Commit 4215b8a2 authored by Mathieu Bridon's avatar Mathieu Bridon Committed by Michael Catanzaro

libsoup: Fix CVE-2018-12910

libsoup#3
parent a9810343
From db2b0d5809d5f8226d47312b40992cadbcde439f Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@igalia.com>
Date: Sun, 24 Jun 2018 19:46:19 -0500
Subject: [PATCH] cookie-jar: bail if hostname is an empty string
There are several other ways to fix the problem with this function, but
skipping over all of the code is probably the simplest.
Fixes #3
---
libsoup/soup-cookie-jar.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsoup/soup-cookie-jar.c b/libsoup/soup-cookie-jar.c
index 2369c8a..b2b7890 100644
--- a/libsoup/soup-cookie-jar.c
+++ b/libsoup/soup-cookie-jar.c
@@ -307,7 +307,7 @@ get_cookies (SoupCookieJar *jar, SoupURI *uri, gboolean for_http, gboolean copy_
priv = soup_cookie_jar_get_instance_private (jar);
- if (!uri->host)
+ if (!uri->host || !uri->host[0])
return NULL;
/* The logic here is a little weird, but the plan is that if
--
2.17.1
......@@ -144,6 +144,10 @@
"type": "archive",
"url": "https://download.gnome.org/sources/libsoup/2.60/libsoup-2.60.3.tar.xz",
"sha256": "1b0dc762f23abe4e0d29b77370e539fd35f31d8e8e0318d6ddccff395be68a22"
},
{
"type": "patch",
"path": "0001-cookie-jar-bail-if-hostname-is-an-empty-string.patch"
}
]
},
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment