curl/tests/data/test8
Tim Ruehsen 8a75dbeb23 cookies: only use full host matches for hosts used as IP address
By not detecting and rejecting domain names for partial literal IP
addresses properly when parsing received HTTP cookies, libcurl can be
fooled to both send cookies to wrong sites and to allow arbitrary sites
to set cookies for others.

CVE-2014-3613

Bug: http://curl.haxx.se/docs/adv_20140910A.html
2014-09-10 07:32:36 +02:00

68 lines
1.4 KiB
Plaintext

<testcase>
<info>
<keywords>
HTTP
HTTP GET
cookies
</keywords>
</info>
# Server-side
<reply>
<data>
HTTP/1.1 200 OK swsclose
Date: Thu, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake
</data>
</reply>
# Client-side
<client>
<server>
http
</server>
<name>
HTTP with cookie parsing from header file
</name>
<command>
http://%HOSTIP:%HTTPPORT/we/want/8 -b log/heads8.txt
</command>
# We create this file before the command is invoked!
<file name="log/heads8.txt">
HTTP/1.1 200 OK
Date: Thu, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake
Content-Type: text/html
Funny-head: yesyes
Set-Cookie: foobar=name; domain=%HOSTIP; path=/;
Set-Cookie: mismatch=this; domain=%HOSTIP; path="/silly/";
Set-Cookie: partmatch=present; domain=.0.0.1; path=/w;
Set-Cookie: duplicate=test; domain=.0.0.1; domain=.0.0.1; path=/donkey;
Set-Cookie: cookie=yes; path=/we;
Set-Cookie: cookie=perhaps; path=/we/want;
Set-Cookie: nocookie=yes; path=/WE;
Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad;
Set-Cookie: partialip=nono; domain=.0.0.1;
</file>
<precheck>
perl -e 'if ("%HOSTIP" !~ /\.0\.0\.1$/) {print "Test only works for HOSTIPs ending with .0.0.1"; exit(1)}'
</precheck>
</client>
# Verify data after the test has been "shot"
<verify>
<strip>
^User-Agent:.*
</strip>
<protocol>
GET /we/want/8 HTTP/1.1
Host: %HOSTIP:%HTTPPORT
Accept: */*
Cookie: cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes
</protocol>
</verify>
</testcase>