New submission from LCatro <[email protected]>:
PoC (PHP Version):
header('Set-Cookie: test=123; max-age=a'); // PoC 1
header('Set-Cookie: test=123; domain=;'); // PoC 2
header('Set-Cookie: test=123; version=a;'); // PoC 3
PoC 1 will trigger the int() conversion of the max-age string to a number
(lib/cookielib.py:1429). I give this value a string, so it raises an exception:

    try:
        v = int(v)  # lib/cookielib.py:1429
    except ValueError:
        _debug(" missing or invalid (non-numeric) value for "
               "max-age attribute")
        bad_cookie = True
        break  # lib/cookielib.py:1434

PoC 2 is a None domain value (lib/cookielib.py:1412). Cookielib will discard
the current cookie record.

    if k == "domain":  # lib/cookielib.py:1411
        if v is None:  # lib/cookielib.py:1412
            _debug(" missing value for domain attribute")
            bad_cookie = True
            break  # lib/cookielib.py:1415

PoC 3 will trigger an int() conversion exception (lib/cookielib.py:1472).
Cookielib will discard the current cookie record too.

    version = standard.get("version", None)  # lib/cookielib.py:1469
    if version is not None:
        try:
            version = int(version)  # lib/cookielib.py:1472
        except ValueError:
            return None  # invalid version, ignore cookie

There are PoCs that involve the urllib and requests libraries.
Full Code Analysis (Chinese Version):
https://github.com/lcatro/Python_CookieLib_0day
----------
components: Library (Lib)
files: poc.php
messages: 313370
nosy: LCatro
priority: normal
severity: normal
status: open
title: Special set-cookie setting will bypass Cookielib
versions: Python 2.7
Added file: https://bugs.python.org/file47472/poc.php
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue33017>
_______________________________________
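
Added example, not part of the original report or of CPython: a client-side check that feeds Set-Cookie values to a cookie jar and lists the ones it silently discarded, covering the max-age (PoC 1) and version (PoC 3) cases. It assumes Python 3, where cookielib is named http.cookiejar and has the same int() checks; FakeResponse, stored_cookie_names, dropped_headers and the example.test URL are constructed for the illustration.

```python
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Hypothetical stand-in for an HTTP response; the jar only calls info()."""

    def __init__(self, set_cookie_value):
        self._msg = email.message.Message()
        self._msg["Set-Cookie"] = set_cookie_value

    def info(self):
        return self._msg


def stored_cookie_names(set_cookie_value, url="http://example.test/"):
    """Return the cookie names a fresh jar keeps for one Set-Cookie value."""
    jar = http.cookiejar.CookieJar()
    request = urllib.request.Request(url)  # constructed placeholder URL
    jar.extract_cookies(FakeResponse(set_cookie_value), request)
    return sorted(cookie.name for cookie in jar)


def dropped_headers(set_cookie_values):
    """Return the Set-Cookie values for which the jar stored nothing."""
    return [v for v in set_cookie_values if not stored_cookie_names(v)]


# Constructed sample headers: two well-formed, two taken from the report.
SAMPLE = [
    "test=123",
    "test=123; max-age=60",
    "test=123; max-age=a",   # PoC 1: non-numeric max-age
    "test=123; version=a;",  # PoC 3: non-numeric version
]

if __name__ == "__main__":
    for value in dropped_headers(SAMPLE):
        print("discarded by cookie jar:", value)
```

Logging the result of such a check makes the discard visible to the application instead of leaving it only in the module's debug output.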