cookie: reject cookie names or content with TAB characters

TABs in name and content seem allowed by RFC 6265: "the algorithm strips leading and trailing whitespace from the cookie name and value (but maintains internal whitespace)" Cookies with TABs in the names are rejected by Firefox and Chrome. TABs in content are stripped out by Firefox, while Chrome discards the whole cookie. TABs in cookies also cause issues in saved netscape cookie files. Reported-by: Trail of Bits URL: https://curl.se/mail/lib-2022-10/0032.html URL: https://github.com/httpwg/http-extensions/issues/2262 Closes #9659
2024-12-15 06:40:09 +08:00 · 2022-10-05 09:12:39 +02:00 · 2022-10-05 09:12:39 +02:00 · bfe9b59be4
commit bfe9b59be4
parent f67f60c14b
1 changed files with 8 additions and 1 deletions
--- a/lib/cookie.c
+++ b/lib/cookie.c
@ -538,7 +538,7 @@ Curl_cookie_add(struct Curl_easy *data,
    do {
      /* we have a <what>=<this> pair or a stand-alone word here */
      name[0] = what[0] = 0; /* init the buffers */
-      if(1 <= sscanf(ptr, "%" MAX_NAME_TXT "[^;\r\n=] =%"
+      if(1 <= sscanf(ptr, "%" MAX_NAME_TXT "[^;\t\r\n=] =%"
                     MAX_NAME_TXT "[^;\r\n]",
                     name, what)) {
        /*
@ -592,6 +592,13 @@ Curl_cookie_add(struct Curl_easy *data,
        while(*whatptr && ISBLANK(*whatptr))
          whatptr++;

+        /* Reject cookies with a TAB inside the content */
+        if(strchr(whatptr, '\t')) {
+          freecookie(co);
+          infof(data, "cookie contains TAB, dropping");
+          return NULL;
+        }
+
        /*
         * Check if we have a reserved prefix set before anything else, as we
         * otherwise have to test for the prefix in both the cookie name and