Commit Graph

32 Commits

Author SHA1 Message Date
bcaller 1b779bfb85 bpo-38804: Fix REDoS in http.cookiejar (GH-17157)
The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
expression denial of service (REDoS).

LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar
to parse Set-Cookie headers returned by a server.
Processing a response from a malicious HTTP server can lead to extreme
CPU usage and execution will be blocked for a long time.

The regex contained multiple overlapping \s* capture groups.
Ignoring the ?-optional capture groups the regex could be simplified to

    \d+-\w+-\d+(\s*\s*\s*)$

Therefore, a long sequence of spaces can trigger bad performance.

Matching a malicious string such as

    LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")

caused catastrophic backtracking.

The fix removes ambiguity about which \s* should match a particular
space.

You can create a malicious server which responds with Set-Cookie headers
to attack all python programs which access it e.g.

    from http.server import BaseHTTPRequestHandler, HTTPServer

    def make_set_cookie_value(n_spaces):
        spaces = " " * n_spaces
        expiry = f"1-c-1{spaces}!"
        return f"b;Expires={expiry}"

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.log_request(204)
            self.send_response_only(204)  # Don't bother sending Server and Date
            n_spaces = (
                int(self.path[1:])  # Can GET e.g. /100 to test shorter sequences
                if len(self.path) > 1 else
                65506  # Max header line length 65536
            )
            value = make_set_cookie_value(n_spaces)
            for i in range(99):  # Not necessary, but we can have up to 100 header lines
                self.send_header("Set-Cookie", value)
            self.end_headers()

    if __name__ == "__main__":
        HTTPServer(("", 44020), Handler).serve_forever()

This server returns 99 Set-Cookie headers. Each has 65506 spaces.
Extracting the cookies will pretty much never complete.

Vulnerable client using the example at the bottom of
https://docs.python.org/3/library/http.cookiejar.html :

    import http.cookiejar, urllib.request
    cj = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
    r = opener.open("http://localhost:44020/")

The popular requests library was also vulnerable without any additional
options (as it uses http.cookiejar by default):

    import requests
    requests.get("http://localhost:44020/")

* Regression test for http.cookiejar REDoS

If we regress, this test will take a very long time.

* Improve performance of http.cookiejar.ISO_DATE_RE

A string like

"444444" + (" " * 2000) + "A"

could cause poor performance due to the 2 overlapping \s* groups,
although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.
2019-11-22 15:22:11 +01:00
Xtreak bb41147eab bpo-12144: Handle cookies with expires attribute in CookieJar.make_cookies (GH-13921)
Handle time comparison for cookies with `expires` attribute when `CookieJar.make_cookies` is called.

Co-authored-by: Demian Brecht <demianbrecht@gmail.com>


https://bugs.python.org/issue12144



Automerge-Triggered-By: @asvetlov
2019-09-13 04:29:00 -07:00
Xtreak 0e1f1f0105 bpo-35647: Fix path check in cookiejar (#11436)
* Refactor cookie path check as per RFC 6265

* Add tests for prefix match of path

* Add news entry

* Fix set_ok_path and refactor tests

* Use slice for last letter
2019-03-10 10:12:28 -07:00
Xtreak ca7fe50635 bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258)
Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy.  Patch by Karthikeyan Singaravelan.
2019-03-09 21:09:48 -05:00
Stéphane Wirtel 4b219ce81e bpo-36043: FileCookieJar supports os.PathLike (GH-11945)
https://bugs.python.org/issue36043
2019-03-01 12:40:54 -08:00
Serhiy Storchaka 34fd4c2019
bpo-35133: Fix mistakes when concatenate string literals on different lines. (GH-10284)
Two kind of mistakes:

1. Missed space. After concatenating there is no space between words.

2. Missed comma. Causes unintentional concatenating in a list of strings.
2018-11-05 16:20:25 +02:00
Paul Bailey 4c33997057 bpo-34911: Added support for secure websocket cookies (GH-9734) 2018-10-08 21:49:29 +03:00
R David Murray 44b548dda8 #27364: fix "incorrect" uses of escape character in the stdlib.
And most of the tools.

Patch by Emanual Barry, reviewed by me, Serhiy Storchaka, and
Martin Panter.
2016-09-08 13:59:53 -04:00
Martin Panter eb9957065a Issue #27626: Spelling fixes in docs, comments and internal names
Based on patch by Ville Skyttä.
2016-07-28 01:11:04 +00:00
Senthil Kumaran d5b47fb8ce Issue #27466: Change time format returned by http.cookie.time2netscape,
confirming the netscape cookie format.
2016-07-10 06:45:38 -07:00
Martin Panter 46f50726a0 Issue #27076: Doc, comment and tests spelling fixes
Most fixes to Doc/ and Lib/ directories by Ville Skyttä.
2016-05-26 05:35:26 +00:00
Berker Peksag 20be53e5b5 Issue #16181: cookiejar.http2time() now returns None if year is higher than datetime.MAXYEAR 2016-03-14 05:48:02 +02:00
Robert Collins a0e5d981cd Issue #23888: Handle fractional time in cookie expiry. Patch by ssh. 2015-08-04 10:06:29 +12:00
Serhiy Storchaka 577fc4e87f Issue #23138: Fixed parsing cookies with absent keys or values in cookiejar.
Patch by Demian Brecht.
2015-03-13 09:05:01 +02:00
Serhiy Storchaka 9d282f6b9f Issue #19606: Use specific asserts in http.cookiejar tests. 2013-11-17 13:45:02 +02:00
Ezio Melotti 85a8629d21 #18466: fix more typos. Patch by Févry Thibault. 2013-08-17 16:57:41 +03:00
Ezio Melotti 1d237e5356 #18484: improve test coverage of http.cookiejar. Patch by Vajrasky Kok. 2013-08-10 18:20:09 +03:00
Ezio Melotti 7ac17f85d3 #18483: add one more date format in test_http2time_formats. Patch by Vajrasky Kok. 2013-08-10 18:07:25 +03:00
Antoine Pitrou 6b4883dec0 PEP 3151 / issue #12555: reworking the OS and IO exception hierarchy. 2011-10-12 02:54:14 +02:00
Benjamin Peterson eef80b6e70 this should be an identity test 2011-07-14 10:03:35 -05:00
Ezio Melotti b3aedd4862 #9424: Replace deprecated assert* methods in the Python test suite. 2010-11-20 19:04:17 +00:00
Brett Cannon 7f462fc835 Fix file closing in test_http_cookiejar. 2010-10-29 23:27:39 +00:00
Gregory P. Smith 41e6c3df8b Fixes Issue #3704: http.cookiejar was not properly handling URLs with a / in
the parameters.  (This is jjlee's issue3704.patch ported to py3k)
2010-07-19 23:17:22 +00:00
Benjamin Peterson 3e5cd1d04e Merged revisions 81465-81466,81468,81679,81735,81760,81868,82183 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk

........
  r81465 | georg.brandl | 2010-05-22 06:29:19 -0500 (Sat, 22 May 2010) | 2 lines

  Issue #3924: Ignore cookies with invalid "version" field in cookielib.
........
  r81466 | georg.brandl | 2010-05-22 06:31:16 -0500 (Sat, 22 May 2010) | 1 line

  Underscore the name of an internal utility function.
........
  r81468 | georg.brandl | 2010-05-22 06:43:25 -0500 (Sat, 22 May 2010) | 1 line

  #8635: document enumerate() start parameter in docstring.
........
  r81679 | benjamin.peterson | 2010-06-03 16:21:03 -0500 (Thu, 03 Jun 2010) | 1 line

  use a set for membership testing
........
  r81735 | michael.foord | 2010-06-05 06:46:59 -0500 (Sat, 05 Jun 2010) | 1 line

  Extract error message truncating into a method (unittest.TestCase._truncateMessage).
........
  r81760 | michael.foord | 2010-06-05 14:38:42 -0500 (Sat, 05 Jun 2010) | 1 line

  Issue 8302. SkipTest exception is setUpClass or setUpModule is now reported as a skip rather than an error.
........
  r81868 | benjamin.peterson | 2010-06-09 14:45:04 -0500 (Wed, 09 Jun 2010) | 1 line

  fix code formatting
........
  r82183 | benjamin.peterson | 2010-06-23 15:29:26 -0500 (Wed, 23 Jun 2010) | 1 line

  cpython only gc tests
........
2010-06-27 21:45:24 +00:00
Ezio Melotti b58e0bd8bb use assert[Not]In where appropriate 2010-01-23 15:40:09 +00:00
Benjamin Peterson 577473fe68 use assert[Not]In where appropriate
A patch from Dave Malcolm.
2010-01-19 00:09:57 +00:00
Benjamin Peterson c9c0f201fe convert old fail* assertions to assert* 2009-06-30 23:06:06 +00:00
Jeremy Hylton 6c5e28c383 Simplify the Request class. The basic components of the parsed
Request are now available as public attributes, e.g. full_url and
host.  The accessor methods are deprecated.  The implementation
replace the complicated __getattr__ machinery with a _parse() method.

The response from an HTTP request is now an HTTPResponse instance
instead of an addinfourl() wrapper instance.  The wrapper provided
minimal extract functionality and was undocumented.  The API of
addinfourl() was preserved, except for close hooks, by adding a few
methods and public attributes to the HTTPResponse class.
2009-03-31 14:35:53 +00:00
Guido van Rossum 52dbbb9068 - Issue #3300: make urllib.parse.[un]quote() default to UTF-8.
Code contributed by Matt Giuca.  quote() now encodes the input
  before quoting, unquote() decodes after unquoting.  There are
  new arguments to change the encoding and errors settings.
  There are also new APIs to skip the encode/decode steps.
  [un]quote_plus() are also affected.
2008-08-18 21:44:30 +00:00
Jeremy Hylton 1afc169616 Make a new urllib package .
It consists of code from urllib, urllib2, urlparse, and robotparser.
The old modules have all been removed.  The new package has five
submodules: urllib.parse, urllib.request, urllib.response,
urllib.error, and urllib.robotparser.  The urllib.request.urlopen()
function uses the url opener from urllib2.

Note that the unittests have not been renamed for the
beta, but they will be renamed in the future.

Joint work with Senthil Kumaran.
2008-06-18 20:49:58 +00:00
Barry Warsaw 820c120059 Patch for issue 2848, mostly by Humberto Diogenes, with a couple of
small fixes by Barry.  This removes mimetools from the stdlib.
2008-06-12 04:06:45 +00:00
Georg Brandl 2442015af2 Create http package. #2883. 2008-05-26 16:32:26 +00:00