Compare commits

...

1 Commits

Author SHA1 Message Date
Xavier Roche
8df74c34ab Bound the cookie default-domain copy against a hostile over-long host
treathead seeds each Set-Cookie's default domain from the request host with a
strcpybuff into domain[256]. A 256+ byte host, reachable via a redirect
Location (sized HTS_URLMAXSIZE), overflows the fail-safe copy and aborts the
whole mirror. Drop such a Set-Cookie instead, matching the existing too-long
handling of the explicit domain= attribute.

Adds a cookies self-test driving treathead with a 599-byte host (aborts
without the guard) plus a normal-host control.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Xavier Roche <roche@httrack.com>
2026-07-12 15:13:00 +02:00
2 changed files with 24 additions and 0 deletions

View File

@@ -1708,6 +1708,9 @@ void treathead(t_cookie * cookie, const char *adr, const char *fil, htsblk * ret
#if DEBUG_COOK
printf("set-cookie detected\n");
#endif
/* Over-long host overflows the fail-safe domain[] copy (abort); drop it. */
if (adr && strlen(jump_identification_const(adr)) >= sizeof(domain))
return;
while(*a) {
char *token_st, *token_end;
char *value_st, *value_end;

View File

@@ -1816,6 +1816,27 @@ static int st_cookies(httrackp *opt, int argc, char **argv) {
http_cookie_header(&cookie, dom, "/", hdr, sizeof(hdr));
if (strcmp(hdr, expected) != 0)
err = 1;
/* A hostile over-long request host must not overflow domain[256] in
treathead's default-domain copy (that would abort the mirror). */
{
static t_cookie ck2;
htsblk r;
char host[600];
memset(&r, 0, sizeof(r));
memset(host, 'a', sizeof(host) - 1);
host[sizeof(host) - 1] = '\0';
ck2.max_len = (int) sizeof(ck2.data);
ck2.data[0] = '\0';
treathead(&ck2, host, "/", &r, "Set-Cookie: SID=1; path=/");
if (strnotempty(ck2.data)) // oversize-host cookie was not dropped
err = 1;
/* control: a normal host still yields a cookie through treathead */
treathead(&ck2, dom, "/", &r, "Set-Cookie: SID=1; path=/");
if (strstr(ck2.data, "SID") == NULL) // guard wrongly dropped a valid cookie
err = 1;
}
if (strstr(hdr, "$Version") != NULL || strstr(hdr, "$Path") != NULL)
err = 1;
if (strstr(hdr, "junk") != NULL) // wrong-domain cookie leaked