[Python-checkins] cpython (3.2): Lax cookie parsing in http.cookies could be a security issue when combined
georg.brandl
python-checkins at python.org
Tue Sep 30 15:00:17 CEST 2014
https://hg.python.org/cpython/rev/5cfe74a9bfa4
changeset: 92667:5cfe74a9bfa4
branch: 3.2
user: Antoine Pitrou <solipsis at pitrou.net>
date: Wed Sep 17 00:23:55 2014 +0200
summary:
Lax cookie parsing in http.cookies could be a security issue when combined
with non-standard cookie handling in some Web browsers.
Reported by Sergey Bobrov.
files:
Lib/http/cookies.py | 3 ++-
Lib/test/test_http_cookies.py | 9 +++++++++
Misc/ACKS | 1 +
Misc/NEWS | 4 ++++
4 files changed, 16 insertions(+), 1 deletions(-)
diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -432,6 +432,7 @@
_LegalCharsPatt = r"[\w\d!#%&'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
_CookiePattern = re.compile(r"""
(?x) # This is a verbose pattern
+ \s* # Optional whitespace at start of cookie
(?P<key> # Start of group 'key'
""" + _LegalCharsPatt + r"""+? # Any word of at least one letter
) # End of group 'key'
@@ -532,7 +533,7 @@
while 0 <= i < n:
# Start looking for a cookie
- match = patt.search(str, i)
+ match = patt.match(str, i)
if not match:
# No more cookies
break
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -132,6 +132,15 @@
</script>
""")
+ def test_invalid_cookies(self):
+ # Accepting these could be a security issue
+ C = cookies.SimpleCookie()
+ for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'):
+ C.load(s)
+ self.assertEqual(dict(C), {})
+ self.assertEqual(C.output(), '')
+
+
class MorselTests(unittest.TestCase):
"""Tests for the Morsel object."""
diff --git a/Misc/ACKS b/Misc/ACKS
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -117,6 +117,7 @@
Pablo Bleyer
Erik van Blokland
Eric Blossom
+Sergey Bobrov
Finn Bock
Paul Boddie
Matthew Boedicker
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -37,6 +37,10 @@
strings for ``rfc822Name`` (email), ``dNSName`` (DNS) and
``uniformResourceIdentifier`` (URI).
+- Lax cookie parsing in http.cookies could be a security issue when combined
+ with non-standard cookie handling in some Web browsers. Reported by
+ Sergey Bobrov.
+
- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths
before checking for a CGI script at that path.
--
Repository URL: https://hg.python.org/cpython
More information about the Python-checkins
mailing list