[Python-checkins] cpython (merge 3.4 -> default): Lax cookie parsing in http.cookies could be a security issue when combined

antoine.pitrou python-checkins at python.org
Wed Sep 17 00:27:36 CEST 2014 

http://hg.python.org/cpython/rev/d3663a0f97ed
changeset:   92440:d3663a0f97ed
parent:      92437:5660c1bdc2b6
parent:      92439:60cab9d28525
user:        Antoine Pitrou <solipsis at pitrou.net>
date:        Wed Sep 17 00:27:26 2014 +0200
summary:
  Lax cookie parsing in http.cookies could be a security issue when combined
with non-standard cookie handling in some Web browsers.

Reported by Sergey Bobrov.

files:
  Lib/http/cookies.py           |  3 ++-
  Lib/test/test_http_cookies.py |  9 +++++++++
  Misc/ACKS                     |  1 +
  Misc/NEWS                     |  4 ++++
  4 files changed, 16 insertions(+), 1 deletions(-)


diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -431,6 +431,7 @@
 _LegalCharsPatt  = r"[\w\d!#%&'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
 _CookiePattern = re.compile(r"""
     (?x)                           # This is a verbose pattern
+    \s*                            # Optional whitespace at start of cookie
     (?P<key>                       # Start of group 'key'
     """ + _LegalCharsPatt + r"""+?   # Any word of at least one letter
     )                              # End of group 'key'
@@ -534,7 +535,7 @@
 
         while 0 <= i < n:
             # Start looking for a cookie
-            match = patt.search(str, i)
+            match = patt.match(str, i)
             if not match:
                 # No more cookies
                 break
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -179,6 +179,15 @@
         </script>
         """)
 
+    def test_invalid_cookies(self):
+        # Accepting these could be a security issue
+        C = cookies.SimpleCookie()
+        for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'):
+            C.load(s)
+            self.assertEqual(dict(C), {})
+            self.assertEqual(C.output(), '')
+
+
 class MorselTests(unittest.TestCase):
     """Tests for the Morsel object."""
 
diff --git a/Misc/ACKS b/Misc/ACKS
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -142,6 +142,7 @@
 Pablo Bleyer
 Erik van Blokland
 Eric Blossom
+Sergey Bobrov
 Finn Bock
 Paul Boddie
 Matthew Boedicker
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -132,6 +132,10 @@
 Library
 -------
 
+- Lax cookie parsing in http.cookies could be a security issue when combined
+  with non-standard cookie handling in some Web browsers.  Reported by
+  Sergey Bobrov.
+
 - Issue #20537: logging methods now accept an exception instance as well as a
   Boolean value or exception tuple. Thanks to Yury Selivanov for the patch.
 

-- 
Repository URL: http://hg.python.org/cpython

More information about the Python-checkins mailing list