urldata: move cookiehost to struct SingleRequest #21312
Closed
bagder wants to merge 4 commits into
To make it scoped for the single request appropriately.

Reported-by: Muhamad Arga Reksapati

Verify with libtest 2504: a custom Host *disabled* on reused handle

Pull request overview
This PR addresses a cookie/Host header scoping issue by moving cookiehost from UrlState to SingleRequest, and adds a regression test to ensure a custom Host: value does not persist across reused easy handles.
Changes:
- Move `cookiehost` storage to `struct SingleRequest` and update HTTP cookie/Set-Cookie logic to use it.
- Update cleanup/reset paths to free request-scoped `cookiehost`.
- Add libtest + test case `2504` to validate behavior when reusing a handle after removing a custom `Host:` header.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| lib/urldata.h | Removes cookiehost from UrlState allocated pointer set. |
| lib/request.h | Adds cookiehost to struct SingleRequest. |
| lib/request.c | Frees req->cookiehost during hard reset. |
| lib/http.c | Stores/uses data->req.cookiehost for cookie host decisions. |
| lib/url.c | Updates easy-handle close cleanup to free data->req.cookiehost. |
| tests/libtest/lib2504.c | New libtest exercising handle reuse with/without custom Host:. |
| tests/libtest/Makefile.inc | Registers lib2504.c in the libtest build. |
| tests/data/test2504 | New test definition verifying request headers across two performs. |
| tests/data/Makefile.am | Registers test2504 in the test suite. |
cb5b2b8 to 04bffc4
icanhasmath pushed a commit to ActiveState/curl that referenced this pull request May 29, 2026

To make it scoped for the single request appropriately.

Reported-by: Muhamad Arga Reksapati
Closes curl#21312

(cherry picked from commit 3a19987)

Backport to 8.17.0 to address CVE-2026-6276 (a custom Host: header set on a first request was stored in the persistent state.aptr.cookiehost; a second request on the same easy handle without the custom Host: header would then reuse that stale value and send cookies meant for the first host).

The fix moves cookiehost from the persistent struct UrlState aptr to the per-request struct SingleRequest (data->req), which is reset for each request, and clears it at the top of http_set_aptr_host() before it may be set again.

Adapted to 8.17.0: curlx_safefree()/curlx_free() replaced with Curl_safefree()/free(); the cookiehost free was added to Curl_req_hard_reset() (8.17.0 has no req->proxyuserpwd anchor).

Test 2504 omitted (newer libtest infrastructure).
outcast36 pushed a commit to greearb/curl that referenced this pull request Jun 3, 2026

To make it scoped for the single request appropriately.

Reported-by: Muhamad Arga Reksapati

Verify with libtest 2504: a custom Host *disabled* on reused handle

Closes curl#21312
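
The stale-value reuse described in the backport commit message above, as an added example in C that is not curl's code and not part of this pull request. It is a simplified model: `struct handle`, `send_before`, `send_after`, the cookie jar and the host names are all hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not curl source: every name here is hypothetical. */
struct handle {
  char state_cookiehost[64]; /* persistent, like the old state.aptr.cookiehost */
  char req_cookiehost[64];   /* request-scoped, like data->req.cookiehost */
};
struct cookie { const char *domain, *value; };
static const struct cookie jar[] = { /* constructed sample jar */
  { "custom.example", "sid=AAA" }, { "origin.example", "sid=BBB" } };

static const char *cookie_for(const char *host)
{
  for(size_t i = 0; i < sizeof(jar) / sizeof(jar[0]); i++)
    if(!strcmp(jar[i].domain, host))
      return jar[i].value;
  return "";
}

/* Old behaviour: the field is written only when a custom Host: is present,
   so a later request without one still sees the earlier value. */
static const char *send_before(struct handle *h, const char *custom,
                               const char *url_host)
{
  if(custom)
    snprintf(h->state_cookiehost, sizeof(h->state_cookiehost), "%s", custom);
  return cookie_for(h->state_cookiehost[0] ? h->state_cookiehost : url_host);
}

/* Fixed behaviour: cleared at the start of every request, set again if needed. */
static const char *send_after(struct handle *h, const char *custom,
                              const char *url_host)
{
  h->req_cookiehost[0] = '\0';
  if(custom)
    snprintf(h->req_cookiehost, sizeof(h->req_cookiehost), "%s", custom);
  return cookie_for(h->req_cookiehost[0] ? h->req_cookiehost : url_host);
}

int main(void)
{
  struct handle h = { "", "" };
  /* request 1 carries a custom Host:, request 2 on the same handle does not */
  send_before(&h, "custom.example", "origin.example");
  printf("before fix: %s\n", send_before(&h, NULL, "origin.example"));
  send_after(&h, "custom.example", "origin.example");
  printf("after fix:  %s\n", send_after(&h, NULL, "origin.example"));
  return 0;
}
```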