cookie: trim trailing dots when checking PSL

author Daniel Stenberg <daniel@haxx.se>

Fri, 15 May 2026 22:19:09 +0000 (00:19 +0200)

committer Daniel Stenberg <daniel@haxx.se>

Sat, 16 May 2026 09:24:28 +0000 (11:24 +0200)
author Daniel Stenberg <daniel@haxx.se>
Fri, 15 May 2026 22:19:09 +0000 (00:19 +0200)
committer Daniel Stenberg <daniel@haxx.se>
Sat, 16 May 2026 09:24:28 +0000 (11:24 +0200)
diff --git a/lib/cookie.c b/lib/cookie.c

index 7ecef3a666bd1061a8c8465a80d692b8726fc382..0b45798fca2a6e059b2421a96d8661571b989319 100644 (file)
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -779,12 +779,21 @@ static bool is_public_suffix(struct Curl_easy *data,
      char lcookie[256];
      size_t dlen = strlen(domain);
      size_t clen = strlen(co->domain);
+
+    /* trim trailing dots */
+    if(dlen && (domain[dlen - 1] == '.'))
+      dlen--;
+    if(clen && (co->domain[clen - 1] == '.'))
+      clen--;
+
      if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
        const psl_ctx_t *psl = Curl_psl_use(data);
        if(psl) {
          /* the PSL check requires lowercase domain name and pattern */
-        Curl_strntolower(lcase, domain, dlen + 1);
-        Curl_strntolower(lcookie, co->domain, clen + 1);
+        Curl_strntolower(lcase, domain, dlen);
+        lcase[dlen] = 0;
+        Curl_strntolower(lcookie, co->domain, clen);
+        lcookie[clen] = 0;
          acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
          Curl_psl_release(data);
        }
diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am

index 166de82cf7ccb9aeb16163aba081d01a4c279134..f9d0e769f675d9b16d52ab83d472220ff41beb24 100644 (file)
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@@ -214,7 +214,7 @@ test1596 test1597 test1598 test1599 test1600 test1601 test1602 test1603 \
  test1604 test1605 test1606 test1607 test1608 test1609 test1610 test1611 \
  test1612 test1613 test1614 test1615 test1616 test1617 test1618 test1619 \
  test1620 test1621 test1622 test1623 test1624 test1625 test1626 test1627 \
-test1628 \
+test1628 test1629 \
  \
  test1630 test1631 test1632 test1633 test1634 test1635 test1636 test1637 \
  test1638 test1639 test1640 test1641 test1642 test1643 test1644 test1645 \
diff --git a/tests/data/test1629 b/tests/data/test1629

new file mode 100644 (file)

index 0000000..6ee479b
--- /dev/null
+++ b/tests/data/test1629
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+</keywords>
+</info>
+
+# Server-side
+<reply>
+<data crlf="headers">
+HTTP/1.1 200 OK
+Content-Length: 6
+Set-Cookie: something=1; Domain=co.uk.; Path=/
+
+-foo-
+</data>
+</reply>
+
+# Client-side
+<client>
+<features>
+PSL
+cookies
+</features>
+<server>
+http
+</server>
+<name>
+cookies with trailing dot after PSL domain
+</name>
+<command>
+http://foo.co.uk.:%HTTPPORT/ http://bar.co.uk.:%HTTPPORT/ -b "" --resolve foo.co.uk.:%HTTPPORT:%HOSTIP --resolve bar.co.uk.:%HTTPPORT:%HOSTIP
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<protocol crlf="headers">
+GET / HTTP/1.1
+Host: foo.co.uk.:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+GET / HTTP/1.1
+Host: bar.co.uk.:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+</protocol>
+</verify>
+</testcase>
author	Daniel Stenberg <daniel@haxx.se>
	Fri, 15 May 2026 22:19:09 +0000 (00:19 +0200)
committer	Daniel Stenberg <daniel@haxx.se>
	Sat, 16 May 2026 09:24:28 +0000 (11:24 +0200)
lib/cookie.c		patch \| blob \| blame \| history
tests/data/Makefile.am		patch \| blob \| blame \| history
tests/data/test1629	[new file with mode: 0644]	patch \| blob