Change #274106
| Category | wget |
| Changed by | Acts1631 <acts1631kjv@proton.me> |
| Changed at | Sun 05 Jul 2026 18:20:07 |
| Repository | https://gitlab.com/gnuwget/wget.git |
| Project | wget |
| Branch | master |
| Revision | b9c6ee8a17c82d0546d27d2c6851d9d144899e05 |
Comments
cookies.c: reject cookie instead of discarding jar entry on domain mismatch When a Set-Cookie header specifies a domain attribute that fails check_domain_match() against the responding host, cookie_handle_set_cookie() set cookie->discard_requested = true but continued processing instead of rejecting the cookie outright. Since discard_requested causes discard_matching_cookie() to be invoked later using the attacker-supplied (victim) domain, name, path and port, a malicious server could delete an arbitrary cookie belonging to any other domain from wget's cookie jar, simply by sending a Set-Cookie header naming that domain along with a matching path/name/port. Fix this by immediately jumping to the cleanup path (as already done for the analogous path-mismatch case a few lines below) when the domain check fails, so a cookie from an unauthorized domain never reaches the jar discard/store logic. * src/cookies.c (cookie_handle_set_cookie): Goto out. Copyright-paperwork-exempt: Yes
Changed files
- src/cookies.c