cookies: tricked dotcounter fixed

Providing multiple dots in a series in the domain field (domain=..com) could
trick the cookie engine to wrongly accept the cookie believing it to be
fine. Since the tailmatching would then match all .com sites, the cookie would
then be sent to all of them.

The code now requires at least one letter between each dot for them to be
counted. Edited test case 61 to verify this.

diff --git a/lib/cookie.c b/lib/cookie.c
index c6460a1..d40cbb8 100644 (file)
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -270,6 +270,7 @@ Curl_cookie_add(struct SessionHandle *data,
                we don't care about that, we treat the names the same anyway */
 
             const char *domptr=whatptr;
+            const char *nextptr;
             int dotcount=1;
 
             /* Count the dots, we need to make sure that there are enough
@@ -280,12 +281,13 @@ Curl_cookie_add(struct SessionHandle *data,
               domptr++;
 
             do {
-              domptr = strchr(domptr, '.');
-              if(domptr) {
-                domptr++;
-                dotcount++;
+              nextptr = strchr(domptr, '.');
+              if(nextptr) {
+                if(domptr != nextptr)
+                  dotcount++;
+                domptr = nextptr+1;
               }
-            } while(domptr);
+            } while(nextptr);
 
             /* The original Netscape cookie spec defined that this domain name
                MUST have three dots (or two if one of the seven holy TLDs),

diff --git a/tests/data/test61 b/tests/data/test61
index f2a6a4e..da05616 100644 (file)
--- a/tests/data/test61
+++ b/tests/data/test61
@@ -22,6 +22,7 @@ SET-COOKIE: test2=yes; domain=host.foo.com; expires=Fri Feb 2 11:56:27 GMT 2035
 Set-Cookie: test3=maybe; domain=foo.com; path=/moo; secure\r
 Set-Cookie: test4=no; domain=nope.foo.com; path=/moo; secure\r
 Set-Cookie: test5=name; domain=anything.com; path=/ ; secure\r
+Set-Cookie: fake=fooledyou; domain=..com; path=/;\r
 Content-Length: 4\r
 \r
 boo