From 0b7dd36575821bd6e4e86f7b51ac001e69abddf9 Mon Sep 17 00:00:00 2001

From: Kamil Dudka <kdudka@redhat.com>

Date: Fri, 12 Apr 2013 15:53:39 +0200

Subject: [PATCH 1/3] test1216: test tailmatching cookie domains

This test is an attempt to repeat the problem YAMADA Yasuharu reported

at http://curl.haxx.se/mail/lib-2013-04/0108.html

Conflicts:

	tests/data/Makefile.am

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 tests/data/Makefile.am |    2 +-

 tests/data/Makefile.in |    2 +-

 tests/data/test1216    |   62 ++++++++++++++++++++++++++++++++++++++++++++++++

 3 files changed, 64 insertions(+), 2 deletions(-)

 create mode 100644 tests/data/test1216

diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am

index 9f569a3..d714e5d 100644

--- a/tests/data/Makefile.am

+++ b/tests/data/Makefile.am

@@ -77,7 +77,7 @@ test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117	\

 test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125	\

 test1126 test1127 test1128 test1129 test1130 test1131 test1132 test1133 \

 test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \

-test1208 test1209 test1210 test1211 \

+test1208 test1209 test1210 test1211 test1216 \

 test1220 test1221 test1222 test1223 \

 test1300 test1301 test1302 test1303 test1304 test1305	\

 test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \

diff --git a/tests/data/Makefile.in b/tests/data/Makefile.in

index d5b0918..a070266 100644

--- a/tests/data/Makefile.in

+++ b/tests/data/Makefile.in

@@ -341,7 +341,7 @@ test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117	\

 test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125	\

 test1126 test1127 test1128 test1129 test1130 test1131 test1132 test1133 \

 test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \

-test1208 test1209 test1210 test1211 \

+test1208 test1209 test1210 test1211 test1216 \

 test1220 test1221 test1222 test1223 \

 test1300 test1301 test1302 test1303 test1304 test1305	\

 test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \

diff --git a/tests/data/test1216 b/tests/data/test1216

new file mode 100644

index 0000000..e63fe92

--- /dev/null

+++ b/tests/data/test1216

@@ -0,0 +1,62 @@

+<testcase>

+<info>

+<keywords>

+HTTP

+HTTP GET

+HTTP proxy

+cookies

+</keywords>

+</info>

+

+# Server-side

+<reply>

+<data>

+HTTP/1.1 200 OK

+Server: Microsoft-IIS/4.0

+Date: Tue, 25 Sep 2001 19:37:44 GMT

+Content-Type: text/html

+Connection: close

+Content-Length: 21

+

+This server says moo

+</data>

+</reply>

+

+# Client-side

+<client>

+<server>

+http

+</server>

+ <name>

+HTTP cookie domains tailmatching the host name

+ </name>

+ <command>

+http://example.fake/c/1216 http://bexample.fake/c/1216 -b log/injar1216 -x %HOSTIP:%HTTPPORT

+</command>

+<file name="log/injar1216">

+example.fake	FALSE	/a	FALSE	2139150993	mooo	indeed

+example.fake	FALSE	/b	FALSE	0		moo1	indeed

+example.fake	FALSE	/c	FALSE	2139150993	moo2	indeed

+</file>

+</client>

+

+# Verify data after the test has been "shot"

+<verify>

+<strip>

+^User-Agent:.*

+</strip>

+<protocol>

+GET http://example.fake/c/1216 HTTP/1.1

+Host: example.fake

+Accept: */*

+Proxy-Connection: Keep-Alive

+Cookie: moo2=indeed

+

+GET http://bexample.fake/c/1216 HTTP/1.1

+Host: bexample.fake

+Accept: */*

+Proxy-Connection: Keep-Alive

+

+</protocol>

+</verify>

+</testcase>

-- 

1.7.1

From 6c5a78d0407788b1092bbc8a19b68b01ccb75f8a Mon Sep 17 00:00:00 2001

From: YAMADA Yasuharu <yasuharu.yamada@access-company.com>

Date: Thu, 11 Apr 2013 00:17:15 +0200

Subject: [PATCH 2/3] cookie: fix tailmatching to prevent cross-domain leakage

Cookies set for 'example.com' could accidentaly also be sent by libcurl

to the 'bexample.com' (ie with a prefix to the first domain name).

This is a security vulnerabilty, CVE-2013-1944.

Bug: http://curl.haxx.se/docs/adv_20130412.html

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 lib/cookie.c |   24 +++++++++++++++++++-----

 1 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/lib/cookie.c b/lib/cookie.c

index 18b9155..d4fd78a 100644

--- a/lib/cookie.c

+++ b/lib/cookie.c

@@ -118,15 +118,29 @@ static void freecookie(struct Cookie *co)

   free(co);

 }

-static bool tailmatch(const char *little, const char *bigone)

+static bool tailmatch(const char *cooke_domain, const char *hostname)

 {

-  size_t littlelen = strlen(little);

-  size_t biglen = strlen(bigone);

+  size_t cookie_domain_len = strlen(cooke_domain);

+  size_t hostname_len = strlen(hostname);

-  if(littlelen > biglen)

+  if(hostname_len < cookie_domain_len)

     return FALSE;

-  return Curl_raw_equal(little, bigone+biglen-littlelen) ? TRUE : FALSE;

+  if(!Curl_raw_equal(cooke_domain, hostname+hostname_len-cookie_domain_len))

+    return FALSE;

+

+  /* A lead char of cookie_domain is not '.'.

+     RFC6265 4.1.2.3. The Domain Attribute says:

+       For example, if the value of the Domain attribute is

+       "example.com", the user agent will include the cookie in the Cookie

+       header when making HTTP requests to example.com, www.example.com, and

+       www.corp.example.com.

+   */

+  if(hostname_len == cookie_domain_len)

+    return TRUE;

+  if('.' == *(hostname + hostname_len - cookie_domain_len - 1))

+    return TRUE;

+  return FALSE;

 }

 /*

-- 

1.7.1

From 6284e78c9421911a24349621c5b63684823d12f7 Mon Sep 17 00:00:00 2001

From: Kamil Dudka <kdudka@redhat.com>

Date: Fri, 12 Apr 2013 15:55:57 +0200

Subject: [PATCH 3/3] test1218: another cookie tailmatch test

These tests verify commit 3604fde3d3c9b0d, the fix for the "cookie

domain tailmatch" vulnerability. See

http://curl.haxx.se/docs/adv_20130412.html

Conflicts:

	tests/data/Makefile.am

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 tests/data/Makefile.am |    2 +-

 tests/data/Makefile.in |    2 +-

 tests/data/test1218    |   61 ++++++++++++++++++++++++++++++++++++++++++++++++

 3 files changed, 63 insertions(+), 2 deletions(-)

 create mode 100644 tests/data/test1218

diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am

index d714e5d..3e8dae0 100644

--- a/tests/data/Makefile.am

+++ b/tests/data/Makefile.am

@@ -77,7 +77,7 @@ test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117	\

 test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125	\

 test1126 test1127 test1128 test1129 test1130 test1131 test1132 test1133 \

 test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \

-test1208 test1209 test1210 test1211 test1216 \

+test1208 test1209 test1210 test1211 test1216 test1218 \

 test1220 test1221 test1222 test1223 \

 test1300 test1301 test1302 test1303 test1304 test1305	\

 test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \

diff --git a/tests/data/Makefile.in b/tests/data/Makefile.in

index a070266..71c9422 100644

--- a/tests/data/Makefile.in

+++ b/tests/data/Makefile.in

@@ -341,7 +341,7 @@ test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117	\

 test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125	\

 test1126 test1127 test1128 test1129 test1130 test1131 test1132 test1133 \

 test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \

-test1208 test1209 test1210 test1211 test1216 \

+test1208 test1209 test1210 test1211 test1216 test1218 \

 test1220 test1221 test1222 test1223 \

 test1300 test1301 test1302 test1303 test1304 test1305	\

 test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \

diff --git a/tests/data/test1218 b/tests/data/test1218

new file mode 100644

index 0000000..7d86547

--- /dev/null

+++ b/tests/data/test1218

@@ -0,0 +1,61 @@

+<testcase>

+<info>

+<keywords>

+HTTP

+HTTP GET

+HTTP proxy

+cookies

+</keywords>

+</info>

+

+# This test is very similar to 1216, only that it sets the cookies from the

+# first site instead of reading from a file

+<reply>

+<data>

+HTTP/1.1 200 OK

+Date: Tue, 25 Sep 2001 19:37:44 GMT

+Set-Cookie: domain=.example.fake; bug=fixed;

+Content-Length: 21

+

+This server says moo

+</data>

+</reply>

+

+# Client-side

+<client>

+<server>

+http

+</server>

+ <name>

+HTTP cookies and domains with same prefix

+ </name>

+ <command>

+http://example.fake/c/1218 http://example.fake/c/1218 http://bexample.fake/c/1218 -b nonexisting -x %HOSTIP:%HTTPPORT

+</command>

+</client>

+

+# Verify data after the test has been "shot"

+<verify>

+<strip>

+^User-Agent:.*

+</strip>

+<protocol>

+GET http://example.fake/c/1218 HTTP/1.1

+Host: example.fake

+Accept: */*

+Proxy-Connection: Keep-Alive

+

+GET http://example.fake/c/1218 HTTP/1.1

+Host: example.fake

+Accept: */*

+Proxy-Connection: Keep-Alive

+Cookie: bug=fixed

+

+GET http://bexample.fake/c/1218 HTTP/1.1

+Host: bexample.fake

+Accept: */*

+Proxy-Connection: Keep-Alive

+

+</protocol>

+</verify>

+</testcase>

-- 

1.7.1