Change #271226
| Category | curl |
| Changed by | Dave Walker <dave@daviey.com> |
| Changed at | Mon 15 Jun 2026 22:30:14 |
| Repository | https://github.com/curl/curl.git |
| Project | curl |
| Branch | master |
| Revision | b9702f8c487135695ee07a69a24d85e4f7eba40e |
Comments
cookie: use origin scheme for secure context check

`Curl_secure_context()` checked `conn->scheme` to determine if Secure cookies may be sent. Since 73daec6, `conn->scheme` is set to the proxy's scheme when using an HTTPS forwarding proxy, causing the function to return TRUE for HTTP origins. This leaked Secure cookies over the plaintext connection between proxy and origin.

Use `data->state.origin->scheme` instead, which always reflects the origin's scheme regardless of proxy configuration.

Not an approved vulnerability because the regression was introduced after the last release and is not present in any released version.

Verified by test 3401

Follow-up to 73daec6620bf9983df89e8df3660bfa3b8fd501d
Reported-by: daviey on hackerone
URL: https://hackerone.com/reports/3803415
Closes #22024
Changed files
- lib/cookie.c
- lib/cookie.h
- lib/http.c
- tests/data/Makefile.am
- tests/data/test3401
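
The regression described in the commit message above, reduced to a stand-alone C model. This is an added example, not curl's code: the struct, function and cookie names are hypothetical, the sample data is constructed, and only the scheme comparison the message describes is modelled.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of one transfer (hypothetical, not curl's structs). */
struct transfer {
  const char *conn_scheme;   /* scheme of the connection that was opened;
                                the proxy's scheme behind an HTTPS proxy */
  const char *origin_scheme; /* scheme of the URL actually requested */
};

struct cookie {
  const char *name;
  bool secure;               /* cookie carries the Secure attribute */
};

/* Behaviour before the fix: the connection's scheme decides. */
bool secure_context_conn(const struct transfer *t)
{
  return strcmp(t->conn_scheme, "https") == 0;
}

/* Behaviour after the fix: only the origin's scheme decides. */
bool secure_context_origin(const struct transfer *t)
{
  return strcmp(t->origin_scheme, "https") == 0;
}

/* Count the cookies that would be attached under a given check. */
int cookies_sent(const struct transfer *t, const struct cookie *jar, int n,
                 bool (*secure_ctx)(const struct transfer *))
{
  int sent = 0;
  for(int i = 0; i < n; i++)
    if(!jar[i].secure || secure_ctx(t))
      sent++;
  return sent;
}

/* Constructed sample data: one Secure cookie, one ordinary cookie. */
const struct cookie jar[] = { { "session", true }, { "theme", false } };
const struct transfer via_https_proxy = { "https", "http" };
const struct transfer direct_https = { "https", "https" };
const struct transfer direct_http = { "http", "http" };

int main(void)
{
  printf("HTTP origin via HTTPS proxy, conn check:   %d cookies\n",
         cookies_sent(&via_https_proxy, jar, 2, secure_context_conn));
  printf("HTTP origin via HTTPS proxy, origin check: %d cookies\n",
         cookies_sent(&via_https_proxy, jar, 2, secure_context_origin));
  return 0;
}
```

The two checks agree on direct connections and differ only when the proxy's scheme and the origin's scheme are not the same, which is the case a regression test for this fix needs to cover.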