From: Daniel Stenberg Date: Wed, 5 Oct 2022 07:12:39 +0000 (+0200) Subject: cookie: reject cookie names or content with TAB characters X-Git-Tag: curl-7_86_0~61 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bfe9b59be473c9cc96313dc618595d33d946761a;p=thirdparty%2Fcurl.git cookie: reject cookie names or content with TAB characters TABs in name and content seem allowed by RFC 6265: "the algorithm strips leading and trailing whitespace from the cookie name and value (but maintains internal whitespace)" Cookies with TABs in the names are rejected by Firefox and Chrome. TABs in content are stripped out by Firefox, while Chrome discards the whole cookie. TABs in cookies also cause issues in saved netscape cookie files. Reported-by: Trail of Bits URL: https://curl.se/mail/lib-2022-10/0032.html URL: https://github.com/httpwg/http-extensions/issues/2262 Closes #9659 --- diff --git a/lib/cookie.c b/lib/cookie.c index ab790a1cdb..7f23b417b7 100644 --- a/lib/cookie.c +++ b/lib/cookie.c @@ -538,7 +538,7 @@ Curl_cookie_add(struct Curl_easy *data, do { /* we have a = pair or a stand-alone word here */ name[0] = what[0] = 0; /* init the buffers */ - if(1 <= sscanf(ptr, "%" MAX_NAME_TXT "[^;\r\n=] =%" + if(1 <= sscanf(ptr, "%" MAX_NAME_TXT "[^;\t\r\n=] =%" MAX_NAME_TXT "[^;\r\n]", name, what)) { /* @@ -592,6 +592,13 @@ Curl_cookie_add(struct Curl_easy *data, while(*whatptr && ISBLANK(*whatptr)) whatptr++; + /* Reject cookies with a TAB inside the content */ + if(strchr(whatptr, '\t')) { + freecookie(co); + infof(data, "cookie contains TAB, dropping"); + return NULL; + } + /* * Check if we have a reserved prefix set before anything else, as we * otherwise have to test for the prefix in both the cookie name and
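Review bot: In the first hunk (@@ -538,7 +538,7 @@), adding `\t` to the name scanset `[^;\t\r\n=]` makes sscanf stop the name at the TAB rather than fail, so for input such as `na<TAB>me=value` the call still returns 1 with name set to `na`. The rejection described in the commit message therefore rests on code after this line that the hunk does not show. Please add a test with a TAB embedded in the name to confirm the remainder is never accepted as a shorter-named cookie. A one-line comment would also help, saying that the value scanset `[^;\r\n]` still admits TAB on purpose because the content is checked by the strchr test added in the second hunk.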
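Review bot: In the second hunk (@@ -592,6 +592,13 @@), the new `strchr(whatptr, '\t')` test runs only after the `ISBLANK` loop has advanced `whatptr` past leading blanks, so a leading TAB is silently skipped while an interior one drops the whole cookie. The comment "Reject cookies with a TAB inside the content" should spell out that distinction and record the reason given in the commit message (browser behaviour and breakage in saved netscape cookie files). The `infof` text "cookie contains TAB, dropping" also does not say which cookie was dropped; consider including `name`, which cannot contain a TAB after the first hunk, so the drop can be traced in verbose output.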