From db1457abec7fe27148673f5f8bfdf5c52eb7f29f Mon Sep 17 00:00:00 2001 From: David Lord Date: Wed, 10 May 2023 11:33:18 +0000 Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q don't strip leading `=` when parsing cookie "src/werkzeug/sansio/http.py" file is not available in the current recipe version 2.1.1 and this has been introduced from 2.2.0 version. Before 2.2.0 version, this http.py file was only available in the "src/werkzeug/http.py" and we could see the same functions available there which are getting modified in the CVE fix commit. Hence, modifying the same at "src/werkzeug/http.py" file. CVE: CVE-2023-23934 Upstream-Status: Backport [https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028] Signed-off-by: Narpat Mali --- CHANGES.rst | 3 +++ src/werkzeug/_internal.py | 13 +++++++++---- src/werkzeug/http.py | 4 ---- tests/test_http.py | 4 +++- 4 files changed, 15 insertions(+), 9 deletions(-) diff --git a/CHANGES.rst b/CHANGES.rst index 6e809ba..13ef75b 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -4,6 +4,9 @@ ``RequestEntityTooLarge`` exception is raised on parsing. This mitigates a DoS attack where a larger number of form/file parts would result in disproportionate resource use. +- A cookie header that starts with ``=`` is treated as an empty key and discarded, + rather than stripping the leading ``==``. + Version 2.1.1 ------------- diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py index a8b3523..d6290ba 100644 --- a/src/werkzeug/_internal.py +++ b/src/werkzeug/_internal.py @@ -34,7 +34,7 @@ _quote_re = re.compile(rb"[\\].") _legal_cookie_chars_re = rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]" _cookie_re = re.compile( rb""" - (?P[^=;]+) + (?P[^=;]*) (?:\s*=\s* (?P "(?:[^\\"]|\\.)*" | @@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) -> t.Iterator[t.Tuple[bytes, bytes]]: """Lowlevel cookie parsing facility that operates on bytes.""" i = 0 n = len(b) + b += b";" while i < n: - match = _cookie_re.search(b + b";", i) + match = _cookie_re.match(b, i) + if not match: break - key = match.group("key").strip() - value = match.group("val") or b"" i = match.end(0) + key = match.group("key").strip() + + if not key: + continue + value = match.group("val") or b"" yield key, _cookie_unquote(value) diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py index 9369900..ae133e3 100644 --- a/src/werkzeug/http.py +++ b/src/werkzeug/http.py @@ -1205,10 +1205,6 @@ def parse_cookie( def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]: for key, val in _cookie_parse_impl(header): # type: ignore key_str = _to_str(key, charset, errors, allow_none_charset=True) - - if not key_str: - continue - val_str = _to_str(val, charset, errors, allow_none_charset=True) yield key_str, val_str diff --git a/tests/test_http.py b/tests/test_http.py index 5936bfa..59cc179 100644 --- a/tests/test_http.py +++ b/tests/test_http.py @@ -427,7 +427,8 @@ class TestHTTPUtility: def test_parse_cookie(self): cookies = http.parse_cookie( "dismiss-top=6; CP=null*; PHPSESSID=0a539d42abc001cdc762809248d4beed;" - 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d' + 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d;' + "==__Host-eq=bad;__Host-eq=good;" ) assert cookies.to_dict() == { "CP": "null*", @@ -438,6 +439,7 @@ class TestHTTPUtility: "fo234{": "bar", "blub": "Blah", '"__Secure-c"': "d", + "__Host-eq": "good", } def test_dump_cookie(self): -- 2.40.0