mirror of
https://github.com/curl/curl.git
synced 2026-06-18 18:55:39 +03:00
b9702f8c48
`Curl_secure_context()` checked `conn->scheme` to determine if Secure cookies may be sent. Since73daec6, `conn->scheme` is set to the proxy's scheme when using an HTTPS forwarding proxy, causing the function to return TRUE for HTTP origins. This leaked Secure cookies over the plaintext connection between proxy and origin. Use `data->state.origin->scheme` instead, which always reflects the origin's scheme regardless of proxy configuration. Not an approved vulnerability because the regression was introduced after the last release and is not present in any released version. Verified by test 3401 Follow-up to73daec6620Reported-by: daviey on hackerone URL: https://hackerone.com/reports/3803415 Closes #22024
55 lines
907 B
XML
55 lines
907 B
XML
<?xml version="1.0" encoding="US-ASCII"?>
|
|
<testcase>
|
|
<info>
|
|
<keywords>
|
|
HTTP
|
|
HTTPS proxy
|
|
cookies
|
|
Secure
|
|
</keywords>
|
|
</info>
|
|
|
|
# Server-side
|
|
<reply>
|
|
<data crlf="headers">
|
|
HTTP/1.1 200 OK
|
|
Content-Length: 4
|
|
|
|
foo
|
|
</data>
|
|
</reply>
|
|
|
|
# Client-side
|
|
<client>
|
|
<server>
|
|
http
|
|
https-proxy
|
|
</server>
|
|
<features>
|
|
HTTPS-proxy
|
|
cookies
|
|
</features>
|
|
<name>
|
|
HTTP via HTTPS proxy does not send Secure cookies
|
|
</name>
|
|
<command>
|
|
-x https://%HOSTIP:%HTTPSPROXYPORT --proxy-insecure -b %LOGDIR/jar%TESTNUMBER.txt http://test.example/%TESTNUMBER
|
|
</command>
|
|
<file name="%LOGDIR/jar%TESTNUMBER.txt">
|
|
# Netscape HTTP Cookie File
|
|
test.example FALSE / TRUE 9999999999 session secret
|
|
</file>
|
|
</client>
|
|
|
|
# Verify data after the test has been "shot"
|
|
<verify>
|
|
<proxy crlf="headers">
|
|
GET http://test.example/%TESTNUMBER HTTP/1.1
|
|
Host: test.example
|
|
User-Agent: curl/%VERSION
|
|
Accept: */*
|
|
Proxy-Connection: Keep-Alive
|
|
|
|
</proxy>
|
|
</verify>
|
|
</testcase>
|