[Zope-Checkins] SVN: Zope/branches/2.12/ Process "evil" JSON cookies which contain double quotes
Tres Seaver
tseaver at palladion.com
Fri Apr 16 10:28:02 EDT 2010
Log message for revision 110971:
Process "evil" JSON cookies which contain double quotes
Such cookies violate RFC 2965 / 2616.
Fixes LP #563229.
Changed:
U Zope/branches/2.12/doc/CHANGES.rst
U Zope/branches/2.12/src/ZPublisher/HTTPRequest.py
U Zope/branches/2.12/src/ZPublisher/tests/testHTTPRequest.py
-=-
Modified: Zope/branches/2.12/doc/CHANGES.rst
===================================================================
--- Zope/branches/2.12/doc/CHANGES.rst 2010-04-16 14:09:46 UTC (rev 110970)
+++ Zope/branches/2.12/doc/CHANGES.rst 2010-04-16 14:28:02 UTC (rev 110971)
@@ -11,6 +11,9 @@
Bugs Fixed
++++++++++
+- LP #563229: Process "evil" JSON cookies which contain double quotes in
+ violation of RFC 2965 / 2616.
+
- Document ``Products.PluginIndexes.PathIndex.PathIndex.insertEntry`` as
an API for use by subclasses.
Modified: Zope/branches/2.12/src/ZPublisher/HTTPRequest.py
===================================================================
--- Zope/branches/2.12/src/ZPublisher/HTTPRequest.py 2010-04-16 14:09:46 UTC (rev 110970)
+++ Zope/branches/2.12/src/ZPublisher/HTTPRequest.py 2010-04-16 14:28:02 UTC (rev 110971)
@@ -1642,7 +1642,7 @@
QPARMRE= re.compile(
'([\x00- ]*([^\x00- ;,="]+)="([^"]*)"([\x00- ]*[;,])?[\x00- ]*)')
PARMRE = re.compile(
- '([\x00- ]*([^\x00- ;,="]+)=([^;,"]*)([\x00- ]*[;,])?[\x00- ]*)')
+ '([\x00- ]*([^\x00- ;,="]+)=([^;]*)([\x00- ]*[;,])?[\x00- ]*)')
PARAMLESSRE = re.compile(
'([\x00- ]*([^\x00- ;,="]+)[\x00- ]*[;,][\x00- ]*)')
def parse_cookie(text,
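Review bot: The new PARMRE on the `+` line stops an unquoted value only at `;`, so a comma is no longer a separator for unquoted cookies, while QPARMRE and PARAMLESSRE directly above still treat `,` as one; a header such as `a=1,b=2` would now yield a single cookie `a` with value `1,b=2` where it previously yielded two, because the greedy `[^;]*` consumes the comma before the optional `([\x00- ]*[;,])?` group is tried. This looks intentional, since the JSON value in the new test carries a comma inside its braces, but the divergence between the three patterns is invisible in the code and deserves a comment on the `+` line, e.g. `# ',' is deliberately not a separator here (LP #563229): unquoted values such as JSON may contain commas; QPARMRE/PARAMLESSRE still split on it.` A companion assertion in testHTTPRequest.py pinning what a comma-separated, unquoted cookie header now produces would make the behavior change explicit for whoever next touches these patterns. parse_cookie, which selects between these patterns and is where the untrusted Cookie header is actually consumed, begins on the last line of the hunk and its body is outside it.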
Modified: Zope/branches/2.12/src/ZPublisher/tests/testHTTPRequest.py
===================================================================
--- Zope/branches/2.12/src/ZPublisher/tests/testHTTPRequest.py 2010-04-16 14:09:46 UTC (rev 110970)
+++ Zope/branches/2.12/src/ZPublisher/tests/testHTTPRequest.py 2010-04-16 14:28:02 UTC (rev 110971)
@@ -996,6 +996,20 @@
"HTTPRequest.resolve_url should not emit events")
+ def test_parses_json_cookies(self):
+ # https://bugs.launchpad.net/zope2/+bug/563229
+ # reports cookies in the wild with embedded double quotes (e.g,
+ # JSON-encoded data structures.
+ env = {'SERVER_NAME': 'testingharnas',
+ 'SERVER_PORT': '80',
+ 'HTTP_COOKIE': 'json={"intkey":123,"stringkey":"blah"}; '
+ 'anothercookie=boring; baz'
+ }
+ req = self._makeOne(environ=env)
+ self.assertEquals(req.cookies['json'],
+ '{"intkey":123,"stringkey":"blah"}')
+ self.assertEquals(req.cookies['anothercookie'], 'boring')
+
TEST_ENVIRON = {
'CONTENT_TYPE': 'multipart/form-data; boundary=12345',
'REQUEST_METHOD': 'POST',
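Review bot: The comment introducing test_parses_json_cookies has an unbalanced parenthesis and a malformed abbreviation, which reads as a cut-off sentence to the next maintainer: `# reports cookies in the wild with embedded double quotes (e.g.,` / `# JSON-encoded data structures).` The test itself exercises only a value whose comma sits inside braces, so it does not document how a bare `,` in an unquoted value is treated after this change; naming that in the comment, or in a second assertion, would tie the test to the regex it covers.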