forked from pool/python313
184 lines
8.2 KiB
Diff
184 lines
8.2 KiB
Diff
From 19ca21e044a9485c85b08aab297a5cbb8680b8d1 Mon Sep 17 00:00:00 2001
|
|
From: Seth Michael Larson <seth@python.org>
|
|
Date: Tue, 20 Jan 2026 15:23:42 -0600
|
|
Subject: [PATCH] gh-143919: Reject control characters in http cookies (cherry
|
|
picked from commit 95746b3a13a985787ef53b977129041971ed7f70)
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Co-authored-by: Seth Michael Larson <seth@python.org>
|
|
Co-authored-by: Bartosz Sławecki <bartosz@ilikepython.com>
|
|
Co-authored-by: sobolevn <mail@sobolevn.me>
|
|
---
|
|
Doc/library/http.cookies.rst | 4
|
|
Lib/http/cookies.py | 25 ++++
|
|
Lib/test/test_http_cookies.py | 52 +++++++++-
|
|
Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst | 1
|
|
4 files changed, 73 insertions(+), 9 deletions(-)
|
|
create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst
|
|
|
|
Index: Python-3.13.11/Doc/library/http.cookies.rst
|
|
===================================================================
|
|
--- Python-3.13.11.orig/Doc/library/http.cookies.rst 2025-12-05 17:06:33.000000000 +0100
|
|
+++ Python-3.13.11/Doc/library/http.cookies.rst 2026-01-30 14:44:25.305782794 +0100
|
|
@@ -275,9 +275,9 @@
|
|
Set-Cookie: chips=ahoy
|
|
Set-Cookie: vienna=finger
|
|
>>> C = cookies.SimpleCookie()
|
|
- >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=\\012;";')
|
|
+ >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=;";')
|
|
>>> print(C)
|
|
- Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=\012;"
|
|
+ Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=;"
|
|
>>> C = cookies.SimpleCookie()
|
|
>>> C["oreo"] = "doublestuff"
|
|
>>> C["oreo"]["path"] = "/"
|
|
Index: Python-3.13.11/Lib/http/cookies.py
|
|
===================================================================
|
|
--- Python-3.13.11.orig/Lib/http/cookies.py 2025-12-05 17:06:33.000000000 +0100
|
|
+++ Python-3.13.11/Lib/http/cookies.py 2026-01-30 14:44:25.306003494 +0100
|
|
@@ -87,9 +87,9 @@
|
|
such trickeries do not confuse it.
|
|
|
|
>>> C = cookies.SimpleCookie()
|
|
- >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=\\012;";')
|
|
+ >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=;";')
|
|
>>> print(C)
|
|
- Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=\012;"
|
|
+ Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=;"
|
|
|
|
Each element of the Cookie also supports all of the RFC 2109
|
|
Cookie attributes. Here's an example which sets the Path
|
|
@@ -170,6 +170,15 @@
|
|
})
|
|
|
|
_is_legal_key = re.compile('[%s]+' % re.escape(_LegalChars)).fullmatch
|
|
+_control_character_re = re.compile(r'[\x00-\x1F\x7F]')
|
|
+
|
|
+
|
|
+def _has_control_character(*val):
|
|
+ """Detects control characters within a value.
|
|
+ Supports any type, as header values can be any type.
|
|
+ """
|
|
+ return any(_control_character_re.search(str(v)) for v in val)
|
|
+
|
|
|
|
def _quote(str):
|
|
r"""Quote a string for use in a cookie header.
|
|
@@ -292,12 +301,16 @@
|
|
K = K.lower()
|
|
if not K in self._reserved:
|
|
raise CookieError("Invalid attribute %r" % (K,))
|
|
+ if _has_control_character(K, V):
|
|
+ raise CookieError(f"Control characters are not allowed in cookies {K!r} {V!r}")
|
|
dict.__setitem__(self, K, V)
|
|
|
|
def setdefault(self, key, val=None):
|
|
key = key.lower()
|
|
if key not in self._reserved:
|
|
raise CookieError("Invalid attribute %r" % (key,))
|
|
+ if _has_control_character(key, val):
|
|
+ raise CookieError("Control characters are not allowed in cookies %r %r" % (key, val,))
|
|
return dict.setdefault(self, key, val)
|
|
|
|
def __eq__(self, morsel):
|
|
@@ -333,6 +346,9 @@
|
|
raise CookieError('Attempt to set a reserved key %r' % (key,))
|
|
if not _is_legal_key(key):
|
|
raise CookieError('Illegal key %r' % (key,))
|
|
+ if _has_control_character(key, val, coded_val):
|
|
+ raise CookieError(
|
|
+ "Control characters are not allowed in cookies %r %r %r" % (key, val, coded_val,))
|
|
|
|
# It's a good key, so save it.
|
|
self._key = key
|
|
@@ -486,7 +502,10 @@
|
|
result = []
|
|
items = sorted(self.items())
|
|
for key, value in items:
|
|
- result.append(value.output(attrs, header))
|
|
+ value_output = value.output(attrs, header)
|
|
+ if _has_control_character(value_output):
|
|
+ raise CookieError("Control characters are not allowed in cookies")
|
|
+ result.append(value_output)
|
|
return sep.join(result)
|
|
|
|
__str__ = output
|
|
Index: Python-3.13.11/Lib/test/test_http_cookies.py
|
|
===================================================================
|
|
--- Python-3.13.11.orig/Lib/test/test_http_cookies.py 2025-12-05 17:06:33.000000000 +0100
|
|
+++ Python-3.13.11/Lib/test/test_http_cookies.py 2026-01-30 14:44:25.306223496 +0100
|
|
@@ -18,10 +18,10 @@
|
|
'repr': "<SimpleCookie: chips='ahoy' vienna='finger'>",
|
|
'output': 'Set-Cookie: chips=ahoy\nSet-Cookie: vienna=finger'},
|
|
|
|
- {'data': 'keebler="E=mc2; L=\\"Loves\\"; fudge=\\012;"',
|
|
- 'dict': {'keebler' : 'E=mc2; L="Loves"; fudge=\012;'},
|
|
- 'repr': '''<SimpleCookie: keebler='E=mc2; L="Loves"; fudge=\\n;'>''',
|
|
- 'output': 'Set-Cookie: keebler="E=mc2; L=\\"Loves\\"; fudge=\\012;"'},
|
|
+ {'data': 'keebler="E=mc2; L=\\"Loves\\"; fudge=;"',
|
|
+ 'dict': {'keebler' : 'E=mc2; L="Loves"; fudge=;'},
|
|
+ 'repr': '''<SimpleCookie: keebler='E=mc2; L="Loves"; fudge=;'>''',
|
|
+ 'output': 'Set-Cookie: keebler="E=mc2; L=\\"Loves\\"; fudge=;"'},
|
|
|
|
# Check illegal cookies that have an '=' char in an unquoted value
|
|
{'data': 'keebler=E=mc2',
|
|
@@ -564,6 +564,50 @@
|
|
r'Set-Cookie: key=coded_val; '
|
|
r'expires=\w+, \d+ \w+ \d+ \d+:\d+:\d+ \w+')
|
|
|
|
+ def test_control_characters(self):
|
|
+ for c0 in support.control_characters_c0():
|
|
+ morsel = cookies.Morsel()
|
|
+
|
|
+ # .__setitem__()
|
|
+ with self.assertRaises(cookies.CookieError):
|
|
+ morsel[c0] = "val"
|
|
+ with self.assertRaises(cookies.CookieError):
|
|
+ morsel["path"] = c0
|
|
+
|
|
+ # .setdefault()
|
|
+ with self.assertRaises(cookies.CookieError):
|
|
+ morsel.setdefault("path", c0)
|
|
+ with self.assertRaises(cookies.CookieError):
|
|
+ morsel.setdefault(c0, "val")
|
|
+
|
|
+ # .set()
|
|
+ with self.assertRaises(cookies.CookieError):
|
|
+ morsel.set(c0, "val", "coded-value")
|
|
+ with self.assertRaises(cookies.CookieError):
|
|
+ morsel.set("path", c0, "coded-value")
|
|
+ with self.assertRaises(cookies.CookieError):
|
|
+ morsel.set("path", "val", c0)
|
|
+
|
|
+ def test_control_characters_output(self):
|
|
+ # Tests that even if the internals of Morsel are modified
|
|
+ # that a call to .output() has control character safeguards.
|
|
+ for c0 in support.control_characters_c0():
|
|
+ morsel = cookies.Morsel()
|
|
+ morsel.set("key", "value", "coded-value")
|
|
+ morsel._key = c0 # Override private variable.
|
|
+ cookie = cookies.SimpleCookie()
|
|
+ cookie["cookie"] = morsel
|
|
+ with self.assertRaises(cookies.CookieError):
|
|
+ cookie.output()
|
|
+
|
|
+ morsel = cookies.Morsel()
|
|
+ morsel.set("key", "value", "coded-value")
|
|
+ morsel._coded_value = c0 # Override private variable.
|
|
+ cookie = cookies.SimpleCookie()
|
|
+ cookie["cookie"] = morsel
|
|
+ with self.assertRaises(cookies.CookieError):
|
|
+ cookie.output()
|
|
+
|
|
|
|
def load_tests(loader, tests, pattern):
|
|
tests.addTest(doctest.DocTestSuite(cookies))
|
|
Index: Python-3.13.11/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst
|
|
===================================================================
|
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
|
+++ Python-3.13.11/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst 2026-01-30 14:44:25.306394608 +0100
|
|
@@ -0,0 +1 @@
|
|
+Reject control characters in :class:`http.cookies.Morsel` fields and values.
|