From 9e1a427d2f047439d0320defe1593e6352595788 Mon Sep 17 00:00:00 2001
From: Alynx Zhou
Date: Sat, 11 Oct 2025 15:52:47 +0800
Subject: [PATCH] cookies: Avoid expires attribute if date is invalid

According to CVE-2025-11021, we may get invalid on processing date string with timezone offset, this commit will ignore it.

Closes #459
---
 libsoup/cookies/soup-cookie.c | 9 +++++----
 libsoup/soup-date-utils.c | 3 +++
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/libsoup/cookies/soup-cookie.c b/libsoup/cookies/soup-cookie.c
index ba949239..df446e40 100644
--- a/libsoup/cookies/soup-cookie.c
+++ b/libsoup/cookies/soup-cookie.c
@@ -758,12 +758,13 @@ serialize_cookie (SoupCookie *cookie, GString *header, gboolean set_cookie)
 if (cookie->expires) {
 char *timestamp;
-
- g_string_append (header, "; expires=");
 timestamp = soup_date_time_to_string (cookie->expires, SOUP_DATE_COOKIE);
- g_string_append (header, timestamp);
- g_free (timestamp);
+ if (timestamp) {
+ g_string_append (header, "; expires=");
+ g_string_append (header, timestamp);
+ g_free (timestamp);
+ }
 }
 if (cookie->path) {
 g_string_append (header, "; path=");
diff --git a/libsoup/soup-date-utils.c b/libsoup/soup-date-utils.c
index 73f80ab6..71160e73 100644
--- a/libsoup/soup-date-utils.c
+++ b/libsoup/soup-date-utils.c
@@ -95,6 +95,9 @@ soup_date_time_to_string (GDateTime *date,
 char *date_format;
 char *formatted_date;
+ if (!utcdate)
+ return NULL;
+
 // We insert days/months ourselves to avoid locale specific formatting
 if (format == SOUP_DATE_HTTP) {
 /* "Sun, 06 Nov 1994 08:49:37 GMT" */
--
GitLab
From 51665d6b87c6a0084d5acb7aeeefc591c66dc2cd Mon Sep 17 00:00:00 2001
From: Michael Catanzaro
Date: Wed, 15 Oct 2025 14:38:28 -0500
Subject: [PATCH 1/2] server: null-check soup_date_time_to_string()

Since 9e1a427d2f047439d0320defe1593e6352595788 this function can now fail.
---
 libsoup/server/soup-server.c | 5 +++++
 1 file changed, 5 insertions(+)
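Review bot: When `soup_date_time_to_string()` returns NULL, the new `if (timestamp)` branch in serialize_cookie drops the `expires` attribute without any trace, so a cookie that carried an expiry is written out as if it were a session cookie. That changes the cookie's lifetime for whoever receives the header, and nothing in the code says the drop is deliberate. I would add a comment above the check, `/* NULL means the expiry cannot be represented in UTC; omit the attribute rather than emit a malformed one */`, and consider a `g_debug ()` call in the failure case so the drop can be seen when diagnosing. serialize_cookie starts and ends outside the hunk, so whether a max-age attribute is written as well is not visible here.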
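Review bot: The added `if (!utcdate) return NULL;` makes NULL an ordinary return value of soup_date_time_to_string(), but nothing visible in the hunk tells callers so. The function's doc comment is outside the hunk; if it does not already say it, the return line should read along the lines of `Returns: (transfer full) (nullable): @date as a string, or %NULL if @date cannot be converted to UTC`. Any caller that passes the result straight to a string or header function needs the same NULL check this series adds to serialize_cookie and got_headers; callers outside these patches are not visible here and should be audited. The assignment of `utcdate` is also above the hunk, so this assumes it comes from a UTC conversion that can fail.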
diff --git a/libsoup/server/soup-server.c b/libsoup/server/soup-server.c
index ba2f2b0b..6b5ab21e 100644
--- a/libsoup/server/soup-server.c
+++ b/libsoup/server/soup-server.c
@@ -852,6 +852,11 @@ got_headers (SoupServer *server,
 date = g_date_time_new_now_utc ();
 date_string = soup_date_time_to_string (date, SOUP_DATE_HTTP);
+ if (!date_string) {
+ g_date_time_unref (date);
+ return;
+ }
+
 soup_message_headers_replace_common (headers, SOUP_HEADER_DATE, date_string);
 g_free (date_string);
 g_date_time_unref (date);
--
GitLab
From cc1d4389ffd1b70f7eaee3cecfa66664aff2a5ef Mon Sep 17 00:00:00 2001
From: Michael Catanzaro
Date: Wed, 15 Oct 2025 16:56:46 -0500
Subject: [PATCH 2/2] cookies-test: add test for invalid timezone

Note this test does NOT currently fail because it was already previously fixed by 8988379984e33dcc7d3aa58551db13e48755959f.
---
 tests/cookies-test.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/tests/cookies-test.c b/tests/cookies-test.c
index 18c9b60d..27cf6d9b 100644
--- a/tests/cookies-test.c
+++ b/tests/cookies-test.c
@@ -470,6 +470,16 @@ do_cookies_parsing_int32_overflow (void)
 soup_cookie_free (cookie);
 }
+static void
+do_cookies_parsing_invalid_timezone (void)
+{
+ SoupCookie *cookie = soup_cookie_parse ("NAME=VALUE;expires=Mon, 31 Dec 9999 23:59:59 -1000", NULL);
+ g_test_bug ("https://gitlab.gnome.org/GNOME/libsoup/-/issues/459");
+ g_assert_nonnull (cookie);
+ g_assert_null (soup_cookie_get_expires (cookie));
+ soup_cookie_free (cookie);
+}
+
 static void
 do_cookies_equal_nullpath (void)
 {
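Review bot: The early `return` inside the new `if (!date_string)` block abandons the whole of got_headers, not just the Date header. The rest of the function is outside the hunk, but whatever it does for an incoming request after this point would be skipped on this path, which is a worse outcome than a response without a Date header. Skipping only the header keeps the remaining handling intact: `if (date_string) { soup_message_headers_replace_common (headers, SOUP_HEADER_DATE, date_string); g_free (date_string); }`, followed by the existing `g_date_time_unref (date);`.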
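Review bot: do_cookies_parsing_invalid_timezone only exercises soup_cookie_parse(), so the NULL handling this series adds to serialize_cookie and soup_date_time_to_string() has no test; the commit message itself says this test already passed before the change. A second test that puts an expiry which cannot be converted to UTC on a cookie and serializes it would cover the new branch, as sketched below. The sketch assumes GLib accepts that local time at construction, which is why it asserts `expires` is non-NULL first. It needs its own g_test_add_func() line in main, and in the existing test `g_test_bug ()` is better placed as the first statement so the reference is recorded even if parsing aborts.

```c
static void
do_cookies_serialize_unconvertible_expires (void)
{
	/* Constructed sample: same wall-clock time and offset as the parsing test */
	GTimeZone *tz = g_time_zone_new_offset (-10 * 60 * 60);
	GDateTime *expires = g_date_time_new (tz, 9999, 12, 31, 23, 59, 59);
	SoupCookie *cookie = soup_cookie_new ("NAME", "VALUE", "example.com", "/", -1);
	char *header;

	g_test_bug ("https://gitlab.gnome.org/GNOME/libsoup/-/issues/459");
	g_assert_nonnull (expires);
	soup_cookie_set_expires (cookie, expires);

	/* The expiry cannot be formatted, so the attribute must be absent */
	header = soup_cookie_to_set_cookie_header (cookie);
	g_assert_nonnull (header);
	g_assert_null (strstr (header, "expires="));

	g_free (header);
	soup_cookie_free (cookie);
	g_date_time_unref (expires);
	g_time_zone_unref (tz);
}
```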
@@ -729,6 +739,7 @@ main (int argc, char **argv)
 g_test_add_func ("/cookies/parsing/max-age-int32-overflow", do_cookies_parsing_max_age_int32_overflow);
 g_test_add_func ("/cookies/parsing/max-age-long-overflow", do_cookies_parsing_max_age_long_overflow);
 g_test_add_func ("/cookies/parsing/int32-overflow", do_cookies_parsing_int32_overflow);
+ g_test_add_func ("/cookies/parsing/invalid-timezone", do_cookies_parsing_invalid_timezone);
 g_test_add_func ("/cookies/parsing/equal-nullpath", do_cookies_equal_nullpath);
 g_test_add_func ("/cookies/parsing/control-characters", do_cookies_parsing_control_characters);
 g_test_add_func ("/cookies/parsing/name-value-max-size", do_cookies_parsing_name_value_max_size);
--
GitLab