summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAntoine Pitrou <solipsis@pitrou.net>2014-09-16 22:23:55 (GMT)
committerAntoine Pitrou <solipsis@pitrou.net>2014-09-16 22:23:55 (GMT)
commit7d0b8f95e7c6cc70c1a636312099773376337d14 (patch)
treee3062b5036879bd2a96db7f5a19b52c15d8033d4
parent89e186f24ea6c10c39e90eb153bf714934be4e62 (diff)
downloadcpython-7d0b8f95e7c6cc70c1a636312099773376337d14.zip
cpython-7d0b8f95e7c6cc70c1a636312099773376337d14.tar.gz
cpython-7d0b8f95e7c6cc70c1a636312099773376337d14.tar.bz2
Lax cookie parsing in http.cookies could be a security issue when combined
with non-standard cookie handling in some Web browsers. Reported by Sergey Bobrov.
-rw-r--r--Lib/http/cookies.py3
-rw-r--r--Lib/test/test_http_cookies.py9
-rw-r--r--Misc/ACKS1
-rw-r--r--Misc/NEWS4
4 files changed, 16 insertions, 1 deletions
diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
index 24da5f4..556d101 100644
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -431,6 +431,7 @@ class Morsel(dict):
_LegalCharsPatt = r"[\w\d!#%&'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
_CookiePattern = re.compile(r"""
(?x) # This is a verbose pattern
+ \s* # Optional whitespace at start of cookie
(?P<key> # Start of group 'key'
""" + _LegalCharsPatt + r"""+? # Any word of at least one letter
) # End of group 'key'
@@ -534,7 +535,7 @@ class BaseCookie(dict):
while 0 <= i < n:
# Start looking for a cookie
- match = patt.search(str, i)
+ match = patt.match(str, i)
if not match:
# No more cookies
break
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
index 1cfbe74..76e5e9c 100644
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -179,6 +179,15 @@ class CookieTests(unittest.TestCase):
</script>
""")
+ def test_invalid_cookies(self):
+ # Accepting these could be a security issue
+ C = cookies.SimpleCookie()
+ for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'):
+ C.load(s)
+ self.assertEqual(dict(C), {})
+ self.assertEqual(C.output(), '')
+
+
class MorselTests(unittest.TestCase):
"""Tests for the Morsel object."""
diff --git a/Misc/ACKS b/Misc/ACKS
index eeefc81..d1ebba7 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -131,6 +131,7 @@ Martin Bless
Pablo Bleyer
Erik van Blokland
Eric Blossom
+Sergey Bobrov
Finn Bock
Paul Boddie
Matthew Boedicker
diff --git a/Misc/NEWS b/Misc/NEWS
index 1b72607..1f389f8 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,10 @@ Core and Builtins
Library
-------
+- Lax cookie parsing in http.cookies could be a security issue when combined
+ with non-standard cookie handling in some Web browsers. Reported by
+ Sergey Bobrov.
+
- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths
before checking for a CGI script at that path.