1From 33dac5777fe5f9c8d2d7d340144b1685cd511d11 Mon Sep 17 00:00:00 2001 2From: Daniel Stenberg <daniel@haxx.se> 3Date: Mon, 9 May 2022 16:47:06 +0200 4Subject: [PATCH] cookies: make bad_domain() not consider a trailing dot fine 5 6The check for a dot in the domain must not consider a single trailing 7dot to be fine, as then TLD + trailing dot is fine and curl will accept 8setting cookies for it. 9 10CVE-2022-27779 11 12Reported-by: Axel Chong 13Bug: https://curl.se/docs/CVE-2022-27779.html 14Closes #8820 15 16Upstream-Status: Backport [https://github.com/curl/curl/commit/7e92d12b4e6911f424678a133b19de670e183a59] 17Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> 18--- 19 lib/cookie.c | 10 +++++++++- 20 1 file changed, 9 insertions(+), 1 deletion(-) 21 22diff --git a/lib/cookie.c b/lib/cookie.c 23index d418efa..1b8c8f9 100644 24--- a/lib/cookie.c 25+++ b/lib/cookie.c 26@@ -427,7 +427,15 @@ static void remove_expired(struct CookieInfo *cookies) 27 /* Make sure domain contains a dot or is localhost. */ 28 static bool bad_domain(const char *domain) 29 { 30- return !strchr(domain, '.') && !strcasecompare(domain, "localhost"); 31+ if(strcasecompare(domain, "localhost")) 32+ return FALSE; 33+ else { 34+ /* there must be a dot present, but that dot must not be a trailing dot */ 35+ char *dot = strchr(domain, '.'); 36+ if(dot) 37+ return dot[1] ? FALSE : TRUE; 38+ } 39+ return TRUE; 40 } 41 42 /* 43