From 71e17cb15bdddf1a2c8e209446b4e353be246ddd Mon Sep 17 00:00:00 2001
From: frosty
Date: Tue, 10 Mar 2026 01:30:21 -0400
Subject: fix: path traversal and cookie buffer issues
---
 src/http.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)
(limited to 'src/http.c')
diff --git a/src/http.c b/src/http.c
index 349f66f..3f6294d 100644
--- a/src/http.c
+++ b/src/http.c
@@ -19,27 +19,32 @@ static void build_cookie_headers(char *cookie_headers_buffer,
 cookies_to_set[i].value);
 if (strlen(cookies_to_set[i].expires) > 0) {
- strcat(single_cookie_header, "; Expires=");
- strcat(single_cookie_header, cookies_to_set[i].expires);
+ strncat(single_cookie_header, "; Expires=", sizeof(single_cookie_header) - strlen(single_cookie_header) - 1);
+ strncat(single_cookie_header, cookies_to_set[i].expires, sizeof(single_cookie_header) - strlen(single_cookie_header) - 1);
 }
 if (strlen(cookies_to_set[i].path) > 0) {
- strcat(single_cookie_header, "; Path=");
- strcat(single_cookie_header, cookies_to_set[i].path);
+ strncat(single_cookie_header, "; Path=", sizeof(single_cookie_header) - strlen(single_cookie_header) - 1);
+ strncat(single_cookie_header, cookies_to_set[i].path, sizeof(single_cookie_header) - strlen(single_cookie_header) - 1);
 }
 if (cookies_to_set[i].http_only) {
- strcat(single_cookie_header, "; HttpOnly");
+ strncat(single_cookie_header, "; HttpOnly", sizeof(single_cookie_header) - strlen(single_cookie_header) - 1);
 }
 if (cookies_to_set[i].secure) {
- strcat(single_cookie_header, "; Secure");
+ strncat(single_cookie_header, "; Secure", sizeof(single_cookie_header) - strlen(single_cookie_header) - 1);
 }
- strcat(single_cookie_header, "\r\n");
+ strncat(single_cookie_header, "\r\n", sizeof(single_cookie_header) - strlen(single_cookie_header) - 1);
- strncat(cookie_headers_buffer, single_cookie_header,
- buffer_size - strlen(cookie_headers_buffer) - 1);
+ if (strlen(cookie_headers_buffer) + strlen(single_cookie_header) < buffer_size) {
+ strncat(cookie_headers_buffer, single_cookie_header,
+ buffer_size - strlen(cookie_headers_buffer) - 1);
+ } else {
+ fprintf(stderr, "[WARNING] build_cookie_headers: Cookie headers buffer full, truncating\n");
+ break;
+ }
 }
 }
--
cgit v1.2.3
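Review bot: The `strncat` chain on `single_cookie_header` truncates silently, so an over-long cookie can still be appended without its `; HttpOnly` / `; Secure` attributes or without the closing `\r\n`, in which case the next `Set-Cookie` line is glued onto it in `cookie_headers_buffer`. The overflow is closed, but a cookie sent without its security attributes is worse than a cookie not sent, so the per-cookie buffer should detect truncation and skip that cookie; the fence below does this with a single checked `snprintf` in place of the seven `strncat` calls. It relies, as the hunk already does, on `single_cookie_header` being an array so that `sizeof` gives its capacity; its declaration, the initial name/value write and the start of `build_cookie_headers` are outside the hunk and should be confirmed. The new warning also says "truncating" although the `break` drops this cookie and every later one, so the message should say that instead.

```c
// … unchanged: initial write of the cookie name and value into single_cookie_header …
size_t used = strlen(single_cookie_header);
int n = snprintf(single_cookie_header + used,
                 sizeof(single_cookie_header) - used,
                 "%s%s%s%s%s%s\r\n",
                 cookies_to_set[i].expires[0] ? "; Expires=" : "",
                 cookies_to_set[i].expires,
                 cookies_to_set[i].path[0] ? "; Path=" : "",
                 cookies_to_set[i].path,
                 cookies_to_set[i].http_only ? "; HttpOnly" : "",
                 cookies_to_set[i].secure ? "; Secure" : "");
if (n < 0 || (size_t)n >= sizeof(single_cookie_header) - used) {
    /* Never emit a header that lost its attributes or its CRLF. */
    fprintf(stderr, "[WARNING] build_cookie_headers: cookie header too long, skipping cookie\n");
    continue;
}
// … unchanged: size check and append to cookie_headers_buffer …
```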