From ab00d73bdc48b7a2d06a44b989b4f161310768a6 Mon Sep 17 00:00:00 2001
From: "Brian C. Lane"
Date: Tue, 18 Apr 2023 16:44:22 -0700
Subject: [PATCH 2/2] Backport fix for cookie prefixed with =

This fixes CVE-2023-23934 by backporting the fix from upstream:
https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028

Resolves: rhbz#2170317
---
 tests/test_http.py | 6 ++++--
 werkzeug/_internal.py | 11 +++++++----
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/tests/test_http.py b/tests/test_http.py
index b77e3c38..c1582fd6 100644
--- a/tests/test_http.py
+++ b/tests/test_http.py
@@ -354,13 +354,15 @@ class TestHTTPUtility(object):
 def test_cookies(self):
 strict_eq(
 dict(http.parse_cookie('dismiss-top=6; CP=null*; PHPSESSID=0a539d42abc001cd'
- 'c762809248d4beed; a=42; b="\\\";"')),
+ 'c762809248d4beed; a=42; b="\\\";";'
+ '==__Host-eq=bad;__Host-eq=good;')),
 {
 'CP': u'null*',
 'PHPSESSID': u'0a539d42abc001cdc762809248d4beed',
 'a': u'42',
 'dismiss-top': u'6',
- 'b': u'\";'
+ 'b': u'\";',
+ '__Host-eq': u'good',
 }
 )
 rv = http.dump_cookie('foo', 'bar baz blub', 360, httponly=True,
diff --git a/werkzeug/_internal.py b/werkzeug/_internal.py
index 3d1ee090..0bf9fb2a 100644
--- a/werkzeug/_internal.py
+++ b/werkzeug/_internal.py
@@ -44,7 +44,7 @@ _octal_re = re.compile(b'\\\\[0-3][0-7][0-7]')
 _quote_re = re.compile(b'[\\\\].')
 _legal_cookie_chars_re = b'[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]'
 _cookie_re = re.compile(b"""
- (?P[^=]+)
+ (?P[^=]*)
 \s*=\s*
 (?P
 "(?:[^\\\\"]|\\\\.)*" |
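Review bot: The new assertion only covers a name prefixed with `==`; the accompanying parser change also skips any segment whose name is empty after `strip()`, and that path is not exercised on its own. Extend the cookie string passed to `http.parse_cookie` with a bare `=` segment, e.g. append `'=orphan; c=3;'` and add `'c': u'3'` to the expected dict, which also pins down that no `''` name reaches the result and that parsing continues past the dropped segment. A value-less segment (constructed `'flag;'`) is worth its own assertion too, because the pattern's name class `[^=]*` does not exclude `;`, so whatever result is intended there should be fixed by a test. test_cookies continues past the end of the hunk.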
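Review bot: The character class for the `key` group, `[^=]*`, still admits `;`, so once `_cookie_parse_impl` switches to an anchored `match()` a segment without `=` is not skipped but swallowed: for a constructed `flag; session=abc;` the greedy class runs up to the first `=` and yields the name `flag; session`. Upstream's version of this pattern uses `[^=;]*` together with an optional `=value` group; if the class is tightened here, the `\s*=\s*` line must become optional in the same change, otherwise the anchored match fails at the bare segment and the caller's `if not match: break` drops everything after it. At minimum the definition deserves a comment, e.g. `# name may be empty (a leading "=" is tolerated) and is NOT terminated by ";"`. The remainder of `_cookie_re` lies outside this hunk, so whether the value group is optional there cannot be confirmed from the patch.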
@@ -276,15 +276,18 @@ def _cookie_parse_impl(b):
 """Lowlevel cookie parsing facility that operates on bytes."""
 i = 0
 n = len(b)
+ b += b";"
 while i < n:
- match = _cookie_re.search(b + b';', i)
+ match = _cookie_re.match(b, i)
 if not match:
 break
- key = match.group('key').strip()
- value = match.group('val')
 i = match.end(0)
+ key = match.group('key').strip()
+ if not key:
+ continue
+ value = match.group('val') or b""
 # Ignore parameters. We have no interest in them.
 if key.lower() not in _cookie_params:
-- 
2.40.0
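Review bot: `n = len(b)` is evaluated before the new `b += b";"`, so the loop bound intentionally excludes the appended sentinel and `i` only passes it after the final match; that ordering is easy to "fix" in a later refactor, so annotate it, e.g. `n = len(b)  # bound excludes the ";" sentinel appended below`. The `or b""` on the new `value` line is carried over from upstream, where the `=value` part of `_cookie_re` is optional; in the pattern shown by this patch the `\s*=\s*` line is still mandatory, so `val` always participates and the fallback appears dead unless the unseen rest of the pattern differs — either drop it or comment why it is kept. The empty-name `continue` silently discards `=`-prefixed segments, which is the intended CVE-2023-23934 behaviour, and a one-line comment such as `# an empty name (e.g. a leading "=") is dropped rather than parsed as the next name` would tie the branch to the new test. The body of `_cookie_parse_impl` continues past the hunk.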