From: Daniel Stenberg Date: Fri, 18 Oct 2024 07:38:13 +0000 (+0200) Subject: hsts: support "implied LWS" properly around max-age X-Git-Tag: curl-8_11_0~118 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5ea61a0b546fb054459384b2a225e9dd774088de;p=thirdparty%2Fcurl.git hsts: support "implied LWS" properly around max-age Adjust test 780 to verify. Reported-by: newfunction Closes #15330 --- diff --git a/lib/hsts.c b/lib/hsts.c index 12052ce53c..5b0137263b 100644 --- a/lib/hsts.c +++ b/lib/hsts.c @@ -159,7 +159,7 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname, do { while(*p && ISBLANK(*p)) p++; - if(strncasecompare("max-age=", p, 8)) { + if(strncasecompare("max-age", p, 7)) { bool quoted = FALSE; CURLofft offt; char *endp; @@ -167,9 +167,14 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname, if(gotma) return CURLE_BAD_FUNCTION_ARGUMENT; - p += 8; + p += 7; while(*p && ISBLANK(*p)) p++; + if(*p++ != '=') + return CURLE_BAD_FUNCTION_ARGUMENT; + while(*p && ISBLANK(*p)) + p++; + if(*p == '\"') { p++; quoted = TRUE; diff --git a/tests/data/test780 b/tests/data/test780 index 3db14d193d..cdb8b711f7 100644 --- a/tests/data/test780 +++ b/tests/data/test780 @@ -22,7 +22,7 @@ Date: Tue, 09 Nov 2010 14:49:00 GMT Server: test-server/fake swsclose Content-Type: text/html Funny-head: yesyes -Strict-Transport-Security: max-age=1000 +Strict-Transport-Security: max-age = 1000 @@ -68,7 +68,7 @@ Date: Tue, 09 Nov 2010 14:49:00 GMT Server: test-server/fake swsclose Content-Type: text/html Funny-head: yesyes -Strict-Transport-Security: max-age=1000 +Strict-Transport-Security: max-age = 1000
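Review bot: In the first lib/hsts.c hunk (-159), the shortened comparison `strncasecompare("max-age", p, 7)` matches any directive whose name merely starts with max-age, for example a constructed `max-agex=1`. The second hunk then returns CURLE_BAD_FUNCTION_ARGUMENT for it because no `=` follows, so the whole header is rejected and no HSTS entry is stored. Before this change such a token did not match `"max-age="` and presumably fell through to the handling of other directives, which lies outside the hunk. RFC 6797 asks user agents to ignore unrecognized directives, so consider requiring a delimiter after the name: `if(strncasecompare("max-age", p, 7) && (ISBLANK(p[7]) || p[7] == '=')) {`. Reading `p[7]` is safe because the seven matched characters mean it is at most the terminating NUL.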
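Review bot: In the second lib/hsts.c hunk (-167), `if(*p++ != '=')` hides the pointer advance inside the comparison, which makes the parser's position harder to follow. When `*p` is the terminating NUL the increment steps past it; that is harmless only because the function returns immediately. Separating the two makes this explicit: `if(*p != '=') return CURLE_BAD_FUNCTION_ARGUMENT;` followed by `p++;`. A short comment above the two blank-skipping loops, such as `/* implied LWS: blanks are allowed on both sides of '=' */`, would record why the skip is done twice. The enclosing do-loop of Curl_hsts_parse starts and ends outside the hunk.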
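Review bot: Both Strict-Transport-Security lines in tests/data/test780 (the hunk at -22 and the one at -68) switch to `max-age = 1000`, so this test now covers only the accepted spaced form. Nothing in the visible change exercises the new rejection path, where max-age is not followed by `=`. Whether another test still covers the compact `max-age=1000` form cannot be told from here. Consider adding a case with a header such as `Strict-Transport-Security: max-age 1000` (constructed sample) and checking that no HSTS entry is stored for it.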