From 4a86af99401fb48d58a0a550117e6516ca5a76bd Mon Sep 17 00:00:00 2001
From: alhudz
Date: Wed, 17 Jun 2026 20:15:11 +0530
Subject: [PATCH] cookie: reject control octets in file-loaded cookies

Verified by test 2311

Closes #22070
---
 lib/cookie.c           |  8 ++++++
 tests/data/Makefile.am |  2 +-
 tests/data/test2311    | 56 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 tests/data/test2311

diff --git a/lib/cookie.c b/lib/cookie.c
index e6a1477058..99f2910632 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -786,6 +786,14 @@ static CURLcode parse_netscape(struct Cookie *co,
     /* we did not find the sufficient number of fields */
     return CURLE_OK;
 
+  /* Reject control octets in the name or value, matching the filtering done
+     for cookies set over HTTP. A cookie loaded from a file is later sent in
+     request headers, so the same bytes that make a server reject a request
+     must not slip in through the file. */
+  if(invalid_octets(co->name, strlen(co->name)) ||
+     invalid_octets(co->value, strlen(co->value)))
+    return CURLE_OK;
+
   *okay = TRUE;
   return CURLE_OK;
 }
diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
index a1d75ab305..f537ba181b 100644
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@@ -259,7 +259,7 @@ test2200 test2201 test2202 test2203 test2204 test2205 test2206 test2207 \
 test2208 \
 \
 test2300 test2301 test2302 test2303 test2304 test2306 test2307 test2308 \
-test2309 test2310 \
+test2309 test2310 test2311 \
 \
 test2400 test2401 test2402 test2403 test2404 test2405 test2406 test2407 \
 test2408 test2409 test2410 test2411 \
diff --git a/tests/data/test2311 b/tests/data/test2311
new file mode 100644
index 0000000000..92453a75e3
--- /dev/null
+++ b/tests/data/test2311
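Review bot: The new guard in parse_netscape drops the offending jar entry silently — `*okay` is left unset and the function returns `CURLE_OK` with no diagnostic, so a cookie refused for control octets is indistinguishable from one that was never in the file, which makes the rejection hard to debug for users and hard to spot in verbose logs. If the parser has a transfer handle in scope (the signature is cut off at the hunk header, so I cannot tell from here), an `infof(data, "cookie from file dropped: invalid octets in name or value");` placed before the added `return CURLE_OK;` would make the filter observable; keep the message free of the raw `co->name`/`co->value` bytes, since echoing them would put the very control characters being rejected into the log stream. Separately, test2311 only exercises the value branch (`bad %hex[ba%07d]hex%`); a second jar line carrying a control octet in the cookie name would pin the `co->name` half of the condition as well. parse_netscape begins before this hunk.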
@@ -0,0 +1,56 @@ + + + + +HTTP +HTTP GET +HTTP proxy +cookies + + + +# Server-side + + +HTTP/1.1 200 OK +Server: test-server/fake +Content-Length: 21 + +This server says moo + + + +# Client-side + + +http + + +Cookie from file with control octet in value is rejected + + +http://example.fake/%TESTNUMBER -b %LOGDIR/injar%TESTNUMBER -x %HOSTIP:%HTTPPORT + + +example.fake FALSE / FALSE 0 clean good +example.fake FALSE / FALSE 0 bad %hex[ba%07d]hex% + + +cookies +proxy + + + +# Verify data after the test has been "shot" + + +GET http://example.fake/%TESTNUMBER HTTP/1.1 +Host: example.fake +User-Agent: curl/%VERSION +Accept: */* +Proxy-Connection: Keep-Alive +Cookie: clean=good + + + +