diff options
| -rw-r--r-- | Lib/http/cookies.py | 3 | ||||
| -rw-r--r-- | Lib/test/test_http_cookies.py | 9 | ||||
| -rw-r--r-- | Misc/ACKS | 1 | ||||
| -rw-r--r-- | Misc/NEWS | 4 |
4 files changed, 16 insertions, 1 deletions
diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py index ddbcbf877b..28c1161582 100644 --- a/Lib/http/cookies.py +++ b/Lib/http/cookies.py @@ -432,6 +432,7 @@ class Morsel(dict): _LegalCharsPatt = r"[\w\d!#%&'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]" _CookiePattern = re.compile(r""" (?x) # This is a verbose pattern + \s* # Optional whitespace at start of cookie (?P<key> # Start of group 'key' """ + _LegalCharsPatt + r"""+? # Any word of at least one letter ) # End of group 'key' @@ -532,7 +533,7 @@ class BaseCookie(dict): while 0 <= i < n: # Start looking for a cookie - match = patt.search(str, i) + match = patt.match(str, i) if not match: # No more cookies break diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py index 1f1ca5852e..30d48983c6 100644 --- a/Lib/test/test_http_cookies.py +++ b/Lib/test/test_http_cookies.py @@ -132,6 +132,15 @@ class CookieTests(unittest.TestCase): </script> """) + def test_invalid_cookies(self): + # Accepting these could be a security issue + C = cookies.SimpleCookie() + for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'): + C.load(s) + self.assertEqual(dict(C), {}) + self.assertEqual(C.output(), '') + + class MorselTests(unittest.TestCase): """Tests for the Morsel object.""" @@ -117,6 +117,7 @@ Martin Bless Pablo Bleyer Erik van Blokland Eric Blossom +Sergey Bobrov Finn Bock Paul Boddie Matthew Boedicker @@ -37,6 +37,10 @@ Library strings for ``rfc822Name`` (email), ``dNSName`` (DNS) and ``uniformResourceIdentifier`` (URI). +- Lax cookie parsing in http.cookies could be a security issue when combined + with non-standard cookie handling in some Web browsers. Reported by + Sergey Bobrov. + - Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths before checking for a CGI script at that path. |