cookie: reject cookie names or content with TAB characters

TABs in name and content seem allowed by RFC 6265: "the algorithm strips
leading and trailing whitespace from the cookie name and value (but
maintains internal whitespace)"

Cookies with TABs in the names are rejected by Firefox and Chrome.

TABs in content are stripped out by Firefox, while Chrome discards the
whole cookie.

TABs in cookies also cause issues in saved netscape cookie files.

Reported-by: Trail of Bits
URL: https://curl.se/mail/lib-2022-10/0032.html
URL: https://github.com/httpwg/http-extensions/issues/2262

Closes #9659

diff --git a/lib/cookie.c b/lib/cookie.c
index ab790a1cdb0cea45e107d124aec364a7cf2e215a..7f23b417b72d03fbaae0222d4aa36b929c2a083d 100644 (file)
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -538,7 +538,7 @@ Curl_cookie_add(struct Curl_easy *data,
     do {
       /* we have a <what>=<this> pair or a stand-alone word here */
       name[0] = what[0] = 0; /* init the buffers */
-      if(1 <= sscanf(ptr, "%" MAX_NAME_TXT "[^;\r\n=] =%"
+      if(1 <= sscanf(ptr, "%" MAX_NAME_TXT "[^;\t\r\n=] =%"
                      MAX_NAME_TXT "[^;\r\n]",
                      name, what)) {
         /*
@@ -592,6 +592,13 @@ Curl_cookie_add(struct Curl_easy *data,
         while(*whatptr && ISBLANK(*whatptr))
           whatptr++;
 
+        /* Reject cookies with a TAB inside the content */
+        if(strchr(whatptr, '\t')) {
+          freecookie(co);
+          infof(data, "cookie contains TAB, dropping");
+          return NULL;
+        }
+
         /*
          * Check if we have a reserved prefix set before anything else, as we
          * otherwise have to test for the prefix in both the cookie name and