curl/tests/data/test31
Tim Ruehsen 8a75dbeb23 cookies: only use full host matches for hosts used as IP address
By not detecting and rejecting domain names for partial literal IP
addresses properly when parsing received HTTP cookies, libcurl can be
fooled to both send cookies to wrong sites and to allow arbitrary sites
to set cookies for others.

CVE-2014-3613

Bug: http://curl.haxx.se/docs/adv_20140910A.html
2014-09-10 07:32:36 +02:00

130 lines
5.2 KiB
Plaintext

<testcase>
<info>
<keywords>
HTTP
HTTP GET
cookies
cookiejar
</keywords>
</info>
# Server-side
<reply>
<data>
HTTP/1.1 200 OK
Date: Thu, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake
Content-Length: 4
Content-Type: text/html
Funny-head: yesyes
Set-Cookie: foobar=name; domain=anything.com; path=/ ; secure
Set-Cookie:ismatch=this ; domain=127.0.0.1; path=/silly/
Set-Cookie: overwrite=this ; domain=127.0.0.1; path=/overwrite/
Set-Cookie: overwrite=this2 ; domain=127.0.0.1; path=/overwrite
Set-Cookie: sec1value=secure1 ; domain=127.0.0.1; path=/secure1/ ; secure
Set-Cookie: sec2value=secure2 ; domain=127.0.0.1; path=/secure2/ ; secure=
Set-Cookie: sec3value=secure3 ; domain=127.0.0.1; path=/secure3/ ; secure=
Set-Cookie: sec4value=secure4 ; secure=; domain=127.0.0.1; path=/secure4/ ;
Set-Cookie: sec5value=secure5 ; secure; domain=127.0.0.1; path=/secure5/ ;
Set-Cookie: sec6value=secure6 ; secure ; domain=127.0.0.1; path=/secure6/ ;
Set-Cookie: sec7value=secure7 ; secure ; domain=127.0.0.1; path=/secure7/ ;
Set-Cookie: sec8value=secure8 ; secure= ; domain=127.0.0.1; path=/secure8/ ;
Set-Cookie: secure=very1 ; secure=; domain=127.0.0.1; path=/secure9/;
Set-Cookie: httpo1=value1 ; domain=127.0.0.1; path=/p1/; httponly
Set-Cookie: httpo2=value2 ; domain=127.0.0.1; path=/p2/; httponly=
Set-Cookie: httpo3=value3 ; httponly; domain=127.0.0.1; path=/p3/;
Set-Cookie: httpo4=value4 ; httponly=; domain=127.0.0.1; path=/p4/;
Set-Cookie: httponly=myvalue1 ; domain=127.0.0.1; path=/p4/; httponly
Set-Cookie: httpandsec=myvalue2 ; domain=127.0.0.1; path=/p4/; httponly; secure
Set-Cookie: httpandsec2=myvalue3; domain=127.0.0.1; path=/p4/; httponly=; secure
Set-Cookie: httpandsec3=myvalue4 ; domain=127.0.0.1; path=/p4/; httponly; secure=
Set-Cookie: httpandsec4=myvalue5 ; domain=127.0.0.1; path=/p4/; httponly=; secure=
Set-Cookie: httpandsec5=myvalue6 ; domain=127.0.0.1; path=/p4/; secure; httponly=
Set-Cookie: httpandsec6=myvalue7 ; domain=127.0.0.1; path=/p4/; secure=; httponly=
Set-Cookie: httpandsec7=myvalue8 ; domain=127.0.0.1; path=/p4/; secure; httponly
Set-Cookie: httpandsec8=myvalue9; domain=127.0.0.1; path=/p4/; secure=; httponly
Set-Cookie: partmatch=present; domain=127.0.0.1 ; path=/;
Set-Cookie:eat=this; domain=moo.foo.moo;
Set-Cookie: eat=this-too; domain=.foo.moo;
Set-Cookie: nodomainnovalue
Set-Cookie: nodomain=value; expires=Fri Feb 2 11:56:27 GMT 2035
Set-Cookie: novalue; domain=reallysilly
Set-Cookie: test=yes; domain=foo.com; expires=Sat Feb 2 11:56:27 GMT 2030
Set-Cookie: test2=yes; domain=se; expires=Sat Feb 2 11:56:27 GMT 2030
Set-Cookie: magic=yessir; path=/silly/; HttpOnly
Set-Cookie: blexp=yesyes; domain=127.0.0.1; domain=127.0.0.1; expiry=totally bad;
Set-Cookie: partialip=nono; domain=.0.0.1;
boo
</data>
</reply>
# Client-side
<client>
<server>
http
</server>
<name>
HTTP with weirdly formatted cookies and cookiejar storage
</name>
# Explicitly set the time zone to a known good one, in case the user is
# using one of the 'right' zones that take into account leap seconds
# which causes the cookie expiry times to be different.
<setenv>
TZ=GMT
</setenv>
<command>
http://%HOSTIP:%HTTPPORT/we/want/31 -b none -c log/jar31.txt
</command>
<precheck>
perl -e 'if ("%HOSTIP" !~ /127\.0\.0\.1$/) {print "Test only works for HOSTIP 127.0.0.1"; exit(1)}'
</precheck>
</client>
# Verify data after the test has been "shot"
<verify>
<strip>
^User-Agent:.*
</strip>
<protocol>
GET /we/want/31 HTTP/1.1
Host: %HOSTIP:%HTTPPORT
Accept: */*
</protocol>
<file name="log/jar31.txt" mode="text">
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
127.0.0.1 FALSE /silly/ FALSE 0 ismatch this
127.0.0.1 FALSE /overwrite FALSE 0 overwrite this2
127.0.0.1 FALSE /secure1/ TRUE 0 sec1value secure1
127.0.0.1 FALSE /secure2/ TRUE 0 sec2value secure2
127.0.0.1 FALSE /secure3/ TRUE 0 sec3value secure3
127.0.0.1 FALSE /secure4/ TRUE 0 sec4value secure4
127.0.0.1 FALSE /secure5/ TRUE 0 sec5value secure5
127.0.0.1 FALSE /secure6/ TRUE 0 sec6value secure6
127.0.0.1 FALSE /secure7/ TRUE 0 sec7value secure7
127.0.0.1 FALSE /secure8/ TRUE 0 sec8value secure8
127.0.0.1 FALSE /secure9/ TRUE 0 secure very1
#HttpOnly_127.0.0.1 FALSE /p1/ FALSE 0 httpo1 value1
#HttpOnly_127.0.0.1 FALSE /p2/ FALSE 0 httpo2 value2
#HttpOnly_127.0.0.1 FALSE /p3/ FALSE 0 httpo3 value3
#HttpOnly_127.0.0.1 FALSE /p4/ FALSE 0 httpo4 value4
#HttpOnly_127.0.0.1 FALSE /p4/ FALSE 0 httponly myvalue1
#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec myvalue2
#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec2 myvalue3
#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec3 myvalue4
#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec4 myvalue5
#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec5 myvalue6
#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec6 myvalue7
#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec7 myvalue8
#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec8 myvalue9
127.0.0.1 FALSE / FALSE 0 partmatch present
127.0.0.1 FALSE /we/want/ FALSE 2054030187 nodomain value
#HttpOnly_127.0.0.1 FALSE /silly/ FALSE 0 magic yessir
127.0.0.1 FALSE /we/want/ FALSE 0 blexp yesyes
</file>
</verify>
</testcase>