From 8e8bdd36048c146fe843d8948a912fbd398d1c5d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Wed, 1 Apr 2026 08:09:47 +0200
Subject: [PATCH] cookie: fix rejection when tabs in value

A previous refactor changed the TAB check so that the octet could be accepted in the 'path', which would cause an invalid line in the saved cookie file so not possible to read the cookie back. Not terrible because the path cannot contain a raw tab anyway so it would never match anyway. Add test 1685 to verify
Reported-by: Izan on hackerone
Closes #21185
---
 lib/cookie.c | 14 +++++------
 tests/data/Makefile.am | 2 +-
 tests/data/test1685 | 57 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+), 8 deletions(-)
 create mode 100644 tests/data/test1685
diff --git a/lib/cookie.c b/lib/cookie.c
index 92f7935cca..1516d38f5b 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -461,6 +461,13 @@ parse_cookie_header(struct Curl_easy *data,
 sep = TRUE; /* a '=' was used */
 if(!curlx_str_cspn(&ptr, &val, ";\r\n"))
 curlx_str_trimblanks(&val);
+
+ /* Reject cookies with a TAB inside the value */
+ if(curlx_strlen(&val) &&
+ memchr(curlx_str(&val), '\t', curlx_strlen(&val))) {
+ infof(data, "cookie contains TAB, dropping");
+ return CURLE_OK;
+ }
 }
 else
 curlx_str_init(&val);
@@ -489,13 +496,6 @@ parse_cookie_header(struct Curl_easy *data,
 return CURLE_OK;
 }

- /* Reject cookies with a TAB inside the value */
- if(curlx_strlen(&val) &&
- memchr(curlx_str(&val), '\t', curlx_strlen(&val))) {
- infof(data, "cookie contains TAB, dropping");
- return CURLE_OK;
- }
-
 /* Check if we have a reserved prefix set. */
 if(!strncmp("__Secure-", curlx_str(&name), 9))
 co->prefix_secure = TRUE;
diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
index c080c32133..78e3f26585 100644
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
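Review bot: The comment on the check added in the first lib/cookie.c hunk, `/* Reject cookies with a TAB inside the value */`, no longer says what the check covers. It now sits directly after the `curlx_str_cspn(&ptr, &val, ";\r\n")` parse, so going by the commit message it tests `val` for whichever `name=value` pair was just read. A TAB in `path`, and presumably in any other attribute, therefore drops the whole cookie. I would state that and the reason beside the check, e.g. `/* Reject a TAB in the value of any name=value pair, attributes included: the saved cookie file is TAB-separated, so a stored TAB makes the line unreadable */`. That way a later refactor does not narrow it to the cookie value again. The body of parse_cookie_header starts and ends outside both hunks, so the surrounding pair handling is not visible here.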
@@ -225,7 +225,7 @@ test1666 test1667 test1668 \
 \
 test1670 test1671 test1672 test1673 \
 \
-test1680 test1681 test1682 test1683 test1684 \
+test1680 test1681 test1682 test1683 test1684 test1685 \
 \
 test1700 test1701 test1702 test1703 test1704 test1705 test1706 test1707 \
 test1708 test1709 test1710 test1711 test1712 test1713 test1714 test1715 \
diff --git a/tests/data/test1685 b/tests/data/test1685
new file mode 100644
index 0000000000..b98dc20643
--- /dev/null
+++ b/tests/data/test1685
@@ -0,0 +1,57 @@
+
+
+
+
+HTTP
+cookies
+
+
+
+# Server-side
+
+
+HTTP/1.0 200 OK swsclose
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Content-Type: text/html
+Set-Cookie: name=content; path=/we%TABwant
+Set-Cookie: accept=this; path=/only/this
+
+boo
+
+
+
+# Client-side
+
+
+http
+
+
+HTTP, reject cookie with tab in path
+
+
+http://%HOSTIP:%HTTPPORT/ -c %LOGDIR/jar%TESTNUMBER.txt
+
+
+
+cookies
+
+
+
+# Verify data after the test has been "shot"
+
+
+GET / HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+
+
+# Netscape HTTP Cookie File
+# https://curl.se/docs/http-cookies.html
+# This file was generated by libcurl! Edit at your own risk.
+
+127.0.0.1%TABFALSE%TAB/only/this%TABFALSE%TAB0%TABaccept%TABthis
+
+
+
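Review bot: The new test pins only the `path` case (`Set-Cookie: name=content; path=/we%TABwant`), while the check this commit relocates in lib/cookie.c is written against the value of whichever `name=value` pair was parsed. The commit message says an earlier refactor already changed what the check covered. If no existing test covers it, a further `Set-Cookie` line with `%TAB` inside the cookie value itself would catch the original case regressing the next time the check moves. The expected jar would not change, since only the `accept` cookie should be saved.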