[Python-checkins] cpython (merge 3.3 -> 3.4): Lax cookie parsing in http.cookies could be a security issue when combined

antoine.pitrou python-checkins at python.org
Wed Sep 17 00:27:36 CEST 2014

• Previous message: [Python-checkins] cpython: Closes #21270 : We now override tuple methods in mock.call objects.
• Next message: [Python-checkins] cpython (3.3): Lax cookie parsing in http.cookies could be a security issue when combined
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

http://hg.python.org/cpython/rev/60cab9d28525
changeset: 92439:60cab9d28525
branch: 3.4
parent: 92435:fcf45ec7863e
parent: 92438:270f61ec1157
user: Antoine Pitrou <solipsis at pitrou.net>
date: Wed Sep 17 00:25:57 2014 +0200
summary:
 Lax cookie parsing in http.cookies could be a security issue when combined
with non-standard cookie handling in some Web browsers.
Reported by Sergey Bobrov.
files:
 Lib/http/cookies.py | 3 ++-
 Lib/test/test_http_cookies.py | 9 +++++++++
 Misc/ACKS | 1 +
 Misc/NEWS | 4 ++++
 4 files changed, 16 insertions(+), 1 deletions(-)
diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -431,6 +431,7 @@
 _LegalCharsPatt = r"[\w\d!#%&'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
 _CookiePattern = re.compile(r"""
 (?x) # This is a verbose pattern
+ \s* # Optional whitespace at start of cookie
 (?P<key> # Start of group 'key'
 """ + _LegalCharsPatt + r"""+? # Any word of at least one letter
 ) # End of group 'key'
@@ -534,7 +535,7 @@
 
 while 0 <= i < n:
 # Start looking for a cookie
- match = patt.search(str, i)
+ match = patt.match(str, i)
 if not match:
 # No more cookies
 break
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -179,6 +179,15 @@
 </script>
 """)
 
+ def test_invalid_cookies(self):
+ # Accepting these could be a security issue
+ C = cookies.SimpleCookie()
+ for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'):
+ C.load(s)
+ self.assertEqual(dict(C), {})
+ self.assertEqual(C.output(), '')
+
+
 class MorselTests(unittest.TestCase):
 """Tests for the Morsel object."""
 
diff --git a/Misc/ACKS b/Misc/ACKS
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -140,6 +140,7 @@
 Pablo Bleyer
 Erik van Blokland
 Eric Blossom
+Sergey Bobrov
 Finn Bock
 Paul Boddie
 Matthew Boedicker
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -32,6 +32,10 @@
 Library
 -------
 
+- Lax cookie parsing in http.cookies could be a security issue when combined
+ with non-standard cookie handling in some Web browsers. Reported by
+ Sergey Bobrov.
+
 - Issue #22384: An exception in Tkinter callback no longer crashes the program
 when it is run with pythonw.exe.
 
-- 
Repository URL: http://hg.python.org/cpython

---

• Previous message: [Python-checkins] cpython: Closes #21270 : We now override tuple methods in mock.call objects.
• Next message: [Python-checkins] cpython (3.3): Lax cookie parsing in http.cookies could be a security issue when combined
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

More information about the Python-checkins mailing list