Message313370
PoC (PHP Version):
header('Set-Cookie: test=123; max-age=a'); // PoC 1
header('Set-Cookie: test=123; domain=;'); // PoC 2
header('Set-Cookie: test=123; version=a;'); // PoC 3
PoC 1 will trigger the int() conversion of the max-age string to a number (lib/cookielib.py:1429). I give this value a string, which will raise an exception:
    try:
        v = int(v)  # lib/cookielib.py:1429
    except ValueError:
        _debug(" missing or invalid (non-numeric) value for "
               "max-age attribute")
        bad_cookie = True
        break  # lib/cookielib.py:1434
PoC 2 is a domain None value (lib/cookielib.py:1412). Cookielib will discard the current cookie record.
    if k == "domain":  # lib/cookielib.py:1411
        if v is None:  # lib/cookielib.py:1412
            _debug(" missing value for domain attribute")
            bad_cookie = True
            break  # lib/cookielib.py:1415
PoC 3 will trigger an int() conversion exception (lib/cookielib.py:1472). Cookielib will discard the current cookie record too.
    version = standard.get("version", None)  # lib/cookielib.py:1469
    if version is not None:
        try:
            version = int(version)  # lib/cookielib.py:1472
        except ValueError:
            return None  # invalid version, ignore cookie
There are PoCs involving the urllib and requests libraries.
Full Code Analysis (Chinese Version): https://github.com/lcatro/Python_CookieLib_0day

Date | User | Action | Args
2018-03-07 03:17:23 | LCatro | set | recipients: + LCatro
2018-03-07 03:17:23 | LCatro | set | messageid: <1520392643.04.0.467229070634.issue33017@psf.upfronthosting.co.za>
2018-03-07 03:17:22 | LCatro | link | issue33017 messages
2018-03-07 03:17:21 | LCatro | create |
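
An added example, not part of the original message: a Python 3 check that feeds Set-Cookie values through http.cookiejar (the Python 3 name for cookielib) and reports which cookies the jar silently discarded, covering PoC 1 and PoC 3. FakeResponse, dropped_cookies, the cookie names and the host example.test are constructed for illustration.

```python
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Stand-in for an HTTP response; CookieJar only calls .info() on it."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            # Assigning the same header name repeatedly appends a new header.
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def dropped_cookies(set_cookie_values, url="http://example.test/"):
    """Return names sent in Set-Cookie headers that the jar did not store."""
    jar = http.cookiejar.CookieJar()
    request = urllib.request.Request(url)
    jar.extract_cookies(FakeResponse(set_cookie_values), request)

    stored = {cookie.name for cookie in jar}
    # The cookie name is everything before the first '=' of the first pair.
    sent = [v.split(";", 1)[0].partition("=")[0].strip()
            for v in set_cookie_values]
    return [name for name in sent if name not in stored]


# Constructed sample headers: one well-formed control plus PoC 1 and PoC 3.
SAMPLE = [
    "session=abc; Path=/",    # control, expected to be stored
    "poc1=123; max-age=a",    # non-numeric max-age, int() raises ValueError
    "poc3=123; version=a;",   # non-numeric version, int() raises ValueError
]

if __name__ == "__main__":
    for name in dropped_cookies(SAMPLE):
        print("discarded by http.cookiejar:", name)
```

Comparing the names in the raw headers against the jar contents is a way to notice the discard, since the library reports it only through its debug log.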