combined with non-standard cookie handling in some Web browsers.
Reported by Sergey Bobrov.
_LegalCharsPatt = r"[\w\d!#%&'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
_CookiePattern = re.compile(
r"(?x)" # This is a Verbose pattern
+ r"\s*" # Optional whitespace at start of cookie
r"(?P<key>" # Start of group 'key'
""+ _LegalCharsPatt +"+?" # Any word of at least one letter, nongreedy
r")" # End of group 'key'
while 0 <= i < n:
# Start looking for a cookie
- match = patt.search(str, i)
+ match = patt.match(str, i)
if not match: break # No more cookies
K,V = match.group("key"), match.group("val")
self.assertEqual(C['Customer']['version'], '1')
self.assertEqual(C['Customer']['path'], '/acme')
+ def test_invalid_cookies(self):
+ # Accepting these could be a security issue
+ C = Cookie.SimpleCookie()
+ for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'):
+ C.load(s)
+ self.assertEqual(dict(C), {})
+ self.assertEqual(C.output(), '')
+
+
def test_main():
run_unittest(CookieTests)
if Cookie.__doc__ is not None:
Pablo Bleyer
Erik van Blokland
Eric Blossom
+Sergey Bobrov
Finn Bock
Paul Boddie
Matthew Boedicker
Library
-------
+- Lax cookie parsing in http.cookies could be a security issue when combined
+ with non-standard cookie handling in some Web browsers. Reported by
+ Sergey Bobrov.
- Issue #21147: sqlite3 now raises an exception if the request contains a null
character instead of truncate it. Based on patch by Victor Stinner.
projects / python / commitdiff