Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython2 / c9cdd0ccadfaaac177ab7a866b979db3b073f660^! / .
commitc9cdd0ccadfaaac177ab7a866b979db3b073f660[log] [tgz]
authorGuido van Rossum <guido@python.org>Tue Sep 16 15:45:36 2014 -0700
committerGuido van Rossum <guido@python.org>Tue Sep 16 15:45:36 2014 -0700
tree00d7284e501ec1c19e471bb15348e6d0ff035ae9
parent038fac67c02d85df2d34f1092a51db31f758bb63 [diff]
Lax cookie parsing in http.cookies could be a security issue when
combined with non-standard cookie handling in some Web browsers.

Reported by Sergey Bobrov.

diff --git a/Lib/Cookie.py b/Lib/Cookie.py
index a5239ca..d674437 100644
--- a/Lib/Cookie.py
+++ b/Lib/Cookie.py

@@ -531,6 +531,7 @@
 _LegalCharsPatt  = r"[\w\d!#%&'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
 _CookiePattern = re.compile(
     r"(?x)"                       # This is a Verbose pattern
+    r"\s*"                        # Optional whitespace at start of cookie
     r"(?P<key>"                   # Start of group 'key'
     ""+ _LegalCharsPatt +"+?"     # Any word of at least one letter, nongreedy
     r")"                          # End of group 'key'
@@ -646,7 +647,7 @@
 
         while 0 <= i < n:
             # Start looking for a cookie
-            match = patt.search(str, i)
+            match = patt.match(str, i)
             if not match: break          # No more cookies
 
             K,V = match.group("key"), match.group("val")

diff --git a/Lib/test/test_cookie.py b/Lib/test/test_cookie.py
index 5370a8d..41ba60f 100644
--- a/Lib/test/test_cookie.py
+++ b/Lib/test/test_cookie.py

@@ -133,6 +133,15 @@
         self.assertEqual(C['Customer']['version'], '1')
         self.assertEqual(C['Customer']['path'], '/acme')
 
+    def test_invalid_cookies(self):
+        # Accepting these could be a security issue
+        C = Cookie.SimpleCookie()
+        for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'):
+            C.load(s)
+            self.assertEqual(dict(C), {})
+            self.assertEqual(C.output(), '')
+
+
 def test_main():
     run_unittest(CookieTests)
     if Cookie.__doc__ is not None:

diff --git a/Misc/ACKS b/Misc/ACKS
index f9a4426..1ca0479 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS

@@ -136,6 +136,7 @@
 Pablo Bleyer
 Erik van Blokland
 Eric Blossom
+Sergey Bobrov
 Finn Bock
 Paul Boddie
 Matthew Boedicker

diff --git a/Misc/NEWS b/Misc/NEWS
index e5f8f76..2907c1c 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS

@@ -21,6 +21,9 @@
 
 Library
 -------
+- Lax cookie parsing in http.cookies could be a security issue when combined
+  with non-standard cookie handling in some Web browsers.  Reported by
+  Sergey Bobrov.
 
 - Issue #21147: sqlite3 now raises an exception if the request contains a null
   character instead of truncate it.  Based on patch by Victor Stinner.