From: Guido van Rossum Date: Tue, 16 Sep 2014 22:45:36 +0000 (-0700) Subject: Lax cookie parsing in http.cookies could be a security issue when X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c9cdd0ccadfaaac177ab7a866b979db3b073f660;p=python Lax cookie parsing in http.cookies could be a security issue when combined with non-standard cookie handling in some Web browsers. Reported by Sergey Bobrov. --- diff --git a/Lib/Cookie.py b/Lib/Cookie.py index a5239ca6a3..d674437457 100644 --- a/Lib/Cookie.py +++ b/Lib/Cookie.py @@ -531,6 +531,7 @@ class Morsel(dict): _LegalCharsPatt = r"[\w\d!#%&'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]" _CookiePattern = re.compile( r"(?x)" # This is a Verbose pattern + r"\s*" # Optional whitespace at start of cookie r"(?P" # Start of group 'key' ""+ _LegalCharsPatt +"+?" # Any word of at least one letter, nongreedy r")" # End of group 'key' @@ -646,7 +647,7 @@ class BaseCookie(dict): while 0 <= i < n: # Start looking for a cookie - match = patt.search(str, i) + match = patt.match(str, i) if not match: break # No more cookies K,V = match.group("key"), match.group("val") diff --git a/Lib/test/test_cookie.py b/Lib/test/test_cookie.py index 5370a8de2b..41ba60f9d2 100644 --- a/Lib/test/test_cookie.py +++ b/Lib/test/test_cookie.py @@ -133,6 +133,15 @@ class CookieTests(unittest.TestCase): self.assertEqual(C['Customer']['version'], '1') self.assertEqual(C['Customer']['path'], '/acme') + def test_invalid_cookies(self): + # Accepting these could be a security issue + C = Cookie.SimpleCookie() + for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'): + C.load(s) + self.assertEqual(dict(C), {}) + self.assertEqual(C.output(), '') + + def test_main(): run_unittest(CookieTests) if Cookie.__doc__ is not None: diff --git a/Misc/ACKS b/Misc/ACKS index f9a4426b99..1ca04794fc 100644 --- a/Misc/ACKS +++ b/Misc/ACKS @@ -136,6 +136,7 @@ Martin Bless Pablo Bleyer Erik van Blokland Eric Blossom +Sergey Bobrov Finn Bock Paul Boddie Matthew Boedicker diff --git a/Misc/NEWS b/Misc/NEWS index e5f8f76b15..2907c1c7c6 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -21,6 +21,9 @@ Core and Builtins Library ------- +- Lax cookie parsing in http.cookies could be a security issue when combined + with non-standard cookie handling in some Web browsers. Reported by + Sergey Bobrov. - Issue #21147: sqlite3 now raises an exception if the request contains a null character instead of truncate it. Based on patch by Victor Stinner.