Process "evil" JSON cookies which contain double quotes

Note that such cookies are in violation of RFC 2965 / 2616. Fixes LP #563229 on this branch.

Process "evil" JSON cookies which contain double quotes
Note that such cookies are in violation of RFC 2965 / 2616. Fixes LP #563229 on this branch.
06a2a774 · Tres Seaver · f2640dce · 06a2a774 · 06a2a774 · 06a2a774
Commit 06a2a774 authored Apr 16, 2010 by Tres Seaver
Showing with 19 additions and 1 deletion

doc/CHANGES.txt doc/CHANGES.txt +3 -0

lib/python/ZPublisher/HTTPRequest.py lib/python/ZPublisher/HTTPRequest.py +2 -1

lib/python/ZPublisher/tests/testHTTPRequest.py lib/python/ZPublisher/tests/testHTTPRequest.py +14 -0

No files found.
--- a/doc/CHANGES.txt
+++ b/doc/CHANGES.txt
@@ -8,6 +8,9 @@ Zope Changes

    Bugs Fixed

+      - Process "evil" JSON cookies which contain double quotes in violation
+        of RFC 2965 / 2616.  https://bugs.launchpad.net/zope2/+bug/563229
+
      - Ensure that Acquistion wrapper classes always have a ``__getnewargs__``
        method, even if it is not provided by the underlying ExtensionClass.


--- a/lib/python/ZPublisher/HTTPRequest.py
+++ b/lib/python/ZPublisher/HTTPRequest.py
@@ -1509,7 +1509,7 @@ def parse_cookie(text,
                 qparmre=re.compile(
                    '([\x00- ]*([^\x00- ;,="]+)="([^"]*)"([\x00- ]*[;,])?[\x00- ]*)'),
                 parmre=re.compile(
-                    '([\x00- ]*([^\x00- ;,="]+)=([^;,"]*)([\x00- ]*[;,])?[\x00- ]*)'),
+                    '([\x00- ]*([^\x00- ;,="]+)=([^;]*)([\x00- ]*[;,])?[\x00- ]*)'),
                 paramlessre=re.compile(
                    '([\x00- ]*([^\x00- ;,="]+)[\x00- ]*[;,][\x00- ]*)'),

@@ -1534,6 +1534,7 @@ def parse_cookie(text,

        else:
            # Match evil MSIE cookies ;)
+            # as well as json

            mo_p = parmre.match(text)


--- a/lib/python/ZPublisher/tests/testHTTPRequest.py
+++ b/lib/python/ZPublisher/tests/testHTTPRequest.py
@@ -708,6 +708,20 @@ class ProcessInputsTests(unittest.TestCase):
        self.assertEquals(req.cookies['multi2'], 
 	                              'cookie data with unquoted spaces')

+    def test_parses_json_cookies(self):
+        # https://bugs.launchpad.net/zope2/+bug/563229
+        # reports cookies in the wild with embedded double quotes (e.g,
+        # JSON-encoded data structures.
+        env = {'SERVER_NAME': 'testingharnas',
+               'SERVER_PORT': '80',
+               'HTTP_COOKIE': 'json={"intkey":123,"stringkey":"blah"}; '
+                              'anothercookie=boring; baz'
+              }
+        req = self._getHTTPRequest(env)
+        self.assertEquals(req.cookies['json'],
+                          '{"intkey":123,"stringkey":"blah"}')
+        self.assertEquals(req.cookies['anothercookie'], 'boring')
+
 TEST_ENVIRON = {
    'CONTENT_TYPE': 'multipart/form-data; boundary=12345',
    'REQUEST_METHOD': 'POST',