[Zope-Checkins] SVN: Zope/branches/2.11/ Process "evil" JSON cookies which contain double quotes

Tres Seaver tseaver at palladion.com
Fri Apr 16 10:09:46 EDT 2010


Log message for revision 110970:
  Process "evil" JSON cookies which contain double quotes
  
  Note that such cookies are in violation of RFC 2965 / 2616.
  
  Fixes LP #563229 on this branch.
  

Changed:
  U   Zope/branches/2.11/doc/CHANGES.txt
  U   Zope/branches/2.11/lib/python/ZPublisher/HTTPRequest.py
  U   Zope/branches/2.11/lib/python/ZPublisher/tests/testHTTPRequest.py

-=-
Modified: Zope/branches/2.11/doc/CHANGES.txt
===================================================================
--- Zope/branches/2.11/doc/CHANGES.txt	2010-04-16 13:34:37 UTC (rev 110969)
+++ Zope/branches/2.11/doc/CHANGES.txt	2010-04-16 14:09:46 UTC (rev 110970)
@@ -8,6 +8,9 @@
 
     Bugs Fixed
 
+      - Process "evil" JSON cookies which contain double quotes in violation
+        of RFC 2965 / 2616.  https://bugs.launchpad.net/zope2/+bug/563229
+
       - Ensure that Acquistion wrapper classes always have a ``__getnewargs__``
         method, even if it is not provided by the underlying ExtensionClass.
 

Modified: Zope/branches/2.11/lib/python/ZPublisher/HTTPRequest.py
===================================================================
--- Zope/branches/2.11/lib/python/ZPublisher/HTTPRequest.py	2010-04-16 13:34:37 UTC (rev 110969)
+++ Zope/branches/2.11/lib/python/ZPublisher/HTTPRequest.py	2010-04-16 14:09:46 UTC (rev 110970)
@@ -1509,7 +1509,7 @@
                  qparmre=re.compile(
                     '([\x00- ]*([^\x00- ;,="]+)="([^"]*)"([\x00- ]*[;,])?[\x00- ]*)'),
                  parmre=re.compile(
-                    '([\x00- ]*([^\x00- ;,="]+)=([^;,"]*)([\x00- ]*[;,])?[\x00- ]*)'),
+                    '([\x00- ]*([^\x00- ;,="]+)=([^;]*)([\x00- ]*[;,])?[\x00- ]*)'),
                  paramlessre=re.compile(
                     '([\x00- ]*([^\x00- ;,="]+)[\x00- ]*[;,][\x00- ]*)'),
 
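Review bot: Widening parmre's value group from `[^;,"]*` to `[^;]*` does more than admit double quotes: because the group is greedy up to the next `;`, a comma is no longer a cookie separator for unquoted values, so a header such as `a=1, b=2` now yields a single cookie `a` with value `1, b=2` where the previous pattern produced two cookies, and the `,` alternative in the trailing `([\x00- ]*[;,])?` group can no longer match for this pattern. The log message and CHANGES entry mention only the double-quote relaxation, so this looks undocumented at best and deserves a comment next to the pattern, e.g. `# unquoted value runs to the next ';' only: ',' and '"' are accepted inside it (JSON cookies, LP #563229)`; the `# as well as json` comment added in the next hunk could be replaced by the same text. Values that begin with a double quote presumably still go through the stricter qparmre first (inferred from the `else:` branch in the next hunk), so a quoted JSON value and an unquoted one are now handled by different rules; that asymmetry is worth stating as well. The enclosing cookie-parsing function starts and ends outside this hunk.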
@@ -1534,6 +1534,7 @@
 
         else:
             # Match evil MSIE cookies ;)
+            # as well as json
 
             mo_p = parmre.match(text)
 

Modified: Zope/branches/2.11/lib/python/ZPublisher/tests/testHTTPRequest.py
===================================================================
--- Zope/branches/2.11/lib/python/ZPublisher/tests/testHTTPRequest.py	2010-04-16 13:34:37 UTC (rev 110969)
+++ Zope/branches/2.11/lib/python/ZPublisher/tests/testHTTPRequest.py	2010-04-16 14:09:46 UTC (rev 110970)
@@ -708,6 +708,20 @@
         self.assertEquals(req.cookies['multi2'], 
 	                              'cookie data with unquoted spaces')
 
+    def test_parses_json_cookies(self):
+        # https://bugs.launchpad.net/zope2/+bug/563229
+        # reports cookies in the wild with embedded double quotes (e.g,
+        # JSON-encoded data structures.
+        env = {'SERVER_NAME': 'testingharnas',
+               'SERVER_PORT': '80',
+               'HTTP_COOKIE': 'json={"intkey":123,"stringkey":"blah"}; '
+                              'anothercookie=boring; baz'
+              }
+        req = self._getHTTPRequest(env)
+        self.assertEquals(req.cookies['json'],
+                          '{"intkey":123,"stringkey":"blah"}')
+        self.assertEquals(req.cookies['anothercookie'], 'boring')
+
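Review bot: test_parses_json_cookies pins only the happy path for a JSON value containing double quotes; it does not pin the other effect of the new `[^;]*` group in HTTPRequest.py, namely that `,` is now part of an unquoted value rather than a separator, so a later tightening of the pattern back to the RFC 2965 comma-separator form would pass this test unnoticed. A companion test stating that behaviour explicitly (a constructed example follows; the expected values are read off the new regex and should be confirmed against the real parser before committing) would record the decision next to the code that depends on it. The comment introducing the new test is also missing its closing parenthesis after `JSON-encoded data structures`.
```python
    def test_parses_comma_in_unquoted_cookie_value(self):
        # Companion to test_parses_json_cookies: with parmre's value group
        # widened to '[^;]*', ',' is no longer a separator for unquoted
        # values, so everything up to the next ';' belongs to the value.
        env = {'SERVER_NAME': 'testingharnas',
               'SERVER_PORT': '80',
               'HTTP_COOKIE': 'a=1, b=2; c=3'
              }
        req = self._getHTTPRequest(env)
        self.assertEquals(req.cookies['a'], '1, b=2')
        self.assertEquals(req.cookies['c'], '3')
        self.failIf('b' in req.cookies)
```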
 TEST_ENVIRON = {
     'CONTENT_TYPE': 'multipart/form-data; boundary=12345',
     'REQUEST_METHOD': 'POST',


