openGauss-third_party/dependency/libcurl/CVE-2025-9086.patch-代码预览-openGauss-third_party:基于开源生态的数据库依赖编译项目 - AtomGit

hw_hbjfix CVE-2025-9086

3b2261be创建于 2025年9月16日历史提交

diff -Naur a/lib/cookie.c b/lib/cookie.c
--- a/lib/cookie.c	2025-09-16 19:32:48.543452610 +0800
+++ b/lib/cookie.c	2025-09-16 19:44:28.944036533 +0800
@@ -312,8 +312,9 @@
     return new_path;
   }
 
+  /* remove trailing slash when path is non-empty */
   /* convert /hoge/ to /hoge */
-  if(len && new_path[len - 1] == '/') {
+  if(len > 1 && new_path[len - 1] == '/') {
     new_path[len - 1] = 0x0;
   }
 
@@ -1075,7 +1076,7 @@
         if(clist->spath && co->spath) {
           if(clist->secure && !co->secure && !secure) {
             size_t cllen;
-            const char *sep;
+            const char *sep = NULL;
 
             /*
              * A non-secure cookie may not overlay an existing secure cookie.
@@ -1084,7 +1085,9 @@
              * "/loginhelper" is ok.
              */
 
-            sep = strchr(clist->spath + 1, '/');
+	    DEBUGASSERT(clist->spath[0]);
+	    if(clist->spath[0])
+              sep = strchr(clist->spath + 1, '/');
 
             if(sep)
               cllen = sep - clist->spath;