You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
295 lines
8.6 KiB
295 lines
8.6 KiB
From 0b7dd36575821bd6e4e86f7b51ac001e69abddf9 Mon Sep 17 00:00:00 2001 |
|
From: Kamil Dudka <kdudka@redhat.com> |
|
Date: Fri, 12 Apr 2013 15:53:39 +0200 |
|
Subject: [PATCH 1/3] test1216: test tailmatching cookie domains |
|
|
|
This test is an attempt to repeat the problem YAMADA Yasuharu reported |
|
at http://curl.haxx.se/mail/lib-2013-04/0108.html |
|
|
|
Conflicts: |
|
|
|
tests/data/Makefile.am |
|
|
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com> |
|
--- |
|
tests/data/Makefile.am | 2 +- |
|
tests/data/Makefile.in | 2 +- |
|
tests/data/test1216 | 62 ++++++++++++++++++++++++++++++++++++++++++++++++ |
|
3 files changed, 64 insertions(+), 2 deletions(-) |
|
create mode 100644 tests/data/test1216 |
|
|
|
diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am |
|
index 9f569a3..d714e5d 100644 |
|
--- a/tests/data/Makefile.am |
|
+++ b/tests/data/Makefile.am |
|
@@ -77,7 +77,7 @@ test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117 \ |
|
test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125 \ |
|
test1126 test1127 test1128 test1129 test1130 test1131 test1132 test1133 \ |
|
test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ |
|
-test1208 test1209 test1210 test1211 \ |
|
+test1208 test1209 test1210 test1211 test1216 \ |
|
test1220 test1221 test1222 test1223 \ |
|
test1300 test1301 test1302 test1303 test1304 test1305 \ |
|
test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \ |
|
diff --git a/tests/data/Makefile.in b/tests/data/Makefile.in |
|
index d5b0918..a070266 100644 |
|
--- a/tests/data/Makefile.in |
|
+++ b/tests/data/Makefile.in |
|
@@ -341,7 +341,7 @@ test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117 \ |
|
test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125 \ |
|
test1126 test1127 test1128 test1129 test1130 test1131 test1132 test1133 \ |
|
test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ |
|
-test1208 test1209 test1210 test1211 \ |
|
+test1208 test1209 test1210 test1211 test1216 \ |
|
test1220 test1221 test1222 test1223 \ |
|
test1300 test1301 test1302 test1303 test1304 test1305 \ |
|
test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \ |
|
diff --git a/tests/data/test1216 b/tests/data/test1216 |
|
new file mode 100644 |
|
index 0000000..e63fe92 |
|
--- /dev/null |
|
+++ b/tests/data/test1216 |
|
@@ -0,0 +1,62 @@ |
|
+<testcase> |
|
+<info> |
|
+<keywords> |
|
+HTTP |
|
+HTTP GET |
|
+HTTP proxy |
|
+cookies |
|
+</keywords> |
|
+</info> |
|
+ |
|
+# Server-side |
|
+<reply> |
|
+<data> |
|
+HTTP/1.1 200 OK |
|
+Server: Microsoft-IIS/4.0 |
|
+Date: Tue, 25 Sep 2001 19:37:44 GMT |
|
+Content-Type: text/html |
|
+Connection: close |
|
+Content-Length: 21 |
|
+ |
|
+This server says moo |
|
+</data> |
|
+</reply> |
|
+ |
|
+# Client-side |
|
+<client> |
|
+<server> |
|
+http |
|
+</server> |
|
+ <name> |
|
+HTTP cookie domains tailmatching the host name |
|
+ </name> |
|
+ <command> |
|
+http://example.fake/c/1216 http://bexample.fake/c/1216 -b log/injar1216 -x %HOSTIP:%HTTPPORT |
|
+</command> |
|
+<file name="log/injar1216"> |
|
+example.fake FALSE /a FALSE 2139150993 mooo indeed |
|
+example.fake FALSE /b FALSE 0 moo1 indeed |
|
+example.fake FALSE /c FALSE 2139150993 moo2 indeed |
|
+</file> |
|
+</client> |
|
+ |
|
+# Verify data after the test has been "shot" |
|
+<verify> |
|
+<strip> |
|
+^User-Agent:.* |
|
+</strip> |
|
+<protocol> |
|
+GET http://example.fake/c/1216 HTTP/1.1 |
|
+Host: example.fake |
|
+Accept: */* |
|
+Proxy-Connection: Keep-Alive |
|
+Cookie: moo2=indeed |
|
+ |
|
+GET http://bexample.fake/c/1216 HTTP/1.1 |
|
+Host: bexample.fake |
|
+Accept: */* |
|
+Proxy-Connection: Keep-Alive |
|
+ |
|
+</protocol> |
|
+</verify> |
|
+</testcase> |
|
-- |
|
1.7.1 |
|
|
|
|
|
From 6c5a78d0407788b1092bbc8a19b68b01ccb75f8a Mon Sep 17 00:00:00 2001 |
|
From: YAMADA Yasuharu <yasuharu.yamada@access-company.com> |
|
Date: Thu, 11 Apr 2013 00:17:15 +0200 |
|
Subject: [PATCH 2/3] cookie: fix tailmatching to prevent cross-domain leakage |
|
|
|
Cookies set for 'example.com' could accidentaly also be sent by libcurl |
|
to the 'bexample.com' (ie with a prefix to the first domain name). |
|
|
|
This is a security vulnerabilty, CVE-2013-1944. |
|
|
|
Bug: http://curl.haxx.se/docs/adv_20130412.html |
|
|
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com> |
|
--- |
|
lib/cookie.c | 24 +++++++++++++++++++----- |
|
1 files changed, 19 insertions(+), 5 deletions(-) |
|
|
|
diff --git a/lib/cookie.c b/lib/cookie.c |
|
index 18b9155..d4fd78a 100644 |
|
--- a/lib/cookie.c |
|
+++ b/lib/cookie.c |
|
@@ -118,15 +118,29 @@ static void freecookie(struct Cookie *co) |
|
free(co); |
|
} |
|
|
|
-static bool tailmatch(const char *little, const char *bigone) |
|
+static bool tailmatch(const char *cooke_domain, const char *hostname) |
|
{ |
|
- size_t littlelen = strlen(little); |
|
- size_t biglen = strlen(bigone); |
|
+ size_t cookie_domain_len = strlen(cooke_domain); |
|
+ size_t hostname_len = strlen(hostname); |
|
|
|
- if(littlelen > biglen) |
|
+ if(hostname_len < cookie_domain_len) |
|
return FALSE; |
|
|
|
- return Curl_raw_equal(little, bigone+biglen-littlelen) ? TRUE : FALSE; |
|
+ if(!Curl_raw_equal(cooke_domain, hostname+hostname_len-cookie_domain_len)) |
|
+ return FALSE; |
|
+ |
|
+ /* A lead char of cookie_domain is not '.'. |
|
+ RFC6265 4.1.2.3. The Domain Attribute says: |
|
+ For example, if the value of the Domain attribute is |
|
+ "example.com", the user agent will include the cookie in the Cookie |
|
+ header when making HTTP requests to example.com, www.example.com, and |
|
+ www.corp.example.com. |
|
+ */ |
|
+ if(hostname_len == cookie_domain_len) |
|
+ return TRUE; |
|
+ if('.' == *(hostname + hostname_len - cookie_domain_len - 1)) |
|
+ return TRUE; |
|
+ return FALSE; |
|
} |
|
|
|
/* |
|
-- |
|
1.7.1 |
|
|
|
|
|
From 6284e78c9421911a24349621c5b63684823d12f7 Mon Sep 17 00:00:00 2001 |
|
From: Kamil Dudka <kdudka@redhat.com> |
|
Date: Fri, 12 Apr 2013 15:55:57 +0200 |
|
Subject: [PATCH 3/3] test1218: another cookie tailmatch test |
|
|
|
These tests verify commit 3604fde3d3c9b0d, the fix for the "cookie |
|
domain tailmatch" vulnerability. See |
|
http://curl.haxx.se/docs/adv_20130412.html |
|
|
|
Conflicts: |
|
|
|
tests/data/Makefile.am |
|
|
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com> |
|
--- |
|
tests/data/Makefile.am | 2 +- |
|
tests/data/Makefile.in | 2 +- |
|
tests/data/test1218 | 61 ++++++++++++++++++++++++++++++++++++++++++++++++ |
|
3 files changed, 63 insertions(+), 2 deletions(-) |
|
create mode 100644 tests/data/test1218 |
|
|
|
diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am |
|
index d714e5d..3e8dae0 100644 |
|
--- a/tests/data/Makefile.am |
|
+++ b/tests/data/Makefile.am |
|
@@ -77,7 +77,7 @@ test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117 \ |
|
test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125 \ |
|
test1126 test1127 test1128 test1129 test1130 test1131 test1132 test1133 \ |
|
test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ |
|
-test1208 test1209 test1210 test1211 test1216 \ |
|
+test1208 test1209 test1210 test1211 test1216 test1218 \ |
|
test1220 test1221 test1222 test1223 \ |
|
test1300 test1301 test1302 test1303 test1304 test1305 \ |
|
test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \ |
|
diff --git a/tests/data/Makefile.in b/tests/data/Makefile.in |
|
index a070266..71c9422 100644 |
|
--- a/tests/data/Makefile.in |
|
+++ b/tests/data/Makefile.in |
|
@@ -341,7 +341,7 @@ test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117 \ |
|
test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125 \ |
|
test1126 test1127 test1128 test1129 test1130 test1131 test1132 test1133 \ |
|
test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ |
|
-test1208 test1209 test1210 test1211 test1216 \ |
|
+test1208 test1209 test1210 test1211 test1216 test1218 \ |
|
test1220 test1221 test1222 test1223 \ |
|
test1300 test1301 test1302 test1303 test1304 test1305 \ |
|
test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \ |
|
diff --git a/tests/data/test1218 b/tests/data/test1218 |
|
new file mode 100644 |
|
index 0000000..7d86547 |
|
--- /dev/null |
|
+++ b/tests/data/test1218 |
|
@@ -0,0 +1,61 @@ |
|
+<testcase> |
|
+<info> |
|
+<keywords> |
|
+HTTP |
|
+HTTP GET |
|
+HTTP proxy |
|
+cookies |
|
+</keywords> |
|
+</info> |
|
+ |
|
+# This test is very similar to 1216, only that it sets the cookies from the |
|
+# first site instead of reading from a file |
|
+<reply> |
|
+<data> |
|
+HTTP/1.1 200 OK |
|
+Date: Tue, 25 Sep 2001 19:37:44 GMT |
|
+Set-Cookie: domain=.example.fake; bug=fixed; |
|
+Content-Length: 21 |
|
+ |
|
+This server says moo |
|
+</data> |
|
+</reply> |
|
+ |
|
+# Client-side |
|
+<client> |
|
+<server> |
|
+http |
|
+</server> |
|
+ <name> |
|
+HTTP cookies and domains with same prefix |
|
+ </name> |
|
+ <command> |
|
+http://example.fake/c/1218 http://example.fake/c/1218 http://bexample.fake/c/1218 -b nonexisting -x %HOSTIP:%HTTPPORT |
|
+</command> |
|
+</client> |
|
+ |
|
+# Verify data after the test has been "shot" |
|
+<verify> |
|
+<strip> |
|
+^User-Agent:.* |
|
+</strip> |
|
+<protocol> |
|
+GET http://example.fake/c/1218 HTTP/1.1 |
|
+Host: example.fake |
|
+Accept: */* |
|
+Proxy-Connection: Keep-Alive |
|
+ |
|
+GET http://example.fake/c/1218 HTTP/1.1 |
|
+Host: example.fake |
|
+Accept: */* |
|
+Proxy-Connection: Keep-Alive |
|
+Cookie: bug=fixed |
|
+ |
|
+GET http://bexample.fake/c/1218 HTTP/1.1 |
|
+Host: bexample.fake |
|
+Accept: */* |
|
+Proxy-Connection: Keep-Alive |
|
+ |
|
+</protocol> |
|
+</verify> |
|
+</testcase> |
|
-- |
|
1.7.1 |
|
|
|
|