Hello libwww-perl community, I have found and patched two small security bugs in the current version of HTTP::Cookies, v1.39. I'm writing here because the README suggested reporting bugs to this list.
Fix 1: Cross-host cookie leakage could occur when using IP addresses as the domain-name component of URLs. If a cookie hostname is an IP address, the add_cookie_header() method will search for possible cookies to be sent from the cookie "jar" by ascending through each octet of the IP address as though it were a domain name. For example, cookies for host 10.0.10.10 would also be sent to host 10.1.10.10. This was solved by ensuring that a numeric domain name will not be ascended; also, a suitable LWP::Debug message is printed when this occurs.

Fix 2: The add_cookie_header() method strips a domain name all the way to its top-level domain (TLD) when searching for domain name matches in the cookie jar. Searching beyond the second-level domain would cause, for example, stored cookies with hostname .com to be sent to all hosts within that TLD. This was solved by ensuring each candidate domain name contains a dot surrounded on both sides by another character. For example, this would allow "example.com" and ".example.com", but disallow ".com", from being looked for within the cookie jar. Unqualified domain names (e.g., "example") are allowed due to the existing code appending ".local" to such names before the jar search begins.

I have attached a small patch file for the benefit of the Perl community, which the maintainer of HTTP::Cookies may, if he is so inclined, consider including in its next release. Where needed, this patch should be attributed to "Ted Behling of Hargray Communications".

Ted Behling
ISP Systems Analyst
Hargray Communications
[EMAIL PROTECTED]
HTTP_Cookies_1.39-security_fixes.diff
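As an added illustration of the two searches the message describes (this is not the attached patch and not HTTP::Cookies' own code), the following Python models a cookie-jar domain walk in its unpatched and patched forms. The alternating label-and-dot stripping, the use of `ipaddress` to decide what counts as a numeric host, and the jar contents are all assumptions made for the example; the "a dot with a character on both sides" rule and the ".local" suffix follow the message.

```python
import ipaddress
import re

# A candidate domain must contain a dot with a non-dot character on each side,
# so "example.com" and ".example.com" pass while ".com" and ".local" do not.
_QUALIFIED = re.compile(r"[^.]\.[^.]")


def is_numeric_host(host):
    """True for an IP-address literal (assumption: decided with ipaddress)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def candidate_domains(host, patched):
    """Return the jar keys a request to `host` would be matched against.

    Unpatched: walk up the name, alternately dropping the leading label and
    the leading dot, until no dot is left (so ".com" and ".10" are tried).
    Patched: never ascend a numeric host, and stop at the first candidate
    that has no dot surrounded by characters (so ".com" is never tried).
    """
    host = host.lower()
    if "." not in host:
        host += ".local"          # unqualified names get ".local" first
    if patched and is_numeric_host(host):
        return [host]             # exact match only for IP literals
    candidates = []
    domain = host
    while "." in domain:
        if patched and not _QUALIFIED.search(domain):
            break
        candidates.append(domain)
        if domain.startswith("."):
            domain = domain.lstrip(".")            # ".b.c.net" -> "b.c.net"
        else:
            domain = domain[domain.index("."):]    # "a.b.c.net" -> ".b.c.net"
    return candidates


def cookies_to_send(jar, host, patched):
    """Collect cookie names from `jar` (domain -> [names]) for a request to host."""
    found = []
    for domain in candidate_domains(host, patched):
        found.extend(jar.get(domain, []))
    return found


# Constructed jar for the example: the domains are chosen to show the leaks.
JAR = {
    "10.0.10.10": ["ipexact"],     # host-only cookie for one address
    ".10.10": ["ipwide"],          # overly broad numeric domain
    ".example.com": ["sid"],
    "example.com": ["nsonly"],     # Netscape-style host-only entry
    ".com": ["tldwide"],           # a whole-TLD domain that should never match
}

if __name__ == "__main__":
    for host in ("10.1.10.10", "www.example.com", "intranet"):
        for patched in (False, True):
            print(host, "patched" if patched else "unpatched",
                  candidate_domains(host, patched),
                  cookies_to_send(JAR, host, patched))
```

Running it shows that before the fix a request to 10.1.10.10 picks up the ".10.10" entry and a request to www.example.com picks up the ".com" entry, while after the fix neither crosses into another host's cookies.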