1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
|
From db1457abec7fe27148673f5f8bfdf5c52eb7f29f Mon Sep 17 00:00:00 2001
From: David Lord <davidism@gmail.com>
Date: Wed, 10 May 2023 11:33:18 +0000
Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q
don't strip leading `=` when parsing cookie
"src/werkzeug/sansio/http.py" file is not available in the current recipe
version 2.1.1 and this has been introduced from 2.2.0 version. Before 2.2.0
version, this http.py file was only available in the "src/werkzeug/http.py"
and we could see the same functions available there which are getting modified
in the CVE fix commit. Hence, modifying the same at "src/werkzeug/http.py" file.
CVE: CVE-2023-23934
Upstream-Status: Backport [https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028]
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
---
CHANGES.rst | 3 +++
src/werkzeug/_internal.py | 13 +++++++++----
src/werkzeug/http.py | 4 ----
tests/test_http.py | 4 +++-
4 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/CHANGES.rst b/CHANGES.rst
index 6e809ba..13ef75b 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -4,6 +4,9 @@
``RequestEntityTooLarge`` exception is raised on parsing. This mitigates a DoS
attack where a larger number of form/file parts would result in disproportionate
resource use.
+- A cookie header that starts with ``=`` is treated as an empty key and discarded,
+ rather than stripping the leading ``==``.
+
Version 2.1.1
-------------
diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py
index a8b3523..d6290ba 100644
--- a/src/werkzeug/_internal.py
+++ b/src/werkzeug/_internal.py
@@ -34,7 +34,7 @@ _quote_re = re.compile(rb"[\\].")
_legal_cookie_chars_re = rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
_cookie_re = re.compile(
rb"""
- (?P<key>[^=;]+)
+ (?P<key>[^=;]*)
(?:\s*=\s*
(?P<val>
"(?:[^\\"]|\\.)*" |
@@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) -> t.Iterator[t.Tuple[bytes, bytes]]:
"""Lowlevel cookie parsing facility that operates on bytes."""
i = 0
n = len(b)
+ b += b";"
while i < n:
- match = _cookie_re.search(b + b";", i)
+ match = _cookie_re.match(b, i)
+
if not match:
break
- key = match.group("key").strip()
- value = match.group("val") or b""
i = match.end(0)
+ key = match.group("key").strip()
+
+ if not key:
+ continue
+ value = match.group("val") or b""
yield key, _cookie_unquote(value)
diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py
index 9369900..ae133e3 100644
--- a/src/werkzeug/http.py
+++ b/src/werkzeug/http.py
@@ -1205,10 +1205,6 @@ def parse_cookie(
def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]:
for key, val in _cookie_parse_impl(header): # type: ignore
key_str = _to_str(key, charset, errors, allow_none_charset=True)
-
- if not key_str:
- continue
-
val_str = _to_str(val, charset, errors, allow_none_charset=True)
yield key_str, val_str
diff --git a/tests/test_http.py b/tests/test_http.py
index 5936bfa..59cc179 100644
--- a/tests/test_http.py
+++ b/tests/test_http.py
@@ -427,7 +427,8 @@ class TestHTTPUtility:
def test_parse_cookie(self):
cookies = http.parse_cookie(
"dismiss-top=6; CP=null*; PHPSESSID=0a539d42abc001cdc762809248d4beed;"
- 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d'
+ 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d;'
+ "==__Host-eq=bad;__Host-eq=good;"
)
assert cookies.to_dict() == {
"CP": "null*",
@@ -438,6 +439,7 @@ class TestHTTPUtility:
"fo234{": "bar",
"blub": "Blah",
'"__Secure-c"': "d",
+ "__Host-eq": "good",
}
def test_dump_cookie(self):
--
2.40.0
|