431 test432 test433 test434 test435 test436 \
\

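--- /dev/null
+++ b/tests/data/test414
@@ -0,0 +1,83 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+cookies
+</keywords>
+</info>
+#
+# Server-side
+<reply>
+<data nocheck="yes">
+HTTP/1.1 301 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 6
+Set-Cookie: SESSIONID=originaltoken; secure
+Set-Cookie: second=originaltoken; secure; path=/a
+Location: http://attack.invalid:%HTTPPORT/a/b/%TESTNUMBER0002
+-foo-
+</data>
+<data2>
+HTTP/1.1 301 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 6
+Set-Cookie: SESSIONID=hacker; domain=attack.invalid;
+Set-Cookie: second=replacement; path=/a/b
+Location: https://attack.invalid:%HTTPSPORT/a/b/%TESTNUMBER0003
+-foo-
+</data2>
+<data3>
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 6
+-foo-
+</data3>
+</reply>
+#
+# Client-side
+<client>
+<server>
+http
+https
+</server>
+<name>
+HTTPS sec-cookie, HTTP redirect, same name cookie, redirect back
+</name>
+<command>
+https://attack.invalid:%HTTPSPORT/a/b/%TESTNUMBER -k -c log/cookie%TESTNUMBER --resolve attack.invalid:%HTTPSPORT:%HOSTIP --resolve attack.invalid:%HTTPPORT:%HOSTIP -L
+</command>
+</client>
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET /a/b/%TESTNUMBER HTTP/1.1
+Host: attack.invalid:%HTTPSPORT
+User-Agent: curl/%VERSION
+Accept: */*
+GET /a/b/%TESTNUMBER0002 HTTP/1.1
+Host: attack.invalid:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+GET /a/b/%TESTNUMBER0003 HTTP/1.1
+Host: attack.invalid:%HTTPSPORT
+User-Agent: curl/%VERSION
+Accept: */*
+Cookie: SESSIONID=originaltoken; second=originaltoken
+</protocol>
+</verify>
+</testcase>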
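Review bot: The cookie jar written by `-c log/cookie%TESTNUMBER` in the command is never inspected, so the `<verify>` block only establishes that the two non-secure cookies injected on the plain-HTTP hop (`SESSIONID=hacker` and `second=replacement`) were not sent on the final HTTPS request; it does not establish that they were rejected from the store, nor that the stored entries kept their `secure` flag. A `<file name="log/cookie%TESTNUMBER" mode="text">` block next to `<protocol>` that expects exactly the two original entries would pin the stronger property, with data lines along the lines of `attack.invalid	FALSE	/a/b	TRUE	0	SESSIONID	originaltoken` and `attack.invalid	FALSE	/a	TRUE	0	second	originaltoken` (Netscape-format columns inferred, not visible here; take the exact text from a run of the test). The middle request to `%TESTNUMBER0002` intentionally carries no `Cookie:` header, which is the check that `secure` cookies stay off the wire over HTTP, but nothing says so; a comment such as `# no Cookie header on the plain-HTTP hop: both stored cookies are secure` above that request in `<protocol>` would keep that negative assertion from being lost in a later edit.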