Backport: reject set-cookie domain that doesn't match the request host

hyperxpro · hyperxpro · commit a08bb95cb092 · 2026-06-15T17:32:18.000Z
diff --git a/client/src/main/java/org/asynchttpclient/cookie/ThreadSafeCookieStore.java b/client/src/main/java/org/asynchttpclient/cookie/ThreadSafeCookieStore.java
@@ -154,6 +154,11 @@ private boolean hasCookieExpired(Cookie cookie, long whenCreated) {
       return false;
   }
 
+  // rfc6265#section-5.1.3
+  private boolean domainsMatch(String cookieDomain, String requestDomain) {
+    return requestDomain.equals(cookieDomain) || requestDomain.endsWith('.' + cookieDomain);
+  }
+
   // rfc6265#section-5.1.4
   private boolean pathsMatch(String cookiePath, String requestPath) {
     return Objects.equals(cookiePath, requestPath) ||
@@ -164,6 +169,14 @@ private void add(String requestDomain, String requestPath, Cookie cookie) {
     AbstractMap.SimpleEntry<String, Boolean> pair = cookieDomain(cookie.domain(), requestDomain);
     String keyDomain = pair.getKey();
     boolean hostOnly = pair.getValue();
+
+    // rfc6265#section-5.3 step 6: ignore a cookie whose Domain attribute is not
+    // domain-matched by the request host, otherwise a host can plant cookies for
+    // unrelated domains (cookie tossing).
+    if (!hostOnly && !domainsMatch(keyDomain, requestDomain)) {
+      return;
+    }
+
     String keyPath = cookiePath(cookie.path(), requestPath);
     CookieKey key = new CookieKey(cookie.name().toLowerCase(), keyPath);
 
diff --git a/client/src/test/java/org/asynchttpclient/CookieStoreTest.java b/client/src/test/java/org/asynchttpclient/CookieStoreTest.java
@@ -55,6 +55,7 @@ public void tearDownGlobal() {
   public void runAllSequentiallyBecauseNotThreadSafe() throws Exception {
     addCookieWithEmptyPath();
     dontReturnCookieForAnotherDomain();
+    dontStoreCookieForUnrelatedDomainAttribute();
     returnCookieWhenItWasSetOnSamePath();
     returnCookieWhenItWasSetOnParentPath();
     dontReturnCookieWhenDomainMatchesButPathIsDifferent();
@@ -93,6 +94,14 @@ private void addCookieWithEmptyPath() {
     assertTrue(store.get(uri).size() > 0);
   }
 
+  // rfc6265#section-5.3 step 6: a host must not be able to set a cookie for an unrelated domain
+  private void dontStoreCookieForUnrelatedDomainAttribute() {
+    CookieStore store = new ThreadSafeCookieStore();
+    store.add(Uri.create("http://www.evil.com/"), ClientCookieDecoder.LAX.decode("SID=attacker; Domain=victim.com"));
+    assertTrue(store.get(Uri.create("https://victim.com/account")).isEmpty());
+    assertTrue(store.getAll().isEmpty());
+  }
+
   private void dontReturnCookieForAnotherDomain() {
     CookieStore store = new ThreadSafeCookieStore();
     store.add(Uri.create("http://www.foo.com"), ClientCookieDecoder.LAX.decode("ALPHA=VALUE1; path="));
