[Python-checkins] cpython (2.7): Lax cookie parsing in http.cookies could be a security issue when

guido.van.rossum python-checkins at python.org
Wed Sep 17 00:45:43 CEST 2014

• Previous message: [Python-checkins] cpython (merge 3.4 -> default): Replace bad ftp URLs in test_urllib2net
• Next message: [Python-checkins] cpython (3.4): consistently use _name_ and _value_; patch from Kiss Gyorgy
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

http://hg.python.org/cpython/rev/9e765e65e5cb
changeset: 92443:9e765e65e5cb
branch: 2.7
parent: 92431:e6c7a5a94a1d
user: Guido van Rossum <guido at python.org>
date: Tue Sep 16 15:45:36 2014 -0700
summary:
 Lax cookie parsing in http.cookies could be a security issue when
combined with non-standard cookie handling in some Web browsers.
Reported by Sergey Bobrov.
files:
 Lib/Cookie.py | 3 ++-
 Lib/test/test_cookie.py | 9 +++++++++
 Misc/ACKS | 1 +
 Misc/NEWS | 3 +++
 4 files changed, 15 insertions(+), 1 deletions(-)
diff --git a/Lib/Cookie.py b/Lib/Cookie.py
--- a/Lib/Cookie.py
+++ b/Lib/Cookie.py
@@ -531,6 +531,7 @@
 _LegalCharsPatt = r"[\w\d!#%&'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
 _CookiePattern = re.compile(
 r"(?x)" # This is a Verbose pattern
+ r"\s*" # Optional whitespace at start of cookie
 r"(?P<key>" # Start of group 'key'
 ""+ _LegalCharsPatt +"+?" # Any word of at least one letter, nongreedy
 r")" # End of group 'key'
@@ -646,7 +647,7 @@
 
 while 0 <= i < n:
 # Start looking for a cookie
- match = patt.search(str, i)
+ match = patt.match(str, i)
 if not match: break # No more cookies
 
 K,V = match.group("key"), match.group("val")
diff --git a/Lib/test/test_cookie.py b/Lib/test/test_cookie.py
--- a/Lib/test/test_cookie.py
+++ b/Lib/test/test_cookie.py
@@ -133,6 +133,15 @@
 self.assertEqual(C['Customer']['version'], '1')
 self.assertEqual(C['Customer']['path'], '/acme')
 
+ def test_invalid_cookies(self):
+ # Accepting these could be a security issue
+ C = Cookie.SimpleCookie()
+ for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'):
+ C.load(s)
+ self.assertEqual(dict(C), {})
+ self.assertEqual(C.output(), '')
+
+
 def test_main():
 run_unittest(CookieTests)
 if Cookie.__doc__ is not None:
diff --git a/Misc/ACKS b/Misc/ACKS
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -136,6 +136,7 @@
 Pablo Bleyer
 Erik van Blokland
 Eric Blossom
+Sergey Bobrov
 Finn Bock
 Paul Boddie
 Matthew Boedicker
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -21,6 +21,9 @@
 
 Library
 -------
+- Lax cookie parsing in http.cookies could be a security issue when combined
+ with non-standard cookie handling in some Web browsers. Reported by
+ Sergey Bobrov.
 
 - Issue #21147: sqlite3 now raises an exception if the request contains a null
 character instead of truncate it. Based on patch by Victor Stinner.
-- 
Repository URL: http://hg.python.org/cpython

---

• Previous message: [Python-checkins] cpython (merge 3.4 -> default): Replace bad ftp URLs in test_urllib2net
• Next message: [Python-checkins] cpython (3.4): consistently use _name_ and _value_; patch from Kiss Gyorgy
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

More information about the Python-checkins mailing list