curl-library
[PATCH] Add support for Mozilla's Publix Suffix List
From: Tim Rühsen <tim.ruehsen_at_gmx.de>
Date: Tue, 29 Sep 2015 11:33:01 +0200
Date: Tue, 29 Sep 2015 11:33:01 +0200
Use libpsl to check the domain value of Set-Cookie headers
(and cookie jar entries) for not being a Publix Suffix.
Ref: https://publicsuffix.org/
Ref: https://github.com/publicsuffix/list
Ref: https://github.com/rockdaboot/libpsl
---
configure.ac | 14 ++++++++++++
lib/cookie.c | 21 +++++++++++++++++
lib/version.c | 9 ++++++++
src/tool_help.c | 3 +++
tests/data/Makefile.inc | 1 +
tests/data/test1136 | 60 +++++++++++++++++++++++++++++++++++++++++++++++++
tests/runtests.pl | 18 ++++++++++++++-
7 files changed, 125 insertions(+), 1 deletion(-)
create mode 100644 tests/data/test1136
diff --git a/configure.ac b/configure.ac
index 26d77eb..771deac 100644
--- a/configure.ac
+++ b/configure.ac
@@ -166,6 +166,7 @@ curl_verbose_msg="enabled (--disable-verbose)"
curl_rtsp_msg="no (--enable-rtsp)"
curl_rtmp_msg="no (--with-librtmp)"
curl_mtlnk_msg="no (--with-libmetalink)"
+ curl_psl_msg="no (--with-libpsl)"
init_ssl_msg=${curl_ssl_msg}
@@ -2314,6 +2315,18 @@ dnl **********************************************************************
CURL_CHECK_CA_BUNDLE
dnl **********************************************************************
+dnl Check for libpsl
+dnl **********************************************************************
+
+AC_ARG_WITH(libpsl, AS_HELP_STRING([--without-libpsl], [disable support for libpsl cookie checking]), with_libpsl=$withval, with_libpsl=yes)
+if test $with_libpsl != "no"; then
+ AC_SEARCH_LIBS(psl_builtin, psl,
+ [curl_psl_msg="yes"; AC_DEFINE([USE_LIBPSL], [1], [PSL support enabled])],
+ [curl_psl_msg="no (libpsl not found)"; AC_MSG_WARN(*** libpsl was not found. Supercookie vulnerability possible.)])
+fi
+AM_CONDITIONAL([USE_LIBPSL], [test "$curl_psl_msg" = "yes"])
+
+dnl **********************************************************************
dnl Check for libmetalink
dnl **********************************************************************
@@ -3741,6 +3754,7 @@ AC_MSG_NOTICE([Configured to build curl/libcurl:
RTSP support: ${curl_rtsp_msg}
RTMP support: ${curl_rtmp_msg}
metalink support: ${curl_mtlnk_msg}
+ PSL support: ${curl_psl_msg}
HTTP2 support: ${curl_h2_msg}
Protocols: ${SUPPORT_PROTOCOLS}
])
diff --git a/lib/cookie.c b/lib/cookie.c
index 22730cf..e09cea1 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -84,6 +84,10 @@ Example set of cookies:
#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_COOKIES)
+#ifdef USE_LIBPSL
+# include <libpsl.h>
+#endif
+
#include "curl_printf.h"
#include "urldata.h"
#include "cookie.h"
@@ -379,6 +383,10 @@ Curl_cookie_add(struct SessionHandle *data,
bool replace_old = FALSE;
bool badcookie = FALSE; /* cookies are good by default. mmmmm yummy */
+#ifdef USE_LIBPSL
+ const psl_ctx_t *psl;
+#endif
+
#ifdef CURL_DISABLE_VERBOSE_STRINGS
(void)data;
#endif
@@ -777,6 +785,19 @@ Curl_cookie_add(struct SessionHandle *data,
/* at first, remove expired cookies */
remove_expired(c);
+#ifdef USE_LIBPSL
+ /* Check if the domain is a Public Suffix and if yes, ignore the cookie.
+ This needs a libpsl compiled with builtin data. */
+ if(co->domain && !isip(co->domain) && (psl = psl_builtin()) != NULL) {
+ if(psl_is_public_suffix(psl, co->domain)) {
+ /* infof("cookie '%s' dropped, domain '%s' is a public suffix\n", co->name, co->domain); */
+ fprintf(stderr,"cookie '%s' dropped, domain '%s' is a public suffix\n", co->name, co->domain);
+ freecookie(co);
+ return NULL;
+ }
+ }
+#endif
+
clist = c->cookies;
replace_old = FALSE;
while(clist) {
diff --git a/lib/version.c b/lib/version.c
index 1727c5a..8784c2b 100644
--- a/lib/version.c
+++ b/lib/version.c
@@ -40,6 +40,10 @@
#include <stringprep.h>
#endif
+#ifdef USE_LIBPSL
+#include <libpsl.h>
+#endif
+
#if defined(HAVE_ICONV) && defined(CURL_DOES_CONVERSIONS)
#include <iconv.h>
#endif
@@ -100,6 +104,11 @@ char *curl_version(void)
ptr += len;
}
#endif
+#ifdef USE_LIBPSL
+ len = snprintf(ptr, left, " libpsl/%s", psl_get_version());
+ left -= len;
+ ptr += len;
+#endif
#ifdef USE_WIN32_IDN
len = snprintf(ptr, left, " WinIDN");
left -= len;
diff --git a/src/tool_help.c b/src/tool_help.c
index 355fe7d..4f569cd 100644
--- a/src/tool_help.c
+++ b/src/tool_help.c
@@ -317,6 +317,9 @@ void tool_version_info(void)
#ifdef USE_METALINK
printf("Metalink ");
#endif
+#ifdef USE_LIBPSL
+ printf("PSL ");
+#endif
puts(""); /* newline */
}
}
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index d84b4e2..b053534 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -118,6 +118,7 @@ test1104 test1105 test1106 test1107 test1108 test1109 test1110 test1111 \
test1112 test1113 test1114 test1115 test1116 test1117 test1118 test1119 \
test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \
test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
+test1136 \
\
test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
diff --git a/tests/data/test1136 b/tests/data/test1136
new file mode 100644
index 0000000..16c48b2
--- /dev/null
+++ b/tests/data/test1136
@@ -0,0 +1,60 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+HTTP proxy
+cookies
+cookiejar
+PSL
+</keywords>
+</info>
+
+# Server-side
+<reply>
+<data>
+HTTP/1.1 200 OK
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 4
+Content-Type: text/html
+Funny-head: yesyes
+Set-Cookie: test1=forbidden1; domain=example.ck; path=/;
+Set-Cookie: test2=allowed2; domain=www.example.ck; path=/;
+Set-Cookie: test3=forbidden3; domain=ck; path=/;
+Set-Cookie: test4=allowed4; domain=www.ck; path=/;
+Set-Cookie: test5=forbidden5; domain=z-1.compute-1.amazonaws.com; path=/;
+
+boo
+</data>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+<name>
+Check cookies against PSL
+</name>
+<setenv>
+TZ=GMT
+</setenv>
+<command>
+http://www.example.ck/1136 http://www.ck/1136 http://z-1.compute-1.amazonaws.com/1136 -b none -c log/jar1136.txt -x %HOSTIP:%HTTPPORT
+</command>
+
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<file name="log/jar1136.txt" mode="text">
+# Netscape HTTP Cookie File
+# http://curl.haxx.se/docs/http-cookies.html
+# This file was generated by libcurl! Edit at your own risk.
+
+.www.example.ck TRUE / FALSE 0 test2 allowed2
+.www.ck TRUE / FALSE 0 test4 allowed4
+</file>
+</verify>
+</testcase>
diff --git a/tests/runtests.pl b/tests/runtests.pl
index 377d733..6e9f4a1 100755
--- a/tests/runtests.pl
+++ b/tests/runtests.pl
@@ -224,6 +224,7 @@ my $has_http2; # set if libcurl is built with HTTP2 support
my $has_crypto; # set if libcurl is built with cryptographic support
my $has_cares; # set if built with c-ares
my $has_threadedres;# set if built with threaded resolver
+my $has_psl; # set if libcurl is built with PSL support
# this version is decided by the particular nghttp2 library that is being used
my $h2cver = "h2c";
@@ -2474,6 +2475,10 @@ sub checksystem {
# Metalink enabled
$has_metalink=1;
}
+ if($feat =~ /PSL/i) {
+ # PSL enabled
+ $has_psl=1;
+ }
if($feat =~ /AsynchDNS/i) {
if(!$has_cares) {
# this means threaded resolver
@@ -2599,8 +2604,9 @@ sub checksystem {
logmsg sprintf("* HTTP Unix %s\n", $http_unix?"ON ":"OFF");
logmsg sprintf("* FTP IPv6 %8s", $ftp_ipv6?"ON ":"OFF");
logmsg sprintf(" Libtool lib: %s\n", $libtool?"ON ":"OFF");
- logmsg sprintf("* Shared build: %-3s", $has_shared);
+ logmsg sprintf("* PSL: %8s", $has_psl?"ON ":"OFF");
logmsg sprintf(" Resolver: %s\n", $resolver);
+
if($ssl_version) {
logmsg sprintf("* SSL library: %13s\n", $ssllib);
}
@@ -2981,6 +2987,11 @@ sub singletest {
next;
}
}
+ elsif($1 eq "PSL") {
+ if($has_psl) {
+ next;
+ }
+ }
elsif($1 eq "socks") {
next;
}
@@ -3117,6 +3128,11 @@ sub singletest {
next;
}
}
+ elsif($1 eq "PSL") {
+ if(!$has_psl) {
+ next;
+ }
+ }
else {
next;
}
--
2.6.0
--nextPart1567022.UHACgF4AF6
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLQpMaXN0IGFkbWluOiBodHRwOi8vY29vbC5oYXh4LnNlL2xpc3QvbGlzdGluZm8v
Y3VybC1saWJyYXJ5CkV0aXF1ZXR0ZTogIGh0dHA6Ly9jdXJsLmhheHguc2UvbWFpbC9ldGlxdWV0
dGUuaHRtbA==
--nextPart1567022.UHACgF4AF6--
Received on 2001-09-17