Resolves: CVE-2022-27779 - do not accept cookies for TLD with trailing dot
This commit is contained in:
Kamil Dudka
parent
d8e56f956c
commit
bd1119154c
|
|
@ -0,0 +1,144 @@
|
|||
From 755d4386dabf1b29dd8c44a3505567eeed9a5b99 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Mon, 9 May 2022 16:47:06 +0200
|
||||
Subject: [PATCH 1/2] test977: reproduce ability to set cookie on TLD
|
||||
|
||||
When PSL is not enabled
|
||||
|
||||
Upstream-commit: f8cb6c610a8e1576f1f615918a8b0a8fbd0e4e85
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
tests/data/Makefile.inc | 2 +-
|
||||
tests/data/test977 | 60 +++++++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 61 insertions(+), 1 deletion(-)
|
||||
create mode 100644 tests/data/test977
|
||||
|
||||
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||
index a5b8dc2..98d5516 100644
|
||||
--- a/tests/data/Makefile.inc
|
||||
+++ b/tests/data/Makefile.inc
|
||||
@@ -121,7 +121,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \
|
||||
test945 test946 test947 test948 test949 test950 test951 test952 test953 \
|
||||
test954 test955 test956 test957 test958 test959 test960 test961 test962 \
|
||||
test963 test964 test965 test966 test967 test968 test969 test970 test971 \
|
||||
-test972 test973 test974 test975 test976 \
|
||||
+test972 test973 test974 test975 test976 test977 \
|
||||
\
|
||||
test980 test981 test982 test983 test984 test985 test986 \
|
||||
\
|
||||
diff --git a/tests/data/test977 b/tests/data/test977
|
||||
new file mode 100644
|
||||
index 0000000..11ff1b7
|
||||
--- /dev/null
|
||||
+++ b/tests/data/test977
|
||||
@@ -0,0 +1,60 @@
|
||||
+<testcase>
|
||||
+<info>
|
||||
+<keywords>
|
||||
+HTTP
|
||||
+cookies
|
||||
+</keywords>
|
||||
+</info>
|
||||
+
|
||||
+#
|
||||
+# Server-side
|
||||
+<reply>
|
||||
+<data>
|
||||
+HTTP/1.1 200 OK
|
||||
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||
+Server: test-server/fake
|
||||
+Content-Length: 0
|
||||
+Connection: close
|
||||
+Content-Type: text/html
|
||||
+Set-Cookie: a=b; Domain=.me.;
|
||||
+
|
||||
+</data>
|
||||
+
|
||||
+</reply>
|
||||
+
|
||||
+#
|
||||
+# Client-side
|
||||
+<client>
|
||||
+<features>
|
||||
+proxy
|
||||
+</features>
|
||||
+<server>
|
||||
+http
|
||||
+</server>
|
||||
+ <name>
|
||||
+URL with trailing dot and receiving a cookie for the TLD with dot
|
||||
+ </name>
|
||||
+ <command>
|
||||
+-x http://%HOSTIP:%HTTPPORT http://firsthost.me. -c log/cookies%TESTNUMBER
|
||||
+</command>
|
||||
+</client>
|
||||
+
|
||||
+#
|
||||
+# Verify data after the test has been "shot"
|
||||
+<verify>
|
||||
+<protocol>
|
||||
+GET http://firsthost.me./ HTTP/1.1
|
||||
+Host: firsthost.me.
|
||||
+User-Agent: curl/%VERSION
|
||||
+Accept: */*
|
||||
+Proxy-Connection: Keep-Alive
|
||||
+
|
||||
+</protocol>
|
||||
+<file name="log/cookies%TESTNUMBER" mode="text">
|
||||
+# Netscape HTTP Cookie File
|
||||
+# https://curl.se/docs/http-cookies.html
|
||||
+# This file was generated by libcurl! Edit at your own risk.
|
||||
+
|
||||
+</file>
|
||||
+</verify>
|
||||
+</testcase>
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
||||
From 49307bc15142cda9a7f4eff4cdb82111344d865a Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Mon, 9 May 2022 16:47:06 +0200
|
||||
Subject: [PATCH 2/2] cookies: make bad_domain() not consider a trailing dot
|
||||
fine
|
||||
|
||||
The check for a dot in the domain must not consider a single trailing
|
||||
dot to be fine, as then TLD + trailing dot is fine and curl will accept
|
||||
setting cookies for it.
|
||||
|
||||
CVE-2022-27779
|
||||
|
||||
Reported-by: Axel Chong
|
||||
Bug: https://curl.se/docs/CVE-2022-27779.html
|
||||
Closes #8820
|
||||
|
||||
Upstream-commit: 7e92d12b4e6911f424678a133b19de670e183a59
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/cookie.c | 10 +++++++++-
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/cookie.c b/lib/cookie.c
|
||||
index d418efa..1b8c8f9 100644
|
||||
--- a/lib/cookie.c
|
||||
+++ b/lib/cookie.c
|
||||
@@ -427,7 +427,15 @@ static void remove_expired(struct CookieInfo *cookies)
|
||||
/* Make sure domain contains a dot or is localhost. */
|
||||
static bool bad_domain(const char *domain)
|
||||
{
|
||||
- return !strchr(domain, '.') && !strcasecompare(domain, "localhost");
|
||||
+ if(strcasecompare(domain, "localhost"))
|
||||
+ return FALSE;
|
||||
+ else {
|
||||
+ /* there must be a dot present, but that dot must not be a trailing dot */
|
||||
+ char *dot = strchr(domain, '.');
|
||||
+ if(dot)
|
||||
+ return dot[1] ? FALSE : TRUE;
|
||||
+ }
|
||||
+ return TRUE;
|
||||
}
|
||||
|
||||
/*
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -31,6 +31,9 @@ Patch6: 0006-curl-7.82.0-CVE-2022-27780.patch
|
|||
# hsts: ignore trailing dots when comparing hosts names (CVE-2022-30115)
|
||||
Patch7: 0007-curl-7.82.0-CVE-2022-30115.patch
|
||||
|
||||
# do not accept cookies for TLD with trailing dot (CVE-2022-27779)
|
||||
Patch8: 0008-curl-7.82.0-CVE-2022-27779.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
|
|
@ -212,6 +215,7 @@ be installed.
|
|||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch101 -p1
|
||||
|
|
@ -440,6 +444,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
|||
|
||||
%changelog
|
||||
* Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-5
|
||||
- do not accept cookies for TLD with trailing dot (CVE-2022-27779)
|
||||
- hsts: ignore trailing dots when comparing hosts names (CVE-2022-30115)
|
||||
- reject percent-encoded path separator in URL host (CVE-2022-27780)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue