curl/tests
Dave Walker b9702f8c48
cookie: use origin scheme for secure context check
`Curl_secure_context()` checked `conn->scheme` to determine if Secure
cookies may be sent. Since 73daec6, `conn->scheme` is set to the proxy's
scheme when using an HTTPS forwarding proxy, causing the function to
return TRUE for HTTP origins. This leaked Secure cookies over the
plaintext connection between proxy and origin.

Use `data->state.origin->scheme` instead, which always reflects the
origin's scheme regardless of proxy configuration.

Not an approved vulnerability because the regression was introduced
after the last release and is not present in any released version.

Verified by test 3401

Follow-up to 73daec6620
Reported-by: daviey on hackerone
URL: https://hackerone.com/reports/3803415
Closes #22024
2026-06-15 22:30:14 +02:00
certs tidy-up: miscellaneous 2026-06-01 22:33:57 +02:00
cmake cmake: add CMake Config-based dependency detection 2026-03-21 18:52:31 +01:00
data cookie: use origin scheme for secure context check 2026-06-15 22:30:14 +02:00
http lib: transfer origin and proxy handling 2026-06-12 23:52:00 +02:00
libtest curl_formdata: fix to pass long where missing, document CURLFORM_NAMELENGTH 2026-06-15 16:57:21 +02:00
server servers: silence -Wunused-result with pragma 2026-06-15 22:04:39 +02:00
tunit build: enable -Wformat-signedness, fix issues found 2026-06-10 15:14:08 +02:00
unit cf-capsule: complete filter 2026-06-15 15:42:22 +02:00
.gitignore build: stop building and installing runtests.1 and testcurl.1 2026-04-28 09:07:27 +02:00
allversions.pm tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
appveyor.pm perl: switch from backticks to qx() 2026-06-14 14:25:02 +02:00
azure.pm perl: switch from backticks to qx() 2026-06-14 14:25:02 +02:00
CMakeLists.txt cmake: add basic way to select pytests to run 2026-06-01 15:07:17 +02:00
config.in
configurehelp.pm.in
devtest.pl perl: switch from backticks to qx() 2026-06-14 14:25:02 +02:00
dictserver.py tests: make whitespace between functions and classes consistent 2026-04-08 10:28:05 -07:00
directories.pm tidy-up: miscellaneous 2025-12-12 04:18:48 +01:00
ech_combos.py tidy-up: add space around operators, where missing 2026-05-28 10:12:00 +02:00
ech_tests.sh tidy-up: miscellaneous 2026-06-14 20:10:28 +02:00
ftpserver.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
getpart.pm tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
globalconfig.pm tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
http-server.pl tidy-up: miscellaneous 2026-06-01 22:33:57 +02:00
http2-server.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
http3-server.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
Makefile.am tidy-up: miscellaneous 2026-01-15 13:06:13 +01:00
memanalyze.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
memanalyzer.pm tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
negtelnetserver.py tidy-up: miscellaneous 2026-06-01 22:33:57 +02:00
nghttpx.conf
pathhelp.pm tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
processhelp.pm tidy-up: miscellaneous 2026-06-14 20:10:28 +02:00
requirements.txt GHA: bump actions and pips 2026-05-01 21:19:22 +02:00
rtspserver.pl tidy-up: miscellaneous 2026-06-01 22:33:57 +02:00
runner.pm tidy-up: miscellaneous 2026-06-14 20:10:28 +02:00
runtests.pl tidy-up: miscellaneous 2026-06-14 20:10:28 +02:00
secureserver.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
serverhelp.pm tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
servers.pm perl: switch from backticks to qx() 2026-06-14 14:25:02 +02:00
smbserver.py tidy-up: miscellaneous 2026-06-11 19:48:07 +02:00
sshhelp.pm perl: switch from backticks to qx() 2026-06-14 14:25:02 +02:00
sshserver.pl perl: switch from backticks to qx() 2026-06-14 14:25:02 +02:00
test745.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
test971.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
test1119.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
test1135.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
test1139.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
test1140.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
test1165.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
test1167.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
test1173.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
test1175.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
test1177.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
test1222.pl tidy-up: miscellaneous 2026-06-14 20:10:28 +02:00
test1275.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
test1276.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
test1477.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
test1486.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
test1488.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
test1544.pl tidy-up: add spaces around equal operators where missing 2026-06-11 19:52:01 +02:00
test1707.pl perl: harden external command invocations 2026-03-26 14:20:07 +01:00
testcurl.pl perl: switch from backticks to qx() 2026-06-14 14:25:02 +02:00
testutil.pm tidy-up: miscellaneous 2026-06-14 20:10:28 +02:00
tftpserver.pl tidy-up: miscellaneous 2026-06-01 22:33:57 +02:00
util.py tests: make whitespace between functions and classes consistent 2026-04-08 10:28:05 -07:00
valgrind.pm scripts: drop redundant double-quotes: "$var" -> $var (Perl) 2026-03-21 13:21:06 +01:00
valgrind.supp