Backported of: From 631f95b7013ba017692d9512093746af93b4e327 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Thu, 19 May 2022 12:12:04 +0200 Subject: [PATCH] cookie: apply limits - Send no more than 150 cookies per request - Cap the max length used for a cookie: header to 8K - Cap the max number of received Set-Cookie: headers to 50 diff --git a/lib/cookie.c b/lib/cookie.c index e88678c..1d1bf9b 100644 --- a/lib/cookie.c +++ b/lib/cookie.c @@ -453,6 +453,10 @@ Curl_cookie_add(struct Curl_easy *data, (void)data; #endif + DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */ + if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT) + return NULL; + /* First, alloc and init a new struct for it */ co = calloc(1, sizeof(struct Cookie)); if(!co) @@ -771,7 +775,7 @@ Curl_cookie_add(struct Curl_easy *data, freecookie(co); return NULL; } - + data->req.setcookies++; } else { /* This line is NOT a HTTP header style line, we do offer support for @@ -1268,7 +1272,8 @@ static struct Cookie *dup_cookie(struct Cookie *src) * ****************************************************************************/ -struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, +struct Cookie *Curl_cookie_getlist(struct Curl_easy *data, + struct CookieInfo *c, const char *host, const char *path, bool secure) { @@ -1317,6 +1322,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, mainco = newco; matches++; + if(matches >= MAX_COOKIE_SEND_AMOUNT) { + infof(data, "Included max number of cookies (%u) in request!", + matches); + break; + } } else goto fail; diff --git a/lib/cookie.h b/lib/cookie.h index 066396f..200590e 100644 --- a/lib/cookie.h +++ b/lib/cookie.h 
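Review bot: In lib/cookie.c, the new cap check at the top of Curl_cookie_add dereferences `data` unconditionally, while the `(void)data;` context line just above shows the pointer was treated as possibly unused in some builds, so every caller in this backport target must pass a non-NULL handle. If any caller can still pass NULL (not visible in this hunk), guard it with `if(data && data->req.setcookies >= MAX_SET_COOKIE_AMOUNT)`. The check also runs before the function distinguishes header lines from cookie-file lines, whereas the counter is only incremented in the header branch (hunk at -771), so once a response reaches the cap, non-header additions made through the same handle are refused too; a comment stating whether that is intended would help. The function body starts and ends outside the hunk.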
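Review bot: In lib/cookie.c (hunk at -771), `data->req.setcookies++` sits at the end of the header branch, after the `freecookie(co); return NULL;` exit shown just above it, so only Set-Cookie lines that pass parsing are counted. The commit message describes a cap on received headers, and a response made mostly of rejected lines still costs an allocation and a parse per line without ever reaching the cap. If the received count is what should be limited, move the increment to the start of the header branch; otherwise document the choice with `/* count only Set-Cookie: lines that passed header parsing */`. The start of the branch is outside the hunk.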
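Review bot: In Curl_cookie_getlist (lib/cookie.c, hunk at -1317), the added infof() passes `matches` to `%u`, but the declaration of `matches` is outside the hunk; if it is a `size_t`, the argument does not match the conversion on 64-bit targets. A cast keeps the format string as it is: `infof(data, "Included max number of cookies (%u) in request!", (unsigned int)matches);`. The `break` also stops collection in list order, so if the matches are sorted afterwards (not visible here), which cookies are kept depends on storage order rather than on that sort; a one-line comment saying so would help the next reader.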
@@ -80,10 +80,26 @@ struct CookieInfo { */ #define MAX_COOKIE_LINE 5000 -/* This is the maximum length of a cookie name or content we deal with: */ +/* Maximum length of an incoming cookie name or content we deal with. Longer + cookies are ignored. */ #define MAX_NAME 4096 #define MAX_NAME_TXT "4095" +/* Maximum size for an outgoing cookie line libcurl will use in an http + request. This is the default maximum length used in some versions of Apache + httpd. */ +#define MAX_COOKIE_HEADER_LEN 8190 + +/* Maximum number of cookies libcurl will send in a single request, even if + there might be more cookies that match. One reason to cap the number is to + keep the maximum HTTP request within the maximum allowed size. */ +#define MAX_COOKIE_SEND_AMOUNT 150 + +/* Maximum number of Set-Cookie: lines accepted in a single response. If more + such header lines are received, they are ignored. This value must be less + than 256 since an unsigned char is used to count. */ +#define MAX_SET_COOKIE_AMOUNT 50 + struct Curl_easy; /* * Add a cookie to the internal list of cookies. The domain and path arguments @@ -96,7 +112,8 @@ struct Cookie *Curl_cookie_add(struct Curl_easy *data, const char *domain, const char *path, bool secure); -struct Cookie *Curl_cookie_getlist(struct CookieInfo *, const char *, +struct Cookie *Curl_cookie_getlist(struct Curl_easy *, + struct CookieInfo *, const char *, const char *, bool); void Curl_cookie_freelist(struct Cookie *cookies); void Curl_cookie_clearall(struct CookieInfo *cookies); diff --git a/lib/http.c b/lib/http.c index 7ccc5b5..3726c32 100644 --- a/lib/http.c +++ b/lib/http.c @@ -1930,6 +1930,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done) #if !defined(CURL_DISABLE_COOKIES) char *addcookies = NULL; #endif + bool linecap = FALSE; curl_off_t included_body = 0; const char *httpstring; struct dynbuf req; 
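Review bot: The comment on MAX_SET_COOKIE_AMOUNT in lib/cookie.h says the value must stay below 256, but the only enforcement in this patch is the DEBUGASSERT in Curl_cookie_add, which is a debug-build check. A preprocessor guard next to the define makes the constraint hold in every build: `#if MAX_SET_COOKIE_AMOUNT > 255` / `#error "MAX_SET_COOKIE_AMOUNT must fit in an unsigned char"` / `#endif`. Separately, MAX_COOKIE_HEADER_LEN (8190) is smaller than two MAX_NAME-sized fields, so a single stored cookie near the name and content limits can exceed the outgoing cap on its own; the comment could state that such a cookie is never sent.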
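Review bot: In lib/http.c (hunk at -1930), `bool linecap = FALSE;` is declared after the `#endif` that closes the `CURL_DISABLE_COOKIES` block, yet the uses shown in the later hunks sit in cookie-handling code that references `addcookies`, which is declared only inside that block. A build with cookies disabled would then carry an unused variable, which breaks builds that treat warnings as errors. Moving the declaration up one line, directly under `char *addcookies = NULL;`, keeps it inside the guard. Curl_http's body continues outside the hunk.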
@@ -2610,7 +2611,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done) if(data->cookies && data->state.cookie_engine) { Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE); - co = Curl_cookie_getlist(data->cookies, + co = Curl_cookie_getlist(data, data->cookies, data->state.aptr.cookiehost? data->state.aptr.cookiehost:host, data->state.up.path, @@ -2628,6 +2629,13 @@ CURLcode Curl_http(struct connectdata *conn, bool *done) if(result) break; } + if((Curl_dyn_len(&req) + strlen(co->name) + strlen(co->value) + 1) >= + MAX_COOKIE_HEADER_LEN) { + infof(data, "Restricted outgoing cookies due to header size, " + "'%s' not sent", co->name); + linecap = TRUE; + break; + } result = Curl_dyn_addf(&req, "%s%s=%s", count?"; ":"", co->name, co->value); if(result) @@ -2638,7 +2646,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done) } Curl_cookie_freelist(store); } - if(addcookies && !result) { + if(addcookies && !result && !linecap) { if(!count) result = Curl_dyn_add(&req, "Cookie: "); if(!result) { diff --git a/lib/urldata.h b/lib/urldata.h index cbe6bf7..25d1445 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -664,6 +664,7 @@ struct SingleRequest { #ifndef CURL_DISABLE_DOH struct dohdata doh; /* DoH specific data for this request */ #endif + unsigned char setcookies; BIT(header); /* incoming data has HTTP header */ BIT(content_range); /* set TRUE if Content-Range: was found */ BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding
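Review bot: In lib/http.c (hunk at -2628), the size check compares `Curl_dyn_len(&req)` with MAX_COOKIE_HEADER_LEN, but `req` is the buffer the cookie text is appended to and, judging by its declaration in Curl_http, may already hold the request line and earlier headers, so the cap would be measured against the whole request rather than the Cookie: line. Recording `size_t cookie_start = Curl_dyn_len(&req);` before the loop and testing `Curl_dyn_len(&req) - cookie_start + strlen(co->name) + strlen(co->value) + 1` limits only the header being built. The lines above the hunk are not shown; if they emit the `Cookie: ` prefix when `count` is 0, as the `addcookies` path in the next hunk does, hitting the cap on the first cookie leaves that prefix in the request with `count` still 0, and the code after the loop should be checked to confirm the line is still terminated. The loop starts and ends outside the hunk.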
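Review bot: The new `setcookies` member of struct SingleRequest (lib/urldata.h) has no comment, unlike its neighbours, and nothing in this patch resets it. Add something like `unsigned char setcookies; /* Set-Cookie: headers counted for this request, capped at MAX_SET_COOKIE_AMOUNT */` and confirm that the backport target zeroes struct SingleRequest at the start of each request. If it does not, the count carries over between transfers on a reused handle and cookies from later responses are dropped once the total reaches the cap.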