6e6cf25aba
Fix for leading = in cookies from upstream patch on 2.2.3:
cf275f42ac
Resolves: rhbz#2170317
75 lines
2.5 KiB
Diff
75 lines
2.5 KiB
Diff
From ab00d73bdc48b7a2d06a44b989b4f161310768a6 Mon Sep 17 00:00:00 2001
|
|
From: "Brian C. Lane" <bcl@redhat.com>
|
|
Date: Tue, 18 Apr 2023 16:44:22 -0700
|
|
Subject: [PATCH 2/2] Backport fix for cookie prefixed with =
|
|
|
|
This fixes CVE-2023-23934 by backporting the fix from upstream:
|
|
https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028
|
|
|
|
Resolves: rhbz#2170317
|
|
---
|
|
tests/test_http.py | 6 ++++--
|
|
werkzeug/_internal.py | 11 +++++++----
|
|
2 files changed, 11 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/tests/test_http.py b/tests/test_http.py
|
|
index b77e3c38..c1582fd6 100644
|
|
--- a/tests/test_http.py
|
|
+++ b/tests/test_http.py
|
|
@@ -354,13 +354,15 @@ class TestHTTPUtility(object):
|
|
def test_cookies(self):
|
|
strict_eq(
|
|
dict(http.parse_cookie('dismiss-top=6; CP=null*; PHPSESSID=0a539d42abc001cd'
|
|
- 'c762809248d4beed; a=42; b="\\\";"')),
|
|
+ 'c762809248d4beed; a=42; b="\\\";";'
|
|
+ '==__Host-eq=bad;__Host-eq=good;')),
|
|
{
|
|
'CP': u'null*',
|
|
'PHPSESSID': u'0a539d42abc001cdc762809248d4beed',
|
|
'a': u'42',
|
|
'dismiss-top': u'6',
|
|
- 'b': u'\";'
|
|
+ 'b': u'\";',
|
|
+ '__Host-eq': u'good',
|
|
}
|
|
)
|
|
rv = http.dump_cookie('foo', 'bar baz blub', 360, httponly=True,
|
|
diff --git a/werkzeug/_internal.py b/werkzeug/_internal.py
|
|
index 3d1ee090..0bf9fb2a 100644
|
|
--- a/werkzeug/_internal.py
|
|
+++ b/werkzeug/_internal.py
|
|
@@ -44,7 +44,7 @@ _octal_re = re.compile(b'\\\\[0-3][0-7][0-7]')
|
|
_quote_re = re.compile(b'[\\\\].')
|
|
_legal_cookie_chars_re = b'[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]'
|
|
_cookie_re = re.compile(b"""
|
|
- (?P<key>[^=]+)
|
|
+ (?P<key>[^=]*)
|
|
\s*=\s*
|
|
(?P<val>
|
|
"(?:[^\\\\"]|\\\\.)*" |
|
|
@@ -276,15 +276,18 @@ def _cookie_parse_impl(b):
|
|
"""Lowlevel cookie parsing facility that operates on bytes."""
|
|
i = 0
|
|
n = len(b)
|
|
+ b += b";"
|
|
|
|
while i < n:
|
|
- match = _cookie_re.search(b + b';', i)
|
|
+ match = _cookie_re.match(b, i)
|
|
if not match:
|
|
break
|
|
|
|
- key = match.group('key').strip()
|
|
- value = match.group('val')
|
|
i = match.end(0)
|
|
+ key = match.group('key').strip()
|
|
+ if not key:
|
|
+ continue
|
|
+ value = match.group('val') or b""
|
|
|
|
# Ignore parameters. We have no interest in them.
|
|
if key.lower() not in _cookie_params:
|
|
--
|
|
2.40.0
|
|
|