Martin Panter added the comment:
Looking at this a second time, I think I have figured out what the security
report was about. Before the fix (before revision 270f61ec1157), an attacker
could trick the parser into accepting a separate key=value cookie “morsel”,
when it was supposed to be part of some other cookie value. Suppose the “c=d”
text was meant to be associated with the “message” key. Before the security
fix, “c=d” is separated:
>>> SimpleCookie('a=b; messages=[""]c=d;')
<SimpleCookie: a='b' c='d'>
With the fix applied, we now silently abort the parsing, and there is no
spurious “c” key:
>>> SimpleCookie('a=b; messages=[""]c=d;')
<SimpleCookie: a='b'>
This also seems to be described by Sergey Bobrov in Russian at
<https://habrahabr.ru/post/272187/>.
Looking at the proposed patch again, I think the fix might be okay. Some
specifications for cookies allow semicolons to be quoted or escaped, and I was
a bit worried that this might be a problem. But all the scenarios I can imagine
would be no worse with the patch compared to without it.
----------
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue25228>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
