From 755d4386dabf1b29dd8c44a3505567eeed9a5b99 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 9 May 2022 16:47:06 +0200
Subject: [PATCH 1/2] test977: reproduce ability to set cookie on TLD

When PSL is not enabled

Upstream-commit: f8cb6c610a8e1576f1f615918a8b0a8fbd0e4e85
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 tests/data/Makefile.inc |  2 +-
 tests/data/test977      | 60 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 tests/data/test977

diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index a5b8dc2..98d5516 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -121,7 +121,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \
 test945 test946 test947 test948 test949 test950 test951 test952 test953 \
 test954 test955 test956 test957 test958 test959 test960 test961 test962 \
 test963 test964 test965 test966 test967 test968 test969 test970 test971 \
-test972 test973 test974 test975 test976 \
+test972 test973 test974 test975 test976 test977 \
 \
 test980 test981 test982 test983 test984 test985 test986 \
 \
diff --git a/tests/data/test977 b/tests/data/test977
new file mode 100644
index 0000000..11ff1b7
--- /dev/null
+++ b/tests/data/test977
@@ -0,0 +1,60 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+cookies
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 0
+Connection: close
+Content-Type: text/html
+Set-Cookie: a=b; Domain=.me.;
+
+</data>
+
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+proxy
+</features>
+<server>
+http
+</server>
+ <name>
+URL with trailing dot and receiving a cookie for the TLD with dot
+ </name>
+ <command>
+-x http://%HOSTIP:%HTTPPORT http://firsthost.me. -c log/cookies%TESTNUMBER
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET http://firsthost.me./ HTTP/1.1
+Host: firsthost.me.
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+</protocol>
+<file name="log/cookies%TESTNUMBER" mode="text">
+# Netscape HTTP Cookie File
+# https://curl.se/docs/http-cookies.html
+# This file was generated by libcurl! Edit at your own risk.
+
+</file>
+</verify>
+</testcase>
-- 
2.34.1


From 49307bc15142cda9a7f4eff4cdb82111344d865a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 9 May 2022 16:47:06 +0200
Subject: [PATCH 2/2] cookies: make bad_domain() not consider a trailing dot
 fine

The check for a dot in the domain must not consider a single trailing
dot to be fine, as then TLD + trailing dot is fine and curl will accept
setting cookies for it.

CVE-2022-27779

Reported-by: Axel Chong
Bug: https://curl.se/docs/CVE-2022-27779.html
Closes #8820

Upstream-commit: 7e92d12b4e6911f424678a133b19de670e183a59
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/cookie.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/cookie.c b/lib/cookie.c
index d418efa..1b8c8f9 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -427,7 +427,15 @@ static void remove_expired(struct CookieInfo *cookies)
 /* Make sure domain contains a dot or is localhost. */
 static bool bad_domain(const char *domain)
 {
-  return !strchr(domain, '.') && !strcasecompare(domain, "localhost");
+  if(strcasecompare(domain, "localhost"))
+    return FALSE;
+  else {
+    /* there must be a dot present, but that dot must not be a trailing dot */
+    char *dot = strchr(domain, '.');
+    if(dot)
+      return dot[1] ? FALSE : TRUE;
+  }
+  return TRUE;
 }
 
 /*
-- 
2.34.1