Commit Graph

51 Commits

Author SHA1 Message Date
Miss Islington (bot) cb6085138a
bpo-38804: Fix REDoS in http.cookiejar (GH-17157)
The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
expression denial of service (REDoS).

LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar
to parse Set-Cookie headers returned by a server.
Processing a response from a malicious HTTP server can lead to extreme
CPU usage and execution will be blocked for a long time.

The regex contained multiple overlapping \s* capture groups.
Ignoring the ?-optional capture groups the regex could be simplified to

    \d+-\w+-\d+(\s*\s*\s*)$

Therefore, a long sequence of spaces can trigger bad performance.

Matching a malicious string such as

    LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")

caused catastrophic backtracking.

The fix removes ambiguity about which \s* should match a particular
space.

You can create a malicious server which responds with Set-Cookie headers
to attack all python programs which access it e.g.

    from http.server import BaseHTTPRequestHandler, HTTPServer

    def make_set_cookie_value(n_spaces):
        spaces = " " * n_spaces
        expiry = f"1-c-1{spaces}!"
        return f"b;Expires={expiry}"

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.log_request(204)
            self.send_response_only(204)  GH- Don't bother sending Server and Date
            n_spaces = (
                int(self.path[1:])  GH- Can GET e.g. /100 to test shorter sequences
                if len(self.path) > 1 else
                65506  GH- Max header line length 65536
            )
            value = make_set_cookie_value(n_spaces)
            for i in range(99):  GH- Not necessary, but we can have up to 100 header lines
                self.send_header("Set-Cookie", value)
            self.end_headers()

    if __name__ == "__main__":
        HTTPServer(("", 44020), Handler).serve_forever()

This server returns 99 Set-Cookie headers. Each has 65506 spaces.
Extracting the cookies will pretty much never complete.

Vulnerable client using the example at the bottom of
https://docs.python.org/3/library/http.cookiejar.html :

    import http.cookiejar, urllib.request
    cj = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
    r = opener.open("http://localhost:44020/")

The popular requests library was also vulnerable without any additional
options (as it uses http.cookiejar by default):

    import requests
    requests.get("http://localhost:44020/")

* Regression test for http.cookiejar REDoS

If we regress, this test will take a very long time.

* Improve performance of http.cookiejar.ISO_DATE_RE

A string like

"444444" + (" " * 2000) + "A"

could cause poor performance due to the 2 overlapping \s* groups,
although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.
(cherry picked from commit 1b779bfb85)

Co-authored-by: bcaller <bcaller@users.noreply.github.com>
2019-11-22 06:42:13 -08:00
Xtreak e7b7edf5eb [3.7] bpo-12144: Handle cookies with expires attribute in CookieJar.make_cookies (GH-13921) (GH-16092)
* [3.7] bpo-12144: Handle cookies with expires attribute in CookieJar.make_cookies (GH-13921)

Handle time comparison for cookies with `expires` attribute when `CookieJar.make_cookies` is called.

Co-authored-by: Demian Brecht <demianbrecht@gmail.com>

https://bugs.python.org/issue12144

Automerge-Triggered-By: @asvetlov
(cherry picked from commit bb41147)

Co-authored-by: Xtreak <tir.karthi@gmail.com>

* Use warnings module instead of test.support.check_no_warnings

* [3.7] bpo-12144: Handle cookies with expires attribute in CookieJar.make_cookies (GH-13921)

Handle time comparison for cookies with `expires` attribute when `CookieJar.make_cookies` is called.

Co-authored-by: Demian Brecht <demianbrecht@gmail.com>

https://bugs.python.org/issue12144

Automerge-Triggered-By: @asvetlov.
(cherry picked from commit bb41147eab)

Co-authored-by: Xtreak <tir.karthi@gmail.com>
2019-09-13 15:22:12 +03:00
Miss Islington (bot) 97c7d78fda
bpo-35647: Fix path check in cookiejar (GH-11436)
* Refactor cookie path check as per RFC 6265

* Add tests for prefix match of path

* Add news entry

* Fix set_ok_path and refactor tests

* Use slice for last letter
(cherry picked from commit 0e1f1f0105)

Co-authored-by: Xtreak <tir.karthi@gmail.com>
2019-03-10 10:30:35 -07:00
Miss Islington (bot) e5123d81ff bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258) (GH-12261)
Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy.  Patch by Karthikeyan Singaravelan.
(cherry picked from commit ca7fe50635)

Co-authored-by: Xtreak <tir.karthi@gmail.com>
2019-03-09 21:58:25 -05:00
Antoine Pitrou a6a4dc816d bpo-31370: Remove support for threads-less builds (#3385)
* Remove Setup.config
* Always define WITH_THREAD for compatibility.
2017-09-07 18:56:24 +02:00
R David Murray 44b548dda8 #27364: fix "incorrect" uses of escape character in the stdlib.
And most of the tools.

Patch by Emanual Barry, reviewed by me, Serhiy Storchaka, and
Martin Panter.
2016-09-08 13:59:53 -04:00
Raymond Hettinger 7ea386e56e Issue 19504: Change "customise" to "customize" American spelling. 2016-08-25 21:11:50 -07:00
Senthil Kumaran d5b47fb8ce Issue #27466: Change time format returned by http.cookie.time2netscape,
confirming the netscape cookie format.
2016-07-10 06:45:38 -07:00
Martin Panter f0564164ba Fix typos in comments, documentation and test method names 2016-05-08 13:48:10 +00:00
Berker Peksag 20be53e5b5 Issue #16181: cookiejar.http2time() now returns None if year is higher than datetime.MAXYEAR 2016-03-14 05:48:02 +02:00
Martin Panter 32acc16cda Merge typo and grammar fixes from 3.4 into 3.5 2015-11-14 01:14:25 +00:00
Martin Panter ac34e09bbf Correct Content-Type syntax in documentation 2015-11-14 00:58:32 +00:00
Serhiy Storchaka a84f6c3dd3 Issue #25523: Merge a-to-an corrections from 3.4. 2015-11-02 14:39:05 +02:00
Serhiy Storchaka d65c9496da Issue #25523: Further a-to-an corrections. 2015-11-02 14:10:23 +02:00
Robert Collins a0e5d981cd Issue #23888: Handle fractional time in cookie expiry. Patch by ssh. 2015-08-04 10:06:29 +12:00
Robert Collins f3d9c315b6 Issue #23888: Handle fractional time in cookie expiry. Patch by ssh. 2015-08-04 10:07:06 +12:00
Serhiy Storchaka 46ba6c8563 Issue #22831: Use "with" to avoid possible fd leaks. 2015-04-04 11:01:02 +03:00
Serhiy Storchaka f7cc3fccad Issue #23138: Fixed parsing cookies with absent keys or values in cookiejar.
Patch by Demian Brecht.
2015-03-13 09:09:35 +02:00
Serhiy Storchaka 577fc4e87f Issue #23138: Fixed parsing cookies with absent keys or values in cookiejar.
Patch by Demian Brecht.
2015-03-13 09:05:01 +02:00
Benjamin Peterson 610bc6a211 merge 3.4 (#23221) 2015-01-13 09:20:31 -05:00
Benjamin Peterson 82f34ada45 fix instances of consecutive articles (closes #23221)
Patch by Karan Goel.
2015-01-13 09:17:24 -05:00
Victor Stinner 55e614a2a8 Issue #11957: Explicit parameter name when calling re.split() and re.sub() 2014-10-29 16:58:59 +01:00
Serhiy Storchaka 465e60e654 Issue #22033: Reprs of most Python implemened classes now contain actual
class name instead of hardcoded one.
2014-07-25 23:36:00 +03:00
Serhiy Storchaka 1392df96ef Fixed bugs in reprs of CookieJar and multiprocessing.dummy.Value. 2014-07-22 11:09:36 +03:00
Benjamin Peterson fc45f173a3 merge 3.3 (#20018) 2013-12-18 15:37:03 -06:00
Benjamin Peterson ccedc22769 update url to spec (closes #20018) 2013-12-18 15:35:18 -06:00
Brett Cannon cd171c8e92 Issue #18200: Back out usage of ModuleNotFoundError (8d28d44f3a9a) 2013-07-04 17:43:24 -04:00
Brett Cannon 0a140668fa Issue #18200: Update the stdlib (except tests) to use
ModuleNotFoundError.
2013-06-13 20:57:26 -04:00
Senthil Kumaran 7005b1f90a #17678: Remove the use of a deprecated method http/cookiejar.py. Changing the
usage of get_origin_req_host() to origin_req_host.

Patch by Wei-Cheng Pan
2013-04-09 07:11:07 -07:00
Senthil Kumaran d9fbf36bbd #17678: Fix DeprecationWarning in the http/cookiejar.py by changing the usage
of get_origin_req_host() to origin_req_host.

Patch by Wei-Cheng Pan
2013-04-09 07:07:59 -07:00
Giampaolo Rodola' 2f50aaf2ff modernize some modules' code by using with statement around open() 2013-02-12 02:04:27 +01:00
Andrew Svetlov f7a17b48d7 Replace IOError with OSError (#16715) 2012-12-25 16:47:37 +02:00
Philip Jenvey fd0d3e5d25 more yield from
patch by Serhiy Storchaka
2012-10-01 15:34:31 -07:00
Ezio Melotti 8b15ee0d6e #15980: merge with 3.2. 2012-09-21 16:31:24 +03:00
Ezio Melotti 0847db7c01 #15980: properly escape newlines in docstrings. Patch by Serhiy Storchaka. 2012-09-21 16:30:22 +03:00
Meador Inge da1ffbc4ee Issue #15409: Replace use of deprecated urllib.request.Request methods in http.cookijar
Patch by Flávio Ribeiro.
2012-07-20 19:12:04 -05:00
Éric Araujo 23760e97ed Don’t interpret backslashes in ASCII diagram in a docstring 2011-11-07 17:52:48 +01:00
Ezio Melotti e130a52d8a Remove duplication. 2011-10-19 10:58:56 +03:00
Victor Stinner 56f9a0221b merge 3.1 2011-03-21 02:51:38 +01:00
Victor Stinner 628225c0d1 Issue #5537: Fix time2isoz() and time2netscape() functions of httplib.cookiejar
for expiration year greater than 2038 on 32-bit systems.
2011-03-21 02:38:51 +01:00
Georg Brandl e5d518f252 Merged revisions 83370,83372-83374,83384 via svnmerge from
svn+ssh://svn.python.org/python/branches/py3k

........
  r83370 | georg.brandl | 2010-07-31 23:51:48 +0200 (Sa, 31 Jul 2010) | 5 lines

  #8198: the Helper class should not save the stdin and stdout objects
  at import time, rather by default use the current streams like the
  other APIs that output help.
........
  r83372 | georg.brandl | 2010-08-01 00:05:54 +0200 (So, 01 Aug 2010) | 1 line

  #4007: remove *.a and *.so.X.Y files in "make clean".
........
  r83373 | georg.brandl | 2010-08-01 00:11:11 +0200 (So, 01 Aug 2010) | 1 line

  #5147: revert accidental indentation of header constant for MozillaCookieJar.
........
  r83374 | georg.brandl | 2010-08-01 00:32:52 +0200 (So, 01 Aug 2010) | 1 line

  #5146: handle UID THREAD command correctly.
........
  r83384 | georg.brandl | 2010-08-01 08:32:55 +0200 (So, 01 Aug 2010) | 1 line

  Build properties using lambdas.  This makes test_pyclbr pass again, because it does not think that input and output are methods anymore.
........
2010-08-01 19:09:07 +00:00
Georg Brandl 87a1564f24 #5147: revert accidental indentation of header constant for MozillaCookieJar. 2010-07-31 22:11:11 +00:00
Gregory P. Smith 2c4973dd4a Merged revisions 82985 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k

........
  r82985 | gregory.p.smith | 2010-07-19 16:17:22 -0700 (Mon, 19 Jul 2010) | 3 lines

  Fixes Issue #3704: http.cookiejar was not properly handling URLs with a / in
  the parameters.  (This is jjlee's issue3704.patch ported to py3k)
........
2010-07-25 19:53:20 +00:00
Gregory P. Smith 41e6c3df8b Fixes Issue #3704: http.cookiejar was not properly handling URLs with a / in
the parameters.  (This is jjlee's issue3704.patch ported to py3k)
2010-07-19 23:17:22 +00:00
Benjamin Peterson 3e5cd1d04e Merged revisions 81465-81466,81468,81679,81735,81760,81868,82183 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk

........
  r81465 | georg.brandl | 2010-05-22 06:29:19 -0500 (Sat, 22 May 2010) | 2 lines

  Issue #3924: Ignore cookies with invalid "version" field in cookielib.
........
  r81466 | georg.brandl | 2010-05-22 06:31:16 -0500 (Sat, 22 May 2010) | 1 line

  Underscore the name of an internal utility function.
........
  r81468 | georg.brandl | 2010-05-22 06:43:25 -0500 (Sat, 22 May 2010) | 1 line

  #8635: document enumerate() start parameter in docstring.
........
  r81679 | benjamin.peterson | 2010-06-03 16:21:03 -0500 (Thu, 03 Jun 2010) | 1 line

  use a set for membership testing
........
  r81735 | michael.foord | 2010-06-05 06:46:59 -0500 (Sat, 05 Jun 2010) | 1 line

  Extract error message truncating into a method (unittest.TestCase._truncateMessage).
........
  r81760 | michael.foord | 2010-06-05 14:38:42 -0500 (Sat, 05 Jun 2010) | 1 line

  Issue 8302. SkipTest exception is setUpClass or setUpModule is now reported as a skip rather than an error.
........
  r81868 | benjamin.peterson | 2010-06-09 14:45:04 -0500 (Wed, 09 Jun 2010) | 1 line

  fix code formatting
........
  r82183 | benjamin.peterson | 2010-06-23 15:29:26 -0500 (Wed, 23 Jun 2010) | 1 line

  cpython only gc tests
........
2010-06-27 21:45:24 +00:00
Antoine Pitrou fd036451bf #2834: Change re module semantics, so that str and bytes mixing is forbidden,
and str (unicode) patterns get full unicode matching by default. The re.ASCII
flag is also introduced to ask for ASCII matching instead.
2008-08-19 17:56:33 +00:00
Georg Brandl 029986af24 Fix old urllib/urllib2/urlparse usage. 2008-06-23 11:44:14 +00:00
Jeremy Hylton 1afc169616 Make a new urllib package .
It consists of code from urllib, urllib2, urlparse, and robotparser.
The old modules have all been removed.  The new package has five
submodules: urllib.parse, urllib.request, urllib.response,
urllib.error, and urllib.robotparser.  The urllib.request.urlopen()
function uses the url opener from urllib2.

Note that the unittests have not been renamed for the
beta, but they will be renamed in the future.

Joint work with Senthil Kumaran.
2008-06-18 20:49:58 +00:00
Barry Warsaw 820c120059 Patch for issue 2848, mostly by Humberto Diogenes, with a couple of
small fixes by Barry.  This removes mimetools from the stdlib.
2008-06-12 04:06:45 +00:00
Georg Brandl 7c9b61b116 Remove _FooCookieJar modules and merge their content into http.cookiejar. 2008-05-26 17:56:51 +00:00