Fix cookie injection (CVE-2018-0494)

* src/http.c (resp_new): Replace \r\n by space in continuation lines Fixes #53763 "Malicious website can write arbitrary cookie entries to cookie jar" HTTP header parsing left the \r\n from continuation line intact. The Set-Cookie code didn't check and could be tricked to write \r\n into the cookie jar, allowing a server to generate cookies at will.
2025-03-28 13:00:10 +08:00 · 2018-04-27 10:41:56 +02:00 · 2018-04-27 10:41:56 +02:00 · 1fc9c95ec1
commit 1fc9c95ec1
parent f51936745a
1 changed files with 13 additions and 5 deletions
--- a/src/http.c
+++ b/src/http.c
@ -613,9 +613,9 @@ struct response {
   resp_header_*.  */

 static struct response *
-resp_new (const char *head)
+resp_new (char *head)
 {
-  const char *hdr;
+  char *hdr;
  int count, size;

  struct response *resp = xnew0 (struct response);
@ -644,15 +644,23 @@ resp_new (const char *head)
        break;

      /* Find the end of HDR, including continuations. */
-      do
+      for (;;)
        {
-          const char *end = strchr (hdr, '\n');
+          char *end = strchr (hdr, '\n');
+
          if (end)
            hdr = end + 1;
          else
            hdr += strlen (hdr);
+
+          if (*hdr != ' ' && *hdr != '\t')
+            break;
+
+          // continuation, transform \r and \n into spaces
+          *end = ' ';
+          if (end > head && end[-1] == '\r')
+            end[-1] = ' ';
        }
-      while (*hdr == ' ' || *hdr == '\t');
    }
  DO_REALLOC (resp->headers, size, count + 1, const char *);
  resp->headers[count] = NULL;