From: Antoine Pitrou Date: Tue, 16 Sep 2014 22:23:55 +0000 (+0200) Subject: Lax cookie parsing in http.cookies could be a security issue when combined X-Git-Tag: v3.3.6rc1~10 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7d0b8f95e7c6cc70c1a636312099773376337d14;p=python Lax cookie parsing in http.cookies could be a security issue when combined with non-standard cookie handling in some Web browsers. Reported by Sergey Bobrov. --- diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py index 24da5f490c..556d101fb0 100644 --- a/Lib/http/cookies.py +++ b/Lib/http/cookies.py @@ -431,6 +431,7 @@ class Morsel(dict): _LegalCharsPatt = r"[\w\d!#%&'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]" _CookiePattern = re.compile(r""" (?x) # This is a verbose pattern + \s* # Optional whitespace at start of cookie (?P # Start of group 'key' """ + _LegalCharsPatt + r"""+? # Any word of at least one letter ) # End of group 'key' @@ -534,7 +535,7 @@ class BaseCookie(dict): while 0 <= i < n: # Start looking for a cookie - match = patt.search(str, i) + match = patt.match(str, i) if not match: # No more cookies break diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py index 1cfbe742e4..76e5e9c4da 100644 --- a/Lib/test/test_http_cookies.py +++ b/Lib/test/test_http_cookies.py @@ -179,6 +179,15 @@ class CookieTests(unittest.TestCase): """) + def test_invalid_cookies(self): + # Accepting these could be a security issue + C = cookies.SimpleCookie() + for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'): + C.load(s) + self.assertEqual(dict(C), {}) + self.assertEqual(C.output(), '') + + class MorselTests(unittest.TestCase): """Tests for the Morsel object.""" diff --git a/Misc/ACKS b/Misc/ACKS index eeefc8144a..d1ebba7650 100644 --- a/Misc/ACKS +++ b/Misc/ACKS @@ -131,6 +131,7 @@ Martin Bless Pablo Bleyer Erik van Blokland Eric Blossom +Sergey Bobrov Finn Bock Paul Boddie Matthew Boedicker diff --git a/Misc/NEWS b/Misc/NEWS index 1b72607b55..1f389f8714 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -13,6 +13,10 @@ Core and Builtins Library ------- +- Lax cookie parsing in http.cookies could be a security issue when combined + with non-standard cookie handling in some Web browsers. Reported by + Sergey Bobrov. + - Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths before checking for a CGI script at that path.