From: Daniel Stenberg Date: Tue, 10 Dec 2024 11:39:57 +0000 (+0100) Subject: cookie: parse only the exact expire date X-Git-Tag: curl-8_12_0~372 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a8c852b9a5e4f92e13e0dc23a13ac3520d822c69;p=thirdparty%2Fcurl.git cookie: parse only the exact expire date The date parser function is very forgiving and skips most "irrelevant" characters in its hunt for a date to figure out. Therefore it is important to make sure the date string is properly null terminated so that it does not accidentally parse a piece of whatever text follows after the date. Add test483: test (overly) long expire dates in cookies Closes #15709 --- diff --git a/lib/cookie.c b/lib/cookie.c index 773e5357d3..aaa65368cf 100644 --- a/lib/cookie.c +++ b/lib/cookie.c @@ -469,6 +469,13 @@ static int invalid_octets(const char *p) #define CERR_PSL 14 /* a public suffix */ #define CERR_LIVE_WINS 15 +/* The maximum length we accept a date string for the 'expire' keyword. The + standard date formats are within the 30 bytes range. This adds an extra + margin just to make sure it realistically works with what is used out + there. +*/ +#define MAX_DATE_LENGTH 80 + static int parse_cookie_header(struct Curl_easy *data, struct Cookie *co, @@ -709,14 +716,17 @@ parse_cookie_header(struct Curl_easy *data, } } else if((nlen == 7) && strncasecompare("expires", namep, 7)) { - if(!co->expires) { + if(!co->expires && (vlen < MAX_DATE_LENGTH)) { /* * Let max-age have priority. * * If the date cannot get parsed for whatever reason, the cookie * will be treated as a session cookie */ - co->expires = Curl_getdate_capped(valuep); + char dbuf[MAX_DATE_LENGTH + 1]; + memcpy(dbuf, valuep, vlen); + dbuf[vlen] = 0; + co->expires = Curl_getdate_capped(dbuf); /* * Session cookies have expires set to 0 so if we get that back diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am index 776b5934bb..8e2c31863a 100644 --- a/tests/data/Makefile.am +++ b/tests/data/Makefile.am @@ -78,7 +78,7 @@ test444 test445 test446 test447 test448 test449 test450 test451 test452 \ test453 test454 test455 test456 test457 test458 test459 test460 test461 \ test462 test463 test467 test468 test469 test470 test471 test472 test473 \ test474 test475 test476 test477 test478 test479 test480 test481 test482 \ -\ +test483 \ test490 test491 test492 test493 test494 test495 test496 test497 test498 \ test499 test500 test501 test502 test503 test504 test505 test506 test507 \ test508 test509 test510 test511 test512 test513 test514 test515 test516 \ diff --git a/tests/data/test483 b/tests/data/test483 new file mode 100644 index 0000000000..6f4e4828c0 --- /dev/null +++ b/tests/data/test483 @@ -0,0 +1,65 @@ + + + +HTTP +HTTP GET +cookies + + + +# +# Server-side + + +HTTP/1.1 200 OK +Set-Cookie: name=value; expires=Fri Feb 13 11:56:27 GMT 2132 +Set-Cookie: name2=value; expires=Fri Feb 13 11:56:27 ; 2132 +Set-Cookie: name3=value; expires=Fri Feb 13 11:56:27 ...................................................GMT 2132 +Set-Cookie: name4=value; expires=Fri Feb 13 11:56:27 ....................................................GMT 2132 +Accept-Ranges: bytes +Content-Length: 6 +Connection: close + +-foo- + + + +# +# Client-side + + +http + + +large-time + + +HTTP cookies with long expire dates + + +http://%HOSTIP:%HTTPPORT/%TESTNUMBER -c %LOGDIR/c%TESTNUMBER + + + +# +# Verify data after the test has been "shot" + + +GET /%TESTNUMBER HTTP/1.1 +Host: %HOSTIP:%HTTPPORT +User-Agent: curl/%VERSION +Accept: */* + + + +# Netscape HTTP Cookie File +# https://curl.se/docs/http-cookies.html +# This file was generated by libcurl! Edit at your own risk. + +127.0.0.1 FALSE / FALSE 0 name4 value +127.0.0.1 FALSE / FALSE 5115959787 name3 value +127.0.0.1 FALSE / FALSE 0 name2 value +127.0.0.1 FALSE / FALSE 5115959787 name value + + +