From bd1119154cd8420e15c0a80f994c3c1c4ef67fc5 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 11 May 2022 10:54:59 +0200
Subject: [PATCH] Resolves: CVE-2022-27779 - do not accept cookies for TLD with trailing dot
---
 0008-curl-7.82.0-CVE-2022-27779.patch | 144 ++++++++++++++++++++++++++
 curl.spec | 5 +
 2 files changed, 149 insertions(+)
 create mode 100644 0008-curl-7.82.0-CVE-2022-27779.patch
diff --git a/0008-curl-7.82.0-CVE-2022-27779.patch b/0008-curl-7.82.0-CVE-2022-27779.patch
new file mode 100644
index 0000000..fad8119
--- /dev/null
+++ b/0008-curl-7.82.0-CVE-2022-27779.patch
@@ -0,0 +1,144 @@
+From 755d4386dabf1b29dd8c44a3505567eeed9a5b99 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 9 May 2022 16:47:06 +0200
+Subject: [PATCH 1/2] test977: reproduce ability to set cookie on TLD
+
+When PSL is not enabled
+
+Upstream-commit: f8cb6c610a8e1576f1f615918a8b0a8fbd0e4e85
+Signed-off-by: Kamil Dudka
+---
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test977 | 60 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 61 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test977
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index a5b8dc2..98d5516 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -121,7 +121,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \
+ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
+ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
+ test963 test964 test965 test966 test967 test968 test969 test970 test971 \
+-test972 test973 test974 test975 test976 \
++test972 test973 test974 test975 test976 test977 \
+ \
+ test980 test981 test982 test983 test984 test985 test986 \
+ \
+diff --git a/tests/data/test977 b/tests/data/test977
+new file mode 100644
+index 0000000..11ff1b7
+--- /dev/null
++++ b/tests/data/test977
+@@ -0,0 +1,60 @@
++
++
++
++HTTP
++cookies
++
++
++
++#
++# Server-side
++
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 0
++Connection: close
++Content-Type: text/html
++Set-Cookie: a=b; Domain=.me.;
++
++
++
++
++
++#
++# Client-side
++
++
++proxy
++
++
++http
++
++
++URL with trailing dot and receiving a cookie for the TLD with dot
++
++
++-x http://%HOSTIP:%HTTPPORT http://firsthost.me. -c log/cookies%TESTNUMBER
++
++
++
++#
++# Verify data after the test has been "shot"
++
++
++GET http://firsthost.me./ HTTP/1.1
++Host: firsthost.me.
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++
++
++# Netscape HTTP Cookie File
++# https://curl.se/docs/http-cookies.html
++# This file was generated by libcurl! Edit at your own risk.
++
++
++
++
+-- 
+2.34.1
+
+
+From 49307bc15142cda9a7f4eff4cdb82111344d865a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 9 May 2022 16:47:06 +0200
+Subject: [PATCH 2/2] cookies: make bad_domain() not consider a trailing dot
+ fine
+
+The check for a dot in the domain must not consider a single trailing
+dot to be fine, as then TLD + trailing dot is fine and curl will accept
+setting cookies for it.
+
+CVE-2022-27779
+
+Reported-by: Axel Chong
+Bug: https://curl.se/docs/CVE-2022-27779.html
+Closes #8820
+
+Upstream-commit: 7e92d12b4e6911f424678a133b19de670e183a59
+Signed-off-by: Kamil Dudka
+---
+ lib/cookie.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index d418efa..1b8c8f9 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -427,7 +427,15 @@ static void remove_expired(struct CookieInfo *cookies)
+ /* Make sure domain contains a dot or is localhost. */
+ static bool bad_domain(const char *domain)
+ {
+- return !strchr(domain, '.') && !strcasecompare(domain, "localhost");
++ if(strcasecompare(domain, "localhost"))
++ return FALSE;
++ else {
++ /* there must be a dot present, but that dot must not be a trailing dot */
++ char *dot = strchr(domain, '.');
++ if(dot)
++ return dot[1] ? FALSE : TRUE;
++ }
++ return TRUE;
+ }
+ 
+ /*
+-- 
+2.34.1
+
diff --git a/curl.spec b/curl.spec
index 3277682..3c32076 100644
--- a/curl.spec
+++ b/curl.spec
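Review bot: The new test977 only exercises the leading-dot spelling `Set-Cookie: a=b; Domain=.me.;`, so the bare `Domain=me.` form that reaches the same `bad_domain()` check in the lib/cookie.c hunk is not pinned by a test; a sibling test case for it would cover both spellings of a TLD-with-trailing-dot cookie. The test passing with `.me.` also presumably relies on the caller stripping the leading dot before `bad_domain()` runs, since `strchr()` would otherwise stop at that leading dot and `dot[1]` would be `'m'`; that stripping is outside this hunk and worth confirming in the surrounding code. In the same hunk the untouched header comment `/* Make sure domain contains a dot or is localhost. */` no longer states the rule and could read `/* Reject a domain with no dot, or whose first dot is a trailing dot (a bare TLD such as "me."), unless it is "localhost". */`. Because the patch carries an Upstream-commit trailer (7e92d12b…), both the extra test and the comment belong upstream first so this file remains a verbatim backport.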
@@ -31,6 +31,9 @@ Patch6: 0006-curl-7.82.0-CVE-2022-27780.patch
 # hsts: ignore trailing dots when comparing hosts names (CVE-2022-30115)
 Patch7: 0007-curl-7.82.0-CVE-2022-30115.patch
+# do not accept cookies for TLD with trailing dot (CVE-2022-27779)
+Patch8: 0008-curl-7.82.0-CVE-2022-27779.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -212,6 +215,7 @@ be installed.
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 # Fedora patches
 %patch101 -p1
@@ -440,6 +444,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %changelog
 * Wed May 11 2022 Kamil Dudka - 7.82.0-5
+- do not accept cookies for TLD with trailing dot (CVE-2022-27779)
 - hsts: ignore trailing dots when comparing hosts names (CVE-2022-30115)
 - reject percent-encoded path separator in URL host (CVE-2022-27780)