Commit e32b20fe authored by Tres Seaver's avatar Tres Seaver

Process "evil" JSON cookies which contain double quotes

Such cookies violate RFC 2965 / 2616.

Fixes LP #563229.
parent 63c7bb8e
......@@ -11,6 +11,9 @@ http://docs.zope.org/zope2/releases/.
Bugs Fixed
++++++++++
- LP #563229: Process "evil" JSON cookies which contain double quotes in
violation of RFC 2965 / 2616.
- Document ``Products.PluginIndexes.PathIndex.PathIndex.insertEntry`` as
an API for use by subclasses.
......
......@@ -1642,7 +1642,7 @@ parse_cookie_lock = allocate_lock()
QPARMRE= re.compile(
'([\x00- ]*([^\x00- ;,="]+)="([^"]*)"([\x00- ]*[;,])?[\x00- ]*)')
PARMRE = re.compile(
'([\x00- ]*([^\x00- ;,="]+)=([^;,"]*)([\x00- ]*[;,])?[\x00- ]*)')
'([\x00- ]*([^\x00- ;,="]+)=([^;]*)([\x00- ]*[;,])?[\x00- ]*)')
PARAMLESSRE = re.compile(
'([\x00- ]*([^\x00- ;,="]+)[\x00- ]*[;,][\x00- ]*)')
def parse_cookie(text,
......
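Review bot: Widening PARMRE's value group from `[^;,"]*` to `[^;]*` also drops comma as a pair separator for unquoted values: `[^;]*` is greedy, so in `a=1, b=2` the whole `1, b=2` becomes a's value and the `[;,]` alternative in the trailing group can only ever match `;` for this pattern. If comma-separated pairs are meant to stay supported, the value class needs to stay narrower than `[^;]*`; if the trade-off is intended, a comment above PARMRE such as `# LP #563229: unquoted values may contain '"' and ','; only ';' terminates them` would record it, and a test for `a=1, b=2` would pin whichever behaviour is wanted. parse_cookie starts on the hunk's last line and its body lies outside the hunk, so the order in which QPARMRE, PARMRE and PARAMLESSRE are tried could not be checked here.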
......@@ -996,6 +996,20 @@ class HTTPRequestTests(unittest.TestCase):
"HTTPRequest.resolve_url should not emit events")
def test_parses_json_cookies(self):
# https://bugs.launchpad.net/zope2/+bug/563229
# reports cookies in the wild with embedded double quotes (e.g,
# JSON-encoded data structures.
env = {'SERVER_NAME': 'testingharnas',
'SERVER_PORT': '80',
'HTTP_COOKIE': 'json={"intkey":123,"stringkey":"blah"}; '
'anothercookie=boring; baz'
}
req = self._makeOne(environ=env)
self.assertEquals(req.cookies['json'],
'{"intkey":123,"stringkey":"blah"}')
self.assertEquals(req.cookies['anothercookie'], 'boring')
TEST_ENVIRON = {
'CONTENT_TYPE': 'multipart/form-data; boundary=12345',
'REQUEST_METHOD': 'POST',
......
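Review bot: The new test pins only a JSON value that contains no `;`, so it does not document that a JSON string such as `{"k":"a;b"}` is still cut at the semicolon under the widened pattern, and it never asserts how the trailing param-less `baz` ends up in `req.cookies`. A comment stating that `;` inside a JSON value remains unsupported, plus an assertion on `baz` (presumably handled by PARAMLESSRE, which is not visible in this hunk), would make the scope of the fix explicit. The leading comment also has an unclosed parenthesis: `(e.g,` should read `(e.g.,` and the sentence needs a closing `)`. The rest of HTTPRequestTests lies outside the hunk.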