Commit dad182c1 authored by Antoine Pitrou's avatar Antoine Pitrou

Lax cookie parsing in http.cookies could be a security issue when combined

with non-standard cookie handling in some Web browsers.

Reported by Sergey Bobrov.
parent 860c367c
......@@ -432,6 +432,7 @@ class Morsel(dict):
_LegalCharsPatt = r"[\w\d!#%&'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
_CookiePattern = re.compile(r"""
(?x) # This is a verbose pattern
\s* # Optional whitespace at start of cookie
(?P<key> # Start of group 'key'
""" + _LegalCharsPatt + r"""+? # Any word of at least one letter
) # End of group 'key'
......@@ -532,7 +533,7 @@ class BaseCookie(dict):
while 0 <= i < n:
# Start looking for a cookie
match = patt.search(str, i)
match = patt.match(str, i)
if not match:
# No more cookies
break
......
......@@ -132,6 +132,15 @@ class CookieTests(unittest.TestCase):
</script>
""")
def test_invalid_cookies(self):
# Accepting these could be a security issue
C = cookies.SimpleCookie()
for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'):
C.load(s)
self.assertEqual(dict(C), {})
self.assertEqual(C.output(), '')
class MorselTests(unittest.TestCase):
"""Tests for the Morsel object."""
......
......@@ -117,6 +117,7 @@ Martin Bless
Pablo Bleyer
Erik van Blokland
Eric Blossom
Sergey Bobrov
Finn Bock
Paul Boddie
Matthew Boedicker
......
......@@ -37,6 +37,10 @@ Library
strings for ``rfc822Name`` (email), ``dNSName`` (DNS) and
``uniformResourceIdentifier`` (URI).
- Lax cookie parsing in http.cookies could be a security issue when combined
with non-standard cookie handling in some Web browsers. Reported by
Sergey Bobrov.
- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths
before checking for a CGI script at that path.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment