[Zope-Checkins] SVN: Zope/trunk/ Process "evil" JSON cookies which contain double quotes

Tres Seaver tseaver at palladion.com
Fri Apr 16 10:34:54 EDT 2010


Log message for revision 110973:
  Process "evil" JSON cookies which contain double quotes
    
  Such cookies violate RFC 2965 / 2616.
    
  Fixes LP #563229.
  

Changed:
  U   Zope/trunk/doc/CHANGES.rst
  U   Zope/trunk/src/ZPublisher/HTTPRequest.py
  U   Zope/trunk/src/ZPublisher/tests/testHTTPRequest.py

-=-
Modified: Zope/trunk/doc/CHANGES.rst
===================================================================
--- Zope/trunk/doc/CHANGES.rst	2010-04-16 14:31:41 UTC (rev 110972)
+++ Zope/trunk/doc/CHANGES.rst	2010-04-16 14:34:54 UTC (rev 110973)
@@ -153,6 +153,9 @@
 Bugs Fixed
 ++++++++++
 
+- LP #563229:  Process "evil" JSON cookies which contain double quotes in
+  violation of RFC 2965 / 2616.
+
 - Document ``Products.PluginIndexes.PathIndex.PathIndex.insertEntry`` as
   an API for use by subclasses.
 

Modified: Zope/trunk/src/ZPublisher/HTTPRequest.py
===================================================================
--- Zope/trunk/src/ZPublisher/HTTPRequest.py	2010-04-16 14:31:41 UTC (rev 110972)
+++ Zope/trunk/src/ZPublisher/HTTPRequest.py	2010-04-16 14:34:54 UTC (rev 110973)
@@ -1642,7 +1642,7 @@
 QPARMRE= re.compile(
         '([\x00- ]*([^\x00- ;,="]+)="([^"]*)"([\x00- ]*[;,])?[\x00- ]*)')
 PARMRE = re.compile(
-        '([\x00- ]*([^\x00- ;,="]+)=([^;,"]*)([\x00- ]*[;,])?[\x00- ]*)')
+        '([\x00- ]*([^\x00- ;,="]+)=([^;]*)([\x00- ]*[;,])?[\x00- ]*)')
 PARAMLESSRE = re.compile(
         '([\x00- ]*([^\x00- ;,="]+)[\x00- ]*[;,][\x00- ]*)')
 def parse_cookie(text,
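Review bot: Dropping `,` and `"` from the PARMRE value class (`([^;]*)`) makes `;` the only effective terminator, so a comma-separated header such as `a=1, b=2` (constructed example) would now be captured as the single value `1, b=2` rather than two cookies, because the greedy class consumes the comma before the optional `([\x00- ]*[;,])?` group is tried. For the same reason any whitespace between a value and the following `;` is now part of the captured value, whereas before `[^;,"]*` stopped at neither so the trailing group absorbed it — I cannot tell from this hunk whether parse_cookie strips it afterwards, since its body lies outside the hunk. If comma separation is intentionally given up for LP #563229, a comment on the pattern would save the next reader from re-tightening it, e.g. `# LP #563229: unquoted values may contain '"' and ','; only ';' ends a value`. This constant is shared with the parse order in parse_cookie (starts at the hunk's last line), so the interaction with QPARMRE and PARAMLESSRE is not visible here.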

Modified: Zope/trunk/src/ZPublisher/tests/testHTTPRequest.py
===================================================================
--- Zope/trunk/src/ZPublisher/tests/testHTTPRequest.py	2010-04-16 14:31:41 UTC (rev 110972)
+++ Zope/trunk/src/ZPublisher/tests/testHTTPRequest.py	2010-04-16 14:34:54 UTC (rev 110973)
@@ -1003,6 +1003,20 @@
             "HTTPRequest.resolve_url should not emit events")
 
 
+    def test_parses_json_cookies(self):
+        # https://bugs.launchpad.net/zope2/+bug/563229
+        # reports cookies in the wild with embedded double quotes (e.g,
+        # JSON-encoded data structures.
+        env = {'SERVER_NAME': 'testingharnas',
+               'SERVER_PORT': '80',
+               'HTTP_COOKIE': 'json={"intkey":123,"stringkey":"blah"}; '
+                              'anothercookie=boring; baz'
+              }
+        req = self._makeOne(environ=env)
+        self.assertEquals(req.cookies['json'],
+                          '{"intkey":123,"stringkey":"blah"}')
+        self.assertEquals(req.cookies['anothercookie'], 'boring')
+
 TEST_ENVIRON = {
     'CONTENT_TYPE': 'multipart/form-data; boundary=12345',
     'REQUEST_METHOD': 'POST',
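Review bot: The test pins the JSON value and `anothercookie` but asserts nothing about the trailing paramless `baz` entry it puts in the header, nor about the behavior the regex change gives up — a comma-separated header like `a=1, b=2` (constructed example) or a value followed by a space before `;`. One or two extra assertions in the same style, e.g. `self.assertTrue('baz' in req.cookies)` and a second request with `'HTTP_COOKIE': 'a=1, b=2'` checked against whatever split is intended, would document the accepted trade-off rather than leave it implicit. The comment at the top of the method is also missing its closing parenthesis after `JSON-encoded data structures`.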


