curl/curl
1
1
Fork 0
mirror of https://github.com/curl/curl.git synced 2025-09-10 14:12:41 +03:00
Code Issues Packages Projects Releases Wiki Activity

cookie: accept "high byte" cookie content

Browse Source 
Regression from 597ee915c4 (not shipped in a release)
Reported-by: Carlos Henrique Lima Melara
Assisted-by: Scott Talbert

Added such a cookie to test 31.

Fixes #16692
Closes #16703
This commit is contained in:
Daniel Stenberg 2025-03-13 08:22:11 +01:00
parent 51d8213579
commit 5a26b901d4
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
2 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lib/cookie.c
View File

@ -434,8 +434,9 @@ static bool bad_domain(const char *domain, size_t len)
fine. The prime reason for filtering out control bytes is that some HTTP fine. The prime reason for filtering out control bytes is that some HTTP
servers return 400 for requests that contain such. servers return 400 for requests that contain such.
*/ */
static bool invalid_octets(const char *p) static bool invalid_octets(const char *ptr)
{ {
const unsigned char *p = (const unsigned char *)ptr;
/* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */
while(*p) { while(*p) {
if(((*p != 9) && (*p < 0x20)) || (*p == 0x7f)) if(((*p != 9) && (*p < 0x20)) || (*p == 0x7f))

2
tests/data/test31
View File

@ -68,6 +68,7 @@ Set-Cookie: withspaces= yes within and around ;
Set-Cookie: withspaces2 =before equals; Set-Cookie: withspaces2 =before equals;
Set-Cookie: prespace= yes before; Set-Cookie: prespace= yes before;
Set-Cookie: securewithspace=after ; secure = Set-Cookie: securewithspace=after ; secure =
Set-Cookie: ³Ã\x92Ã\x9aÃ\x8dÃ\x97=%96%A6g%9Ay%B0%A5g%A7tm%7C%95%9A
boo boo
</data> </data>
@ -110,6 +111,7 @@ Accept: */*
# https://curl.se/docs/http-cookies.html # https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk. # This file was generated by libcurl! Edit at your own risk.
test31.curl FALSE /we/want/ FALSE 0 ³Ã\x92Ã\x9aÃ\x8dÃ\x97 %96%A6g%9Ay%B0%A5g%A7tm%7C%95%9A
test31.curl FALSE /we/want/ FALSE 0 prespace yes before test31.curl FALSE /we/want/ FALSE 0 prespace yes before
test31.curl FALSE /we/want/ FALSE 0 withspaces2 before equals test31.curl FALSE /we/want/ FALSE 0 withspaces2 before equals
test31.curl FALSE /we/want/ FALSE 0 withspaces yes within and around test31.curl FALSE /we/want/ FALSE 0 withspaces yes within and around