Lax cookie parsing in http.cookies could be a security issue when

combined with non-standard cookie handling in some Web browsers. Reported by Sergey Bobrov.

Lax cookie parsing in http.cookies could be a security issue when
combined with non-standard cookie handling in some Web browsers. Reported by Sergey Bobrov.
c9cdd0cc · Guido van Rossum · 038fac67 · c9cdd0cc · c9cdd0cc · c9cdd0cc
Commit c9cdd0cc authored Sep 16, 2014 by Guido van Rossum
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 1 deletion

Lib/Cookie.py Lib/Cookie.py +2 -1

Lib/test/test_cookie.py Lib/test/test_cookie.py +9 -0

Misc/ACKS Misc/ACKS +1 -0

Misc/NEWS Misc/NEWS +3 -0

No files found.
--- a/Lib/Cookie.py
+++ b/Lib/Cookie.py
@@ -531,6 +531,7 @@ class Morsel(dict):
 _LegalCharsPatt  = r"[\w\d!#%&'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
 _CookiePattern = re.compile(
    r"(?x)"                       # This is a Verbose pattern
+    r"\s*"                        # Optional whitespace at start of cookie
    r"(?P<key>"                   # Start of group 'key'
    ""+ _LegalCharsPatt +"+?"     # Any word of at least one letter, nongreedy
    r")"                          # End of group 'key'
@@ -646,7 +647,7 @@ class BaseCookie(dict):

        while 0 <= i < n:
            # Start looking for a cookie
-            match = patt.search(str, i)
+            match = patt.match(str, i)
            if not match: break          # No more cookies

            K,V = match.group("key"), match.group("val")

--- a/Lib/test/test_cookie.py
+++ b/Lib/test/test_cookie.py
@@ -133,6 +133,15 @@ class CookieTests(unittest.TestCase):
        self.assertEqual(C['Customer']['version'], '1')
        self.assertEqual(C['Customer']['path'], '/acme')

+    def test_invalid_cookies(self):
+        # Accepting these could be a security issue
+        C = Cookie.SimpleCookie()
+        for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'):
+            C.load(s)
+            self.assertEqual(dict(C), {})
+            self.assertEqual(C.output(), '')
+
+
 def test_main():
    run_unittest(CookieTests)
    if Cookie.__doc__ is not None:

--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -136,6 +136,7 @@ Martin Bless
 Pablo Bleyer
 Erik van Blokland
 Eric Blossom
+Sergey Bobrov
 Finn Bock
 Paul Boddie
 Matthew Boedicker

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -21,6 +21,9 @@ Core and Builtins

 Library
 -------
+- Lax cookie parsing in http.cookies could be a security issue when combined
+  with non-standard cookie handling in some Web browsers.  Reported by
+  Sergey Bobrov.

 - Issue #21147: sqlite3 now raises an exception if the request contains a null
  character instead of truncate it.  Based on patch by Victor Stinner.