From c495dcd02e885fc3f35164b1c3c5f72fa4b60c46 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 10 May 2021 10:50:43 +0200 Subject: [PATCH] http: consider cookies over localhost to be secure Updated test31. Added test 392 to verify secure cookies used for http://localhost Reviewed-by: Daniel Gustafsson Fixes #6733 Closes #7263 --- lib/http.c | 39 ++++++----- tests/data/Makefile.inc | 2 +- tests/data/test31 | 140 ++++++++++++++++++++-------------------- tests/data/test392 | 61 +++++++++++++++++ 4 files changed, 154 insertions(+), 88 deletions(-) create mode 100644 tests/data/test392 diff --git a/lib/http.c b/lib/http.c index 05b971b204..54362362a3 100644 --- a/lib/http.c +++ b/lib/http.c @@ -2711,14 +2711,16 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, int count = 0; if(data->cookies && data->state.cookie_engine) { + const char *host = data->state.aptr.cookiehost ? + data->state.aptr.cookiehost : conn->host.name; + const bool secure_context = + conn->handler->protocol&CURLPROTO_HTTPS || + strcasecompare("localhost", host) || + !strcmp(host, "127.0.0.1") || + !strcmp(host, "[::1]") ? TRUE : FALSE; Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE); - co = Curl_cookie_getlist(data->cookies, - data->state.aptr.cookiehost? - data->state.aptr.cookiehost: - conn->host.name, - data->state.up.path, - (conn->handler->protocol&CURLPROTO_HTTPS)? - TRUE:FALSE); + co = Curl_cookie_getlist(data->cookies, host, data->state.up.path, + secure_context); Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE); } if(co) { @@ -3564,18 +3566,21 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, #if !defined(CURL_DISABLE_COOKIES) else if(data->cookies && data->state.cookie_engine && checkprefix("Set-Cookie:", headp)) { + /* If there is a custom-set Host: name, use it here, or else use real peer + host name. */ + const char *host = data->state.aptr.cookiehost? + data->state.aptr.cookiehost:conn->host.name; + const bool secure_context = + conn->handler->protocol&CURLPROTO_HTTPS || + strcasecompare("localhost", host) || + !strcmp(host, "127.0.0.1") || + !strcmp(host, "[::1]") ? TRUE : FALSE; + Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE); - Curl_cookie_add(data, - data->cookies, TRUE, FALSE, - headp + strlen("Set-Cookie:"), - /* If there is a custom-set Host: name, use it - here, or else use real peer host name. */ - data->state.aptr.cookiehost? - data->state.aptr.cookiehost:conn->host.name, - data->state.up.path, - (conn->handler->protocol&CURLPROTO_HTTPS)? - TRUE:FALSE); + Curl_cookie_add(data, data->cookies, TRUE, FALSE, + headp + strlen("Set-Cookie:"), host, + data->state.up.path, secure_context); Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE); } #endif diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc index 1636969622..7e915c0c1a 100644 --- a/tests/data/Makefile.inc +++ b/tests/data/Makefile.inc @@ -62,7 +62,7 @@ test343 test344 test345 test346 test347 test348 test349 test350 test351 \ test352 test353 test354 test355 test356 test357 test358 test359 test360 \ test361 test362 test363 test364 \ \ -test393 test394 test395 test396 test397 \ +test392 test393 test394 test395 test396 test397 \ \ test400 test401 test402 test403 test404 test405 test406 test407 test408 \ test409 test410 \ diff --git a/tests/data/test31 b/tests/data/test31 index 2ccb032549..ac277264d8 100644 --- a/tests/data/test31 +++ b/tests/data/test31 @@ -24,32 +24,32 @@ Content-Type: text/html Funny-head: yesyes %if !hyper Set-Cookie: foobar=name; domain=anything.com; path=/ ; secure -Set-Cookie:ismatch=this ; domain=127.0.0.1; path=/silly/ -Set-Cookie: overwrite=this ; domain=127.0.0.1; path=/overwrite/ -Set-Cookie: overwrite=this2 ; domain=127.0.0.1; path=/overwrite -Set-Cookie: sec1value=secure1 ; domain=127.0.0.1; path=/secure1/ ; secure -Set-Cookie: sec2value=secure2 ; domain=127.0.0.1; path=/secure2/ ; secure= -Set-Cookie: sec3value=secure3 ; domain=127.0.0.1; path=/secure3/ ; secure= -Set-Cookie: sec4value=secure4 ; secure=; domain=127.0.0.1; path=/secure4/ ; -Set-Cookie: sec5value=secure5 ; secure; domain=127.0.0.1; path=/secure5/ ; -Set-Cookie: sec6value=secure6 ; secure ; domain=127.0.0.1; path=/secure6/ ; -Set-Cookie: sec7value=secure7 ; secure ; domain=127.0.0.1; path=/secure7/ ; -Set-Cookie: sec8value=secure8 ; secure= ; domain=127.0.0.1; path=/secure8/ ; -Set-Cookie: secure=very1 ; secure=; domain=127.0.0.1; path=/secure9/; -Set-Cookie: httpo1=value1 ; domain=127.0.0.1; path=/p1/; httponly -Set-Cookie: httpo2=value2 ; domain=127.0.0.1; path=/p2/; httponly= -Set-Cookie: httpo3=value3 ; httponly; domain=127.0.0.1; path=/p3/; -Set-Cookie: httpo4=value4 ; httponly=; domain=127.0.0.1; path=/p4/; -Set-Cookie: httponly=myvalue1 ; domain=127.0.0.1; path=/p4/; httponly -Set-Cookie: httpandsec=myvalue2 ; domain=127.0.0.1; path=/p4/; httponly; secure -Set-Cookie: httpandsec2=myvalue3; domain=127.0.0.1; path=/p4/; httponly=; secure -Set-Cookie: httpandsec3=myvalue4 ; domain=127.0.0.1; path=/p4/; httponly; secure= -Set-Cookie: httpandsec4=myvalue5 ; domain=127.0.0.1; path=/p4/; httponly=; secure= -Set-Cookie: httpandsec5=myvalue6 ; domain=127.0.0.1; path=/p4/; secure; httponly= -Set-Cookie: httpandsec6=myvalue7 ; domain=127.0.0.1; path=/p4/; secure=; httponly= -Set-Cookie: httpandsec7=myvalue8 ; domain=127.0.0.1; path=/p4/; secure; httponly -Set-Cookie: httpandsec8=myvalue9; domain=127.0.0.1; path=/p4/; secure=; httponly -Set-Cookie: partmatch=present; domain=127.0.0.1 ; path=/; +Set-Cookie:ismatch=this ; domain=test31.curl; path=/silly/ +Set-Cookie: overwrite=this ; domain=test31.curl; path=/overwrite/ +Set-Cookie: overwrite=this2 ; domain=test31.curl; path=/overwrite +Set-Cookie: sec1value=secure1 ; domain=test31.curl; path=/secure1/ ; secure +Set-Cookie: sec2value=secure2 ; domain=test31.curl; path=/secure2/ ; secure= +Set-Cookie: sec3value=secure3 ; domain=test31.curl; path=/secure3/ ; secure= +Set-Cookie: sec4value=secure4 ; secure=; domain=test31.curl; path=/secure4/ ; +Set-Cookie: sec5value=secure5 ; secure; domain=test31.curl; path=/secure5/ ; +Set-Cookie: sec6value=secure6 ; secure ; domain=test31.curl; path=/secure6/ ; +Set-Cookie: sec7value=secure7 ; secure ; domain=test31.curl; path=/secure7/ ; +Set-Cookie: sec8value=secure8 ; secure= ; domain=test31.curl; path=/secure8/ ; +Set-Cookie: secure=very1 ; secure=; domain=test31.curl; path=/secure9/; +Set-Cookie: httpo1=value1 ; domain=test31.curl; path=/p1/; httponly +Set-Cookie: httpo2=value2 ; domain=test31.curl; path=/p2/; httponly= +Set-Cookie: httpo3=value3 ; httponly; domain=test31.curl; path=/p3/; +Set-Cookie: httpo4=value4 ; httponly=; domain=test31.curl; path=/p4/; +Set-Cookie: httponly=myvalue1 ; domain=test31.curl; path=/p4/; httponly +Set-Cookie: httpandsec=myvalue2 ; domain=test31.curl; path=/p4/; httponly; secure +Set-Cookie: httpandsec2=myvalue3; domain=test31.curl; path=/p4/; httponly=; secure +Set-Cookie: httpandsec3=myvalue4 ; domain=test31.curl; path=/p4/; httponly; secure= +Set-Cookie: httpandsec4=myvalue5 ; domain=test31.curl; path=/p4/; httponly=; secure= +Set-Cookie: httpandsec5=myvalue6 ; domain=test31.curl; path=/p4/; secure; httponly= +Set-Cookie: httpandsec6=myvalue7 ; domain=test31.curl; path=/p4/; secure=; httponly= +Set-Cookie: httpandsec7=myvalue8 ; domain=test31.curl; path=/p4/; secure; httponly +Set-Cookie: httpandsec8=myvalue9; domain=test31.curl; path=/p4/; secure=; httponly +Set-Cookie: partmatch=present; domain=test31.curl ; path=/; Set-Cookie:eat=this; domain=moo.foo.moo; Set-Cookie: eat=this-too; domain=.foo.moo; Set-Cookie: nodomainnovalue @@ -58,7 +58,7 @@ Set-Cookie: novalue; domain=reallysilly Set-Cookie: test=yes; domain=foo.com; expires=Sat Feb 2 11:56:27 GMT 2030 Set-Cookie: test2=yes; domain=se; expires=Sat Feb 2 11:56:27 GMT 2030 Set-Cookie: magic=yessir; path=/silly/; HttpOnly -Set-Cookie: blexp=yesyes; domain=127.0.0.1; domain=127.0.0.1; expiry=totally bad; +Set-Cookie: blexp=yesyes; domain=test31.curl; domain=test31.curl; expiry=totally bad; Set-Cookie: partialip=nono; domain=.0.0.1; Set-Cookie: withspaces= yes within and around ; Set-Cookie: withspaces2 =before equals; @@ -66,32 +66,32 @@ Set-Cookie: prespace= yes before; Set-Cookie: securewithspace=after ; secure = %else Set-Cookie: foobar=name; domain=anything.com; path=/ ; secure -Set-Cookie: ismatch=this ; domain=127.0.0.1; path=/silly/ -Set-Cookie: overwrite=this ; domain=127.0.0.1; path=/overwrite/ -Set-Cookie: overwrite=this2 ; domain=127.0.0.1; path=/overwrite -Set-Cookie: sec1value=secure1 ; domain=127.0.0.1; path=/secure1/ ; secure -Set-Cookie: sec2value=secure2 ; domain=127.0.0.1; path=/secure2/ ; secure= -Set-Cookie: sec3value=secure3 ; domain=127.0.0.1; path=/secure3/ ; secure= -Set-Cookie: sec4value=secure4 ; secure=; domain=127.0.0.1; path=/secure4/ ; -Set-Cookie: sec5value=secure5 ; secure; domain=127.0.0.1; path=/secure5/ ; -Set-Cookie: sec6value=secure6 ; secure ; domain=127.0.0.1; path=/secure6/ ; -Set-Cookie: sec7value=secure7 ; secure ; domain=127.0.0.1; path=/secure7/ ; -Set-Cookie: sec8value=secure8 ; secure= ; domain=127.0.0.1; path=/secure8/ ; -Set-Cookie: secure=very1 ; secure=; domain=127.0.0.1; path=/secure9/; -Set-Cookie: httpo1=value1 ; domain=127.0.0.1; path=/p1/; httponly -Set-Cookie: httpo2=value2 ; domain=127.0.0.1; path=/p2/; httponly= -Set-Cookie: httpo3=value3 ; httponly; domain=127.0.0.1; path=/p3/; -Set-Cookie: httpo4=value4 ; httponly=; domain=127.0.0.1; path=/p4/; -Set-Cookie: httponly=myvalue1 ; domain=127.0.0.1; path=/p4/; httponly -Set-Cookie: httpandsec=myvalue2 ; domain=127.0.0.1; path=/p4/; httponly; secure -Set-Cookie: httpandsec2=myvalue3; domain=127.0.0.1; path=/p4/; httponly=; secure -Set-Cookie: httpandsec3=myvalue4 ; domain=127.0.0.1; path=/p4/; httponly; secure= -Set-Cookie: httpandsec4=myvalue5 ; domain=127.0.0.1; path=/p4/; httponly=; secure= -Set-Cookie: httpandsec5=myvalue6 ; domain=127.0.0.1; path=/p4/; secure; httponly= -Set-Cookie: httpandsec6=myvalue7 ; domain=127.0.0.1; path=/p4/; secure=; httponly= -Set-Cookie: httpandsec7=myvalue8 ; domain=127.0.0.1; path=/p4/; secure; httponly -Set-Cookie: httpandsec8=myvalue9; domain=127.0.0.1; path=/p4/; secure=; httponly -Set-Cookie: partmatch=present; domain=127.0.0.1 ; path=/; +Set-Cookie: ismatch=this ; domain=test31.curl; path=/silly/ +Set-Cookie: overwrite=this ; domain=test31.curl; path=/overwrite/ +Set-Cookie: overwrite=this2 ; domain=test31.curl; path=/overwrite +Set-Cookie: sec1value=secure1 ; domain=test31.curl; path=/secure1/ ; secure +Set-Cookie: sec2value=secure2 ; domain=test31.curl; path=/secure2/ ; secure= +Set-Cookie: sec3value=secure3 ; domain=test31.curl; path=/secure3/ ; secure= +Set-Cookie: sec4value=secure4 ; secure=; domain=test31.curl; path=/secure4/ ; +Set-Cookie: sec5value=secure5 ; secure; domain=test31.curl; path=/secure5/ ; +Set-Cookie: sec6value=secure6 ; secure ; domain=test31.curl; path=/secure6/ ; +Set-Cookie: sec7value=secure7 ; secure ; domain=test31.curl; path=/secure7/ ; +Set-Cookie: sec8value=secure8 ; secure= ; domain=test31.curl; path=/secure8/ ; +Set-Cookie: secure=very1 ; secure=; domain=test31.curl; path=/secure9/; +Set-Cookie: httpo1=value1 ; domain=test31.curl; path=/p1/; httponly +Set-Cookie: httpo2=value2 ; domain=test31.curl; path=/p2/; httponly= +Set-Cookie: httpo3=value3 ; httponly; domain=test31.curl; path=/p3/; +Set-Cookie: httpo4=value4 ; httponly=; domain=test31.curl; path=/p4/; +Set-Cookie: httponly=myvalue1 ; domain=test31.curl; path=/p4/; httponly +Set-Cookie: httpandsec=myvalue2 ; domain=test31.curl; path=/p4/; httponly; secure +Set-Cookie: httpandsec2=myvalue3; domain=test31.curl; path=/p4/; httponly=; secure +Set-Cookie: httpandsec3=myvalue4 ; domain=test31.curl; path=/p4/; httponly; secure= +Set-Cookie: httpandsec4=myvalue5 ; domain=test31.curl; path=/p4/; httponly=; secure= +Set-Cookie: httpandsec5=myvalue6 ; domain=test31.curl; path=/p4/; secure; httponly= +Set-Cookie: httpandsec6=myvalue7 ; domain=test31.curl; path=/p4/; secure=; httponly= +Set-Cookie: httpandsec7=myvalue8 ; domain=test31.curl; path=/p4/; secure; httponly +Set-Cookie: httpandsec8=myvalue9; domain=test31.curl; path=/p4/; secure=; httponly +Set-Cookie: partmatch=present; domain=test31.curl ; path=/; Set-Cookie: eat=this; domain=moo.foo.moo; Set-Cookie: eat=this-too; domain=.foo.moo; Set-Cookie: nodomainnovalue @@ -100,7 +100,7 @@ Set-Cookie: novalue; domain=reallysilly Set-Cookie: test=yes; domain=foo.com; expires=Sat Feb 2 11:56:27 GMT 2030 Set-Cookie: test2=yes; domain=se; expires=Sat Feb 2 11:56:27 GMT 2030 Set-Cookie: magic=yessir; path=/silly/; HttpOnly -Set-Cookie: blexp=yesyes; domain=127.0.0.1; domain=127.0.0.1; expiry=totally bad; +Set-Cookie: blexp=yesyes; domain=test31.curl; domain=test31.curl; expiry=totally bad; Set-Cookie: partialip=nono; domain=.0.0.1; Set-Cookie: withspaces= yes within and around ; Set-Cookie: withspaces2 =before equals; @@ -127,7 +127,7 @@ HTTP with weirdly formatted cookies and cookiejar storage TZ=GMT -http://%HOSTIP:%HTTPPORT/we/want/%TESTNUMBER -b none -c log/jar%TESTNUMBER.txt +http://test31.curl:%HTTPPORT/we/want/%TESTNUMBER -b none -c log/jar%TESTNUMBER.txt --resolve test31.curl:%HTTPPORT:127.0.0.1 perl -e "print 'Test requires default test server host' if ( '%HOSTIP' ne '127.0.0.1' );" @@ -138,7 +138,7 @@ perl -e "print 'Test requires default test server host' if ( '%HOSTIP' ne '127.0 GET /we/want/%TESTNUMBER HTTP/1.1 -Host: %HOSTIP:%HTTPPORT +Host: test31.curl:%HTTPPORT User-Agent: curl/%VERSION Accept: */* @@ -148,20 +148,20 @@ Accept: */* # https://curl.se/docs/http-cookies.html # This file was generated by libcurl! Edit at your own risk. -127.0.0.1 FALSE /we/want/ FALSE 0 prespace yes before -127.0.0.1 FALSE /we/want/ FALSE 0 withspaces2 before equals -127.0.0.1 FALSE /we/want/ FALSE 0 withspaces yes within and around -127.0.0.1 FALSE /we/want/ FALSE 0 blexp yesyes -#HttpOnly_127.0.0.1 FALSE /silly/ FALSE 0 magic yessir -127.0.0.1 FALSE /we/want/ FALSE 2118138987 nodomain value -127.0.0.1 FALSE / FALSE 0 partmatch present -#HttpOnly_127.0.0.1 FALSE /p4/ FALSE 0 httponly myvalue1 -#HttpOnly_127.0.0.1 FALSE /p4/ FALSE 0 httpo4 value4 -#HttpOnly_127.0.0.1 FALSE /p3/ FALSE 0 httpo3 value3 -#HttpOnly_127.0.0.1 FALSE /p2/ FALSE 0 httpo2 value2 -#HttpOnly_127.0.0.1 FALSE /p1/ FALSE 0 httpo1 value1 -127.0.0.1 FALSE /overwrite FALSE 0 overwrite this2 -127.0.0.1 FALSE /silly/ FALSE 0 ismatch this +test31.curl FALSE /we/want/ FALSE 0 prespace yes before +test31.curl FALSE /we/want/ FALSE 0 withspaces2 before equals +test31.curl FALSE /we/want/ FALSE 0 withspaces yes within and around +.test31.curl TRUE /we/want/ FALSE 0 blexp yesyes +#HttpOnly_test31.curl FALSE /silly/ FALSE 0 magic yessir +test31.curl FALSE /we/want/ FALSE 2118138987 nodomain value +.test31.curl TRUE / FALSE 0 partmatch present +#HttpOnly_.test31.curl TRUE /p4/ FALSE 0 httponly myvalue1 +#HttpOnly_.test31.curl TRUE /p4/ FALSE 0 httpo4 value4 +#HttpOnly_.test31.curl TRUE /p3/ FALSE 0 httpo3 value3 +#HttpOnly_.test31.curl TRUE /p2/ FALSE 0 httpo2 value2 +#HttpOnly_.test31.curl TRUE /p1/ FALSE 0 httpo1 value1 +.test31.curl TRUE /overwrite FALSE 0 overwrite this2 +.test31.curl TRUE /silly/ FALSE 0 ismatch this diff --git a/tests/data/test392 b/tests/data/test392 new file mode 100644 index 0000000000..24430c1311 --- /dev/null +++ b/tests/data/test392 @@ -0,0 +1,61 @@ + + + +HTTP +HTTP GET +cookies +secure + + + + + +HTTP/1.1 200 OK +Date: Tue, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake +Content-Length: 4 +Content-Type: text/html +Funny-head: yesyes +Set-Cookie: foobar=name; path=/; secure + +boo + + + +# Client-side + + +http + + +HTTP secure cookies over localhost + + + +TZ=GMT + + +http://localhost:%HTTPPORT/%TESTNUMBER -b none http://localhost:%HTTPPORT/%TESTNUMBER + + +perl -e "print 'Test requires default test server host' if ( '%HOSTIP' ne '127.0.0.1' );" + + + +# Verify data after the test has been "shot" + + +GET /%TESTNUMBER HTTP/1.1 +Host: localhost:%HTTPPORT +User-Agent: curl/%VERSION +Accept: */* + +GET /%TESTNUMBER HTTP/1.1 +Host: localhost:%HTTPPORT +User-Agent: curl/%VERSION +Accept: */* +Cookie: foobar=name + + + +