Lax cookie parsing in http.cookies could be a security issue when combined
with non-standard cookie handling in some Web browsers. Reported by Sergey Bobrov.
This commit is contained in:
commit
0d54887326
|
@ -431,6 +431,7 @@ class Morsel(dict):
|
|||
_LegalCharsPatt = r"[\w\d!#%&'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
|
||||
_CookiePattern = re.compile(r"""
|
||||
(?x) # This is a verbose pattern
|
||||
\s* # Optional whitespace at start of cookie
|
||||
(?P<key> # Start of group 'key'
|
||||
""" + _LegalCharsPatt + r"""+? # Any word of at least one letter
|
||||
) # End of group 'key'
|
||||
|
@ -534,7 +535,7 @@ class BaseCookie(dict):
|
|||
|
||||
while 0 <= i < n:
|
||||
# Start looking for a cookie
|
||||
match = patt.search(str, i)
|
||||
match = patt.match(str, i)
|
||||
if not match:
|
||||
# No more cookies
|
||||
break
|
||||
|
|
|
@ -179,6 +179,15 @@ class CookieTests(unittest.TestCase):
|
|||
</script>
|
||||
""")
|
||||
|
||||
def test_invalid_cookies(self):
|
||||
# Accepting these could be a security issue
|
||||
C = cookies.SimpleCookie()
|
||||
for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'):
|
||||
C.load(s)
|
||||
self.assertEqual(dict(C), {})
|
||||
self.assertEqual(C.output(), '')
|
||||
|
||||
|
||||
class MorselTests(unittest.TestCase):
|
||||
"""Tests for the Morsel object."""
|
||||
|
||||
|
|
|
@ -142,6 +142,7 @@ Martin Bless
|
|||
Pablo Bleyer
|
||||
Erik van Blokland
|
||||
Eric Blossom
|
||||
Sergey Bobrov
|
||||
Finn Bock
|
||||
Paul Boddie
|
||||
Matthew Boedicker
|
||||
|
|
|
@ -132,6 +132,10 @@ Core and Builtins
|
|||
Library
|
||||
-------
|
||||
|
||||
- Lax cookie parsing in http.cookies could be a security issue when combined
|
||||
with non-standard cookie handling in some Web browsers. Reported by
|
||||
Sergey Bobrov.
|
||||
|
||||
- Issue #20537: logging methods now accept an exception instance as well as a
|
||||
Boolean value or exception tuple. Thanks to Yury Selivanov for the patch.
|
||||
|
||||
|
|
Loading…
Reference in New Issue