Message 313370 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	LCatro
Recipients	LCatro
Date	2018-03-07.03:17:21
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1520392643.04.0.467229070634.issue33017@psf.upfronthosting.co.za>
In-reply-to

Content
PoC (PHP Version): header('Set-Cookie: test=123; max-age=a'); // PoC 1 header('Set-Cookie: test=123; domain=;'); // PoC 2 header('Set-Cookie: test=123; version=a;'); // PoC 3 PoC 1 will trigger int() convert string to number from max-age (lib/cookielib.py:1429).I give this value a string ,it will make except try: v = int(v) # lib/cookielib.py:1429 except ValueError: _debug(" missing or invalid (non-numeric) value for " "max-age attribute") bad_cookie = True break # lib/cookielib.py:1434 PoC 2 is a domain None value (lib/cookielib.py:1412).Cookielib will discard current cookie record. if k == "domain": # lib/cookielib.py:1411 if v is None: # lib/cookielib.py:1412 _debug(" missing value for domain attribute") bad_cookie = True break # lib/cookielib.py:1415 PoC 3 will trigger a int() convert except(lib/cookielib.py:1472).Cookielib will discard current cookie record too. version = standard.get("version", None) # lib/cookielib.py:1469 if version is not None: try: version = int(version) # lib/cookielib.py:1472 except ValueError: return None # invalid version, ignore cookie There are PoCs involve urllib and requests library . Full Code Analysis (Chinese Version): https://github.com/lcatro/Python_CookieLib_0day

PoC (PHP Version):

 header('Set-Cookie: test=123; max-age=a');  //  PoC 1
 header('Set-Cookie: test=123; domain=;');  //  PoC 2
 header('Set-Cookie: test=123; version=a;');  //  PoC 3

PoC 1 will trigger int() convert string to number from max-age (lib/cookielib.py:1429).I give this value a string ,it will make except 

        try:
            v = int(v)                 #  lib/cookielib.py:1429
        except ValueError:
            _debug("   missing or invalid (non-numeric) value for "
                  "max-age attribute")
            bad_cookie = True
            break                      #  lib/cookielib.py:1434

PoC 2 is a domain None value (lib/cookielib.py:1412).Cookielib will discard current cookie record.
    if k == "domain":                  #  lib/cookielib.py:1411
        if v is None:                  #  lib/cookielib.py:1412
            _debug("   missing value for domain attribute")
            bad_cookie = True
            break                      #  lib/cookielib.py:1415

PoC 3 will trigger a int() convert except(lib/cookielib.py:1472).Cookielib will discard current cookie record too.
        version = standard.get("version", None)  #  lib/cookielib.py:1469
        if version is not None:
            try:
                version = int(version)  #  lib/cookielib.py:1472
            except ValueError:
                return None  # invalid version, ignore cookie

There are PoCs involve urllib and requests library .

Full Code Analysis (Chinese Version): https://github.com/lcatro/Python_CookieLib_0day

History
Date	User	Action	Args
2018-03-07 03:17:23	LCatro	set	recipients: + LCatro
2018-03-07 03:17:23	LCatro	set	messageid: <1520392643.04.0.467229070634.issue33017@psf.upfronthosting.co.za>
2018-03-07 03:17:22	LCatro	link	issue33017 messages
2018-03-07 03:17:21	LCatro	create