Lax cookie parsing in http.cookies could be a security issue when

combined with non-standard cookie handling in some Web browsers. Reported by Sergey Bobrov.
author: Guido van Rossum <guido@python.org> 2014-09-16 22:45:36 (GMT)
committer: Guido van Rossum <guido@python.org> 2014-09-16 22:45:36 (GMT)
commit: c9cdd0ccadfaaac177ab7a866b979db3b073f660 (patch)
tree: 00d7284e501ec1c19e471bb15348e6d0ff035ae9 /Lib/test/test_cookie.py
parent: 038fac67c02d85df2d34f1092a51db31f758bb63 (diff)
download: cpython-c9cdd0ccadfaaac177ab7a866b979db3b073f660.zip
cpython-c9cdd0ccadfaaac177ab7a866b979db3b073f660.tar.gz
cpython-c9cdd0ccadfaaac177ab7a866b979db3b073f660.tar.bz2
1 files changed, 9 insertions, 0 deletions
diff --git a/Lib/test/test_cookie.py b/Lib/test/test_cookie.py
index 5370a8d..41ba60f 100644
--- a/Lib/test/test_cookie.py
+++ b/Lib/test/test_cookie.py
@@ -133,6 +133,15 @@ class CookieTests(unittest.TestCase):
         self.assertEqual(C['Customer']['version'], '1')
         self.assertEqual(C['Customer']['path'], '/acme')
 
+    def test_invalid_cookies(self):
+        # Accepting these could be a security issue
+        C = Cookie.SimpleCookie()
+        for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'):
+            C.load(s)
+            self.assertEqual(dict(C), {})
+            self.assertEqual(C.output(), '')
+
+
 def test_main():
     run_unittest(CookieTests)
     if Cookie.__doc__ is not None:
author	Guido van Rossum <guido@python.org>	2014-09-16 22:45:36 (GMT)
committer	Guido van Rossum <guido@python.org>	2014-09-16 22:45:36 (GMT)
commit	c9cdd0ccadfaaac177ab7a866b979db3b073f660 (patch)
tree	00d7284e501ec1c19e471bb15348e6d0ff035ae9 /Lib/test/test_cookie.py
parent	038fac67c02d85df2d34f1092a51db31f758bb63 (diff)
download	cpython-c9cdd0ccadfaaac177ab7a866b979db3b073f660.zip cpython-c9cdd0ccadfaaac177ab7a866b979db3b073f660.tar.gz cpython-c9cdd0ccadfaaac177ab7a866b979db3b073f660.tar.bz2