This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: Special set-cookie setting will bypass Cookielib
Type: Stage:
Components: Library (Lib) Versions: Python 2.7
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: LCatro, adrian2, martin.panter, r.david.murray
Priority: low Keywords:

Created on 2018-03-07 03:17 by LCatro, last changed 2022-04-11 14:58 by admin.

Files
File name Uploaded Description Edit
poc.php LCatro, 2018-03-07 03:17
Messages (4)
msg313370 - (view) Author: (LCatro) Date: 2018-03-07 03:17
PoC (PHP Version):

 header('Set-Cookie: test=123; max-age=a');  //  PoC 1
 header('Set-Cookie: test=123; domain=;');  //  PoC 2
 header('Set-Cookie: test=123; version=a;');  //  PoC 3

PoC 1 will trigger int() convert string to number from max-age (lib/cookielib.py:1429).I give this value a string ,it will make except 

        try:
            v = int(v)                 #  lib/cookielib.py:1429
        except ValueError:
            _debug("   missing or invalid (non-numeric) value for "
                  "max-age attribute")
            bad_cookie = True
            break                      #  lib/cookielib.py:1434

PoC 2 is a domain None value (lib/cookielib.py:1412).Cookielib will discard current cookie record.
    if k == "domain":                  #  lib/cookielib.py:1411
        if v is None:                  #  lib/cookielib.py:1412
            _debug("   missing value for domain attribute")
            bad_cookie = True
            break                      #  lib/cookielib.py:1415

PoC 3 will trigger a int() convert except(lib/cookielib.py:1472).Cookielib will discard current cookie record too.
        version = standard.get("version", None)  #  lib/cookielib.py:1469
        if version is not None:
            try:
                version = int(version)  #  lib/cookielib.py:1472
            except ValueError:
                return None  # invalid version, ignore cookie

There are PoCs involve urllib and requests library .

Full Code Analysis (Chinese Version): https://github.com/lcatro/Python_CookieLib_0day
msg314061 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2018-03-18 21:44
Can you explain what you think the problem is?  I don't know what your "POC" snippets are trying to demonstrate.
msg340830 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2019-04-25 10:04
I think LCatro is saying that Python should accept the cookies and discard only the offending attributes. This makes sense to me and tends to agree with the specifications, but the three cases seem all seem unimportant to me.

PoC 1, Max-age:

>>> from urllib2 import Request
>>> from test.test_cookielib import FakeResponse
>>> cookies = CookieJar(DefaultCookiePolicy())
>>> request = Request('http://127.0.0.1/requests_test.php')
>>> cookies.extract_cookies(FakeResponse(()), request)  # Issue 12144
>>> cookies.make_cookies(FakeResponse(('Set-Cookie: test=123; max-age=a',)), request)  # No cookies returned
[]

RFC 6265 says Max-age should be ignored if not does not start with a digit or minus sign: <https://tools.ietf.org/html/rfc6265#section-5.2.2>. Netscape did not specify Max-age at all. So I agree that the cookie should be retained.

PoC 2, Domain: You have to omit the equals sign to satisfy “v is None” and discard the cookie record, otherwise “v” is just an empty string '':

>>> cookies.make_cookies(FakeResponse(('Set-Cookie: test=123; domain=;',)), request)  # v == ''
[Cookie(version=0, name='test', value='123', port=None, port_specified=False, domain='.', domain_specified=True, domain_initial_dot=False, path='/', path_specified=False, secure=False, expires=None, discard=True, comment=None, comment_url=None, rest={}, rfc2109=False)]
>>> cookies.make_cookies(FakeResponse(('Set-Cookie: test=123; domain;',)), request)  # v is None
[]

RFC 6265 says both these cases should be treated the same, and recommends ignoring Domain in these cases.

PoC 3, Version:

>>> cookies.make_cookies(FakeResponse(('Set-Cookie: test=123; version=a;',)), request)  # No cookies returned
[]

The Version attribute is only specified by RFC 2109. Since the IETF has obsoleted it, I suggest to deprecate RFC 2109 support in the Python module. That way, if a real problem is demonstrated, we can remove the parts that are causing the problem.
msg413019 - (view) Author: Adrian Chaves (adrian2) Date: 2022-02-10 19:08
So, PoC shows how an empty domain attribute (Domain=) is erroneously turned into a dot (.).

I want to add that a dot (Domain=.) should be turned into an empty string (the specification asks to remove a leading dot if found).
History
Date User Action Args
2022-04-11 14:58:58adminsetgithub: 77198
2022-02-10 19:08:31adrian2setnosy: + adrian2
messages: + msg413019
2019-04-25 10:04:25martin.pantersetpriority: normal -> low
nosy: + martin.panter
messages: + msg340830

2018-03-18 21:44:54r.david.murraysetnosy: + r.david.murray
messages: + msg314061
2018-03-07 03:17:23LCatrocreate