Lax cookie parsing in http.cookies could be a security issue when combined

with non-standard cookie handling in some Web browsers. Reported by Sergey Bobrov.
author: Antoine Pitrou <solipsis@pitrou.net> 2014-09-17 00:25:57 +0200
committer: Antoine Pitrou <solipsis@pitrou.net> 2014-09-17 00:25:57 +0200
commit: 637e4544afda57d52c81bddba5486bda9574e6b2 (patch)
tree: d0a5479efbccc96fe8d9256b03769c083098db59
parent: 8fad1676a215bab3e61dccf0f1802ccb17a43a41 (diff)
parent: 7d0b8f95e7c6cc70c1a636312099773376337d14 (diff)
download: cpython-git-637e4544afda57d52c81bddba5486bda9574e6b2.tar.gz
4 files changed, 16 insertions, 1 deletions
diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
index 24da5f490c..556d101fb0 100644
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -431,6 +431,7 @@ class Morsel(dict):
 _LegalCharsPatt  = r"[\w\d!#%&'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
 _CookiePattern = re.compile(r"""
     (?x)                           # This is a verbose pattern
+    \s*                            # Optional whitespace at start of cookie
     (?P<key>                       # Start of group 'key'
     """ + _LegalCharsPatt + r"""+?   # Any word of at least one letter
     )                              # End of group 'key'
@@ -534,7 +535,7 @@ class BaseCookie(dict):
 
         while 0 <= i < n:
             # Start looking for a cookie
-            match = patt.search(str, i)
+            match = patt.match(str, i)
             if not match:
                 # No more cookies
                 break
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
index 1cfbe742e4..76e5e9c4da 100644
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -179,6 +179,15 @@ class CookieTests(unittest.TestCase):
         </script>
         """)
 
+    def test_invalid_cookies(self):
+        # Accepting these could be a security issue
+        C = cookies.SimpleCookie()
+        for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'):
+            C.load(s)
+            self.assertEqual(dict(C), {})
+            self.assertEqual(C.output(), '')
+
+
 class MorselTests(unittest.TestCase):
     """Tests for the Morsel object."""
 
diff --git a/Misc/ACKS b/Misc/ACKS
index e582b64da5..3f4cccf922 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -140,6 +140,7 @@ Martin Bless
 Pablo Bleyer
 Erik van Blokland
 Eric Blossom
+Sergey Bobrov
 Finn Bock
 Paul Boddie
 Matthew Boedicker
diff --git a/Misc/NEWS b/Misc/NEWS
index 9ba754a773..e411cdbaf4 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -32,6 +32,10 @@ Core and Builtins
 Library
 -------
 
+- Lax cookie parsing in http.cookies could be a security issue when combined
+  with non-standard cookie handling in some Web browsers.  Reported by
+  Sergey Bobrov.
+
 - Issue #22384: An exception in Tkinter callback no longer crashes the program
   when it is run with pythonw.exe.
author	Antoine Pitrou <solipsis@pitrou.net>	2014-09-17 00:25:57 +0200
committer	Antoine Pitrou <solipsis@pitrou.net>	2014-09-17 00:25:57 +0200
commit	637e4544afda57d52c81bddba5486bda9574e6b2 (patch)
tree	d0a5479efbccc96fe8d9256b03769c083098db59
parent	8fad1676a215bab3e61dccf0f1802ccb17a43a41 (diff)
parent	7d0b8f95e7c6cc70c1a636312099773376337d14 (diff)
download	cpython-git-637e4544afda57d52c81bddba5486bda9574e6b2.tar.gz