[issue33017] Special set-cookie setting will bypass Cookielib

2022-02-10 Thread Adrian Chaves


Adrian Chaves  added the comment:

So, PoC shows how an empty domain attribute (Domain=) is erroneously turned 
into a dot (.).

I want to add that a dot (Domain=.) should be turned into an empty string (the 
specification asks to remove a leading dot if found).

--
nosy: +adrian2

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue33017] Special set-cookie setting will bypass Cookielib

2019-04-25 Thread Martin Panter

Martin Panter  added the comment:

I think LCatro is saying that Python should accept the cookies and discard only 
the offending attributes. This makes sense to me and tends to agree with the 
specifications, but the three cases seem all seem unimportant to me.

PoC 1, Max-age:

>>> from urllib2 import Request
>>> from test.test_cookielib import FakeResponse
>>> cookies = CookieJar(DefaultCookiePolicy())
>>> request = Request('http://127.0.0.1/requests_test.php')
>>> cookies.extract_cookies(FakeResponse(()), request)  # Issue 12144
>>> cookies.make_cookies(FakeResponse(('Set-Cookie: test=123; max-age=a',)), 
>>> request)  # No cookies returned
[]

RFC 6265 says Max-age should be ignored if not does not start with a digit or 
minus sign: . Netscape did 
not specify Max-age at all. So I agree that the cookie should be retained.

PoC 2, Domain: You have to omit the equals sign to satisfy “v is None” and 
discard the cookie record, otherwise “v” is just an empty string '':

>>> cookies.make_cookies(FakeResponse(('Set-Cookie: test=123; domain=;',)), 
>>> request)  # v == ''
[Cookie(version=0, name='test', value='123', port=None, port_specified=False, 
domain='.', domain_specified=True, domain_initial_dot=False, path='/', 
path_specified=False, secure=False, expires=None, discard=True, comment=None, 
comment_url=None, rest={}, rfc2109=False)]
>>> cookies.make_cookies(FakeResponse(('Set-Cookie: test=123; domain;',)), 
>>> request)  # v is None
[]

RFC 6265 says both these cases should be treated the same, and recommends 
ignoring Domain in these cases.

PoC 3, Version:

>>> cookies.make_cookies(FakeResponse(('Set-Cookie: test=123; version=a;',)), 
>>> request)  # No cookies returned
[]

The Version attribute is only specified by RFC 2109. Since the IETF has 
obsoleted it, I suggest to deprecate RFC 2109 support in the Python module. 
That way, if a real problem is demonstrated, we can remove the parts that are 
causing the problem.

--
nosy: +martin.panter
priority: normal -> low

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue33017] Special set-cookie setting will bypass Cookielib

2018-03-18 Thread R. David Murray

R. David Murray  added the comment:

Can you explain what you think the problem is?  I don't know what your "POC" 
snippets are trying to demonstrate.

--
nosy: +r.david.murray

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue33017] Special set-cookie setting will bypass Cookielib

2018-03-06 Thread LCatro

New submission from LCatro :

PoC (PHP Version):

 header('Set-Cookie: test=123; max-age=a');  //  PoC 1
 header('Set-Cookie: test=123; domain=;');  //  PoC 2
 header('Set-Cookie: test=123; version=a;');  //  PoC 3

PoC 1 will trigger int() convert string to number from max-age 
(lib/cookielib.py:1429).I give this value a string ,it will make except 

try:
v = int(v) #  lib/cookielib.py:1429
except ValueError:
_debug("   missing or invalid (non-numeric) value for "
  "max-age attribute")
bad_cookie = True
break  #  lib/cookielib.py:1434

PoC 2 is a domain None value (lib/cookielib.py:1412).Cookielib will discard 
current cookie record.
if k == "domain":  #  lib/cookielib.py:1411
if v is None:  #  lib/cookielib.py:1412
_debug("   missing value for domain attribute")
bad_cookie = True
break  #  lib/cookielib.py:1415

PoC 3 will trigger a int() convert except(lib/cookielib.py:1472).Cookielib will 
discard current cookie record too.
version = standard.get("version", None)  #  lib/cookielib.py:1469
if version is not None:
try:
version = int(version)  #  lib/cookielib.py:1472
except ValueError:
return None  # invalid version, ignore cookie

There are PoCs involve urllib and requests library .

Full Code Analysis (Chinese Version): 
https://github.com/lcatro/Python_CookieLib_0day

--
components: Library (Lib)
files: poc.php
messages: 313370
nosy: LCatro
priority: normal
severity: normal
status: open
title: Special set-cookie setting will bypass Cookielib
versions: Python 2.7
Added file: https://bugs.python.org/file47472/poc.php

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com