8a75dbeb23
By not detecting and rejecting domain names for partial literal IP addresses properly when parsing received HTTP cookies, libcurl can be fooled into both sending cookies to the wrong sites and allowing arbitrary sites to set cookies for others.

CVE-2014-3613

Bug: http://curl.haxx.se/docs/adv_20140910A.html
<testcase>
# Cookie test: curl reads Set-Cookie headers from a header file prepared in
# advance (-b log/heads8.txt), and the test then checks which of those cookies
# show up in the Cookie: header of the request for /we/want/8.
<info>
<keywords>
HTTP
HTTP GET
cookies
</keywords>
</info>
# Server-side
<reply>
<data>
HTTP/1.1 200 OK swsclose
Date: Thu, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake

</data>
</reply>

# Client-side
<client>
<server>
http
</server>
<name>
HTTP with cookie parsing from header file
</name>
<command>
http://%HOSTIP:%HTTPPORT/we/want/8 -b log/heads8.txt
</command>

# We create this file before the command is invoked!
#
# The Set-Cookie lines in the file mix cookies that are expected in the
# outgoing request with cookies that are expected to be left out (compare
# with the Cookie: header in the verify section):
#  - foobar and blexp name the exact test host as their domain; both are
#    expected in the request.
#  - the two entries named "cookie" carry no domain and use the paths /we and
#    /we/want; both are expected in the request.
#  - mismatch (path "/silly/") and nocookie (path /WE, upper case) are not
#    expected in the request for /we/want/8.
#  - partmatch, duplicate and partialip all use domain=.0.0.1, which is only
#    the tail of a numerical host address. None of them is expected in the
#    request: an IP address is not a domain name, so a suffix of it must not
#    be accepted as a cookie domain. partialip has no path attribute, so
#    presumably only the domain check keeps it out of the request.
<file name="log/heads8.txt">
HTTP/1.1 200 OK
Date: Thu, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake
Content-Type: text/html
Funny-head: yesyes
Set-Cookie: foobar=name; domain=%HOSTIP; path=/;
Set-Cookie: mismatch=this; domain=%HOSTIP; path="/silly/";
Set-Cookie: partmatch=present; domain=.0.0.1; path=/w;
Set-Cookie: duplicate=test; domain=.0.0.1; domain=.0.0.1; path=/donkey;
Set-Cookie: cookie=yes; path=/we;
Set-Cookie: cookie=perhaps; path=/we/want;
Set-Cookie: nocookie=yes; path=/WE;
Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad;
Set-Cookie: partialip=nono; domain=.0.0.1;

</file>
# The cookie data hard-codes .0.0.1 as the partial address, so the precheck
# fails with a message unless the test host address ends with .0.0.1
# (for example 127.0.0.1).
<precheck>
perl -e 'if ("%HOSTIP" !~ /\.0\.0\.1$/) {print "Test only works for HOSTIPs ending with .0.0.1"; exit(1)}'
</precheck>
</client>

# Verify data after the test has been "shot"
<verify>
# The User-Agent line is stripped from the request before it is compared.
<strip>
^User-Agent:.*
</strip>
# Expected request. The Cookie: header lists exactly four cookies; a request
# that also carried partmatch, duplicate or partialip would mean a cookie
# scoped to a partial IP address had been accepted and sent.
<protocol>
GET /we/want/8 HTTP/1.1
Host: %HOSTIP:%HTTPPORT
Accept: */*
Cookie: cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes

</protocol>
</verify>
</testcase>