Home - Waterfall Grid T-Grid Console Builders Recent Builds Buildslaves Changesources - JSON API - About

Change #274106

Category wget
Changed by Acts1631 <acts1631kjvohnoyoudont@proton.me>
Changed at Sun 05 Jul 2026 18:20:07
Repository https://gitlab.com/gnuwget/wget.git
Project wget
Branch master
Revision b9c6ee8a17c82d0546d27d2c6851d9d144899e05

Comments

cookies.c: reject cookie instead of discarding jar entry on domain mismatch
When a Set-Cookie header specifies a domain attribute that fails
check_domain_match() against the responding host, cookie_handle_set_cookie()
set cookie->discard_requested = true but continued processing instead of
rejecting the cookie outright. Since discard_requested causes
discard_matching_cookie() to be invoked later using the attacker-supplied
(victim) domain, name, path and port, a malicious server could delete an
arbitrary cookie belonging to any other domain from wget's cookie jar,
simply by sending a Set-Cookie header naming that domain along with a
matching path/name/port.

Fix this by immediately jumping to the cleanup path (as already done for
the analogous path-mismatch case a few lines below) when the domain check
fails, so a cookie from an unauthorized domain never reaches the jar
discard/store logic.

* src/cookies.c (cookie_handle_set_cookie): Goto out.

Copyright-paperwork-exempt: Yes

Changed files