cookie: fix rejection when tabs in value

A previous refactor changed the TAB check so that the octet could be accepted in the 'path', which would cause an invalid line in the saved cookie file so not possible to read the cookie back. Not terrible because the path cannot contain a raw tab anyway so it would never match anyway. Add test 1685 to verify Reported-by: Izan on hackerone Closes #21185
2026-04-11 12:01:42 +08:00 · 2026-04-01 08:09:47 +02:00 · 2026-04-01 08:09:47 +02:00 · 8e8bdd3604
commit 8e8bdd3604
parent 46d107d0e7
3 changed files with 65 additions and 8 deletions
--- a/lib/cookie.c
+++ b/lib/cookie.c
@ -461,6 +461,13 @@ parse_cookie_header(struct Curl_easy *data,
        sep = TRUE; /* a '=' was used */
        if(!curlx_str_cspn(&ptr, &val, ";\r\n"))
          curlx_str_trimblanks(&val);
+
+        /* Reject cookies with a TAB inside the value */
+        if(curlx_strlen(&val) &&
+           memchr(curlx_str(&val), '\t', curlx_strlen(&val))) {
+          infof(data, "cookie contains TAB, dropping");
+          return CURLE_OK;
+        }
      }
      else
        curlx_str_init(&val);
@ -489,13 +496,6 @@ parse_cookie_header(struct Curl_easy *data,
          return CURLE_OK;
        }

-        /* Reject cookies with a TAB inside the value */
-        if(curlx_strlen(&val) &&
-           memchr(curlx_str(&val), '\t', curlx_strlen(&val))) {
-          infof(data, "cookie contains TAB, dropping");
-          return CURLE_OK;
-        }
-
        /* Check if we have a reserved prefix set. */
        if(!strncmp("__Secure-", curlx_str(&name), 9))
          co->prefix_secure = TRUE;
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@ -225,7 +225,7 @@ test1666 test1667 test1668 \
 \
 test1670 test1671 test1672 test1673 \
 \
-test1680 test1681 test1682 test1683 test1684 \
+test1680 test1681 test1682 test1683 test1684 test1685 \
 \
 test1700 test1701 test1702 test1703 test1704 test1705 test1706 test1707 \
 test1708 test1709 test1710 test1711 test1712 test1713 test1714 test1715 \
--- a/tests/data/test1685
+++ b/tests/data/test1685
@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<testcase>
+<info>
+<keywords>
+HTTP
+cookies
+</keywords>
+</info>
+
+# Server-side
+<reply>
+<data crlf="headers">
+HTTP/1.0 200 OK swsclose
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Content-Type: text/html
+Set-Cookie: name=content; path=/we%TABwant
+Set-Cookie: accept=this; path=/only/this
+
+boo
+</data>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+<name>
+HTTP, reject cookie with tab in path
+</name>
+<command>
+http://%HOSTIP:%HTTPPORT/ -c %LOGDIR/jar%TESTNUMBER.txt
+</command>
+
+<features>
+cookies
+</features>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<protocol crlf="headers">
+GET / HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+</protocol>
+<file name="%LOGDIR/jar%TESTNUMBER.txt" mode="text">
+# Netscape HTTP Cookie File
+# https://curl.se/docs/http-cookies.html
+# This file was generated by libcurl! Edit at your own risk.
+
+127.0.0.1%TABFALSE%TAB/only/this%TABFALSE%TAB0%TABaccept%TABthis
+</file>
+</verify>
+</testcase>