cpython: a065ab1c67a8 (original) (raw)

Mercurial > cpython

changeset 93524:a065ab1c67a8

Issue #22796: HTTP cookie parsing is now stricter, in order to protect against potential injection attacks. [#22796]

Antoine Pitrou solipsis@pitrou.net
date	Fri, 21 Nov 2014 01:20:57 +0100
parents	7ce62e80d3cd
children	31fd106bb68a
files	Lib/http/cookies.py Lib/test/test_http_cookies.py Misc/NEWS
diffstat	3 files changed, 48 insertions(+), 23 deletions(-)[+] [-] Lib/http/cookies.py 56 Lib/test/test_http_cookies.py 12 Misc/NEWS 3

line wrap: on

line diff

--- a/Lib/http/cookies.py +++ b/Lib/http/cookies.py @@ -533,10 +533,17 @@ class BaseCookie(dict): return def __parse_string(self, str, patt=_CookiePattern):

   i = 0            # Our starting point[](#l1.7)

   n = len(str)     # Length of string[](#l1.8)

   M = None         # current morsel[](#l1.9)

   i = 0                 # Our starting point[](#l1.10)

   n = len(str)          # Length of string[](#l1.11)

   parsed_items = []     # Parsed (type, key, value) triples[](#l1.12)

   morsel_seen = False   # A key=value pair was previously encountered[](#l1.13)

```
   TYPE_ATTRIBUTE = 1[](#l1.15)
```
```
   TYPE_KEYVALUE = 2[](#l1.16)
```

   # We first parse the whole cookie string and reject it if it's[](#l1.18)

   # syntactically invalid (this helps avoid some classes of injection[](#l1.19)

   # attacks).[](#l1.20)
   while 0 <= i < n:[](#l1.21)
       # Start looking for a cookie[](#l1.22)
       match = patt.match(str, i)[](#l1.23)

@@ -547,22 +554,41 @@ class BaseCookie(dict): key, value = match.group("key"), match.group("val") i = match.end(0)

       # Parse the key, value in case it's metainfo[](#l1.28)
       if key[0] == "$":[](#l1.29)

           # We ignore attributes which pertain to the cookie[](#l1.30)

           # mechanism as a whole.  See RFC 2109.[](#l1.31)

           # (Does anyone care?)[](#l1.32)

```
           if M:[](#l1.33)
```

               M[key[1:]] = value[](#l1.34)

           if not morsel_seen:[](#l1.35)

               # We ignore attributes which pertain to the cookie[](#l1.36)

               # mechanism as a whole, such as "$Version".[](#l1.37)

               # See RFC 2965. (Does anyone care?)[](#l1.38)

```
               continue[](#l1.39)
```

           parsed_items.append((TYPE_ATTRIBUTE, key[1:], value))[](#l1.40)
       elif key.lower() in Morsel._reserved:[](#l1.41)

```
           if M:[](#l1.42)
```

               if value is None:[](#l1.43)

                   if key.lower() in Morsel._flags:[](#l1.44)

                       M[key] = True[](#l1.45)

           if not morsel_seen:[](#l1.46)

               # Invalid cookie string[](#l1.47)

```
               return[](#l1.48)
```
```
           if value is None:[](#l1.49)
```

               if key.lower() in Morsel._flags:[](#l1.50)

                   parsed_items.append((TYPE_ATTRIBUTE, key, True))[](#l1.51)
               else:[](#l1.52)

                   M[key] = _unquote(value)[](#l1.53)

                   # Invalid cookie string[](#l1.54)

```
                   return[](#l1.55)
```
```
           else:[](#l1.56)
```

               parsed_items.append((TYPE_ATTRIBUTE, key, _unquote(value)))[](#l1.57)
       elif value is not None:[](#l1.58)

           rval, cval = self.value_decode(value)[](#l1.59)

           parsed_items.append((TYPE_KEYVALUE, key, self.value_decode(value)))[](#l1.60)

```
           morsel_seen = True[](#l1.61)
```
```
       else:[](#l1.62)
```

           # Invalid cookie string[](#l1.63)

```
           return[](#l1.64)
```

   # The cookie string is valid, apply it.[](#l1.66)

   M = None         # current morsel[](#l1.67)

   for tp, key, value in parsed_items:[](#l1.68)

       if tp == TYPE_ATTRIBUTE:[](#l1.69)

           assert M is not None[](#l1.70)

```
           M[key] = value[](#l1.71)
```
```
       else:[](#l1.72)
```

           assert tp == TYPE_KEYVALUE[](#l1.73)

           rval, cval = value[](#l1.74)
           self.__set(key, rval, cval)[](#l1.75)
           M = self[key][](#l1.76)

--- a/Lib/test/test_http_cookies.py +++ b/Lib/test/test_http_cookies.py @@ -141,13 +141,6 @@ class CookieTests(unittest.TestCase): self.assertEqual(C['eggs']['httponly'], 'foo') self.assertEqual(C['eggs']['secure'], 'bar')

def test_bad_attrs(self):

   # issue 16611: make sure we don't break backward compatibility.[](#l2.8)

```
   C = cookies.SimpleCookie()[](#l2.9)
```

   C.load('cookie=with; invalid; version; second=cookie;')[](#l2.10)

   self.assertEqual(C.output(),[](#l2.11)

       'Set-Cookie: cookie=with\r\nSet-Cookie: second=cookie')[](#l2.12)

- def test_extra_spaces(self): C = cookies.SimpleCookie() C.load('eggs = scrambled ; secure ; path = bar ; foo=foo ') @@ -182,7 +175,10 @@ class CookieTests(unittest.TestCase): def test_invalid_cookies(self): # Accepting these could be a security issue C = cookies.SimpleCookie()

   for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'):[](#l2.21)

   for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x',[](#l2.22)

             'Set-Cookie: foo=bar', 'Set-Cookie: foo',[](#l2.23)

             'foo=bar; baz', 'baz; foo=bar',[](#l2.24)

             'secure;foo=bar', 'Version=1;foo=bar'):[](#l2.25)
       C.load(s)[](#l2.26)
       self.assertEqual(dict(C), {})[](#l2.27)
       self.assertEqual(C.output(), '')[](#l2.28)

--- a/Misc/NEWS +++ b/Misc/NEWS @@ -188,6 +188,9 @@ Core and Builtins Library ------- +- Issue #22796: HTTP cookie parsing is now stricter, in order to protect

against potential injection attacks. +

Issue #22370: Windows detection in pathlib is now more robust.
Issue #22841: Reject coroutines in asyncio add_signal_handler().