Lax cookie parsing in http.cookies could be a security issue when combined

with non-standard cookie handling in some Web browsers. Reported by Sergey Bobrov.
author: Antoine Pitrou <solipsis@pitrou.net> 2014-09-16 22:23:55 (GMT)
committer: Antoine Pitrou <solipsis@pitrou.net> 2014-09-16 22:23:55 (GMT)
commit: 7d0b8f95e7c6cc70c1a636312099773376337d14 (patch)
tree: e3062b5036879bd2a96db7f5a19b52c15d8033d4 /Lib/test
parent: 89e186f24ea6c10c39e90eb153bf714934be4e62 (diff)
download: cpython-7d0b8f95e7c6cc70c1a636312099773376337d14.zip
cpython-7d0b8f95e7c6cc70c1a636312099773376337d14.tar.gz
cpython-7d0b8f95e7c6cc70c1a636312099773376337d14.tar.bz2
1 files changed, 9 insertions, 0 deletions
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
index 1cfbe74..76e5e9c 100644
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -179,6 +179,15 @@ class CookieTests(unittest.TestCase):
         </script>
         """)
 
+    def test_invalid_cookies(self):
+        # Accepting these could be a security issue
+        C = cookies.SimpleCookie()
+        for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'):
+            C.load(s)
+            self.assertEqual(dict(C), {})
+            self.assertEqual(C.output(), '')
+
+
 class MorselTests(unittest.TestCase):
     """Tests for the Morsel object."""
author	Antoine Pitrou <solipsis@pitrou.net>	2014-09-16 22:23:55 (GMT)
committer	Antoine Pitrou <solipsis@pitrou.net>	2014-09-16 22:23:55 (GMT)
commit	7d0b8f95e7c6cc70c1a636312099773376337d14 (patch)
tree	e3062b5036879bd2a96db7f5a19b52c15d8033d4 /Lib/test
parent	89e186f24ea6c10c39e90eb153bf714934be4e62 (diff)
download	cpython-7d0b8f95e7c6cc70c1a636312099773376337d14.zip cpython-7d0b8f95e7c6cc70c1a636312099773376337d14.tar.gz cpython-7d0b8f95e7c6cc70c1a636312099773376337d14.tar.bz2