From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 11 Aug 2025 20:23:05 +0200
Subject: [PATCH] cookie: don't treat the leading slash as trailing

If there is only a leading slash in the path, keep that. Also add an
assert to make sure the path is never blank.

Reported-by: Google Big Sleep
Closes #18266

CVE: CVE-2025-9086
Upstream-Status: Backport [https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6]

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 lib/cookie.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/lib/cookie.c b/lib/cookie.c
index e287458..ac7d3de 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -312,7 +312,7 @@ static char *sanitize_cookie_path(const char *cookie_path)
   }

   /* convert /hoge/ to /hoge */
-  if(len && new_path[len - 1] == '/') {
+  if(len > 1 && new_path[len - 1] == '/') {
     new_path[len - 1] = 0x0;
   }

@@ -1078,7 +1078,7 @@ Curl_cookie_add(struct Curl_easy *data,
         if(clist->spath && co->spath) {
           if(clist->secure && !co->secure && !secure) {
             size_t cllen;
-            const char *sep;
+            const char *sep = NULL;

             /*
              * A non-secure cookie may not overlay an existing secure cookie.
@@ -1087,8 +1087,9 @@ Curl_cookie_add(struct Curl_easy *data,
              * "/loginhelper" is ok.
              */

-            sep = strchr(clist->spath + 1, '/');
-
+            DEBUGASSERT(clist->spath[0]);
+            if(clist->spath[0])
+              sep = strchr(clist->spath + 1, '/');
             if(sep)
               cllen = sep - clist->spath;
             else
--
2.40.0