packages/python-werkzeug
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
python-werkzeug/CVE-2023-23934.patch
starlet-dx 4f09621d4c Fix CVE-2023-23934 and CVE-2023-25577 
(cherry picked from commit 3c46d7c0027f7f0ee2582bc196a2611b9b25404d)
2023-08-15 09:51:08 +08:00

92 lines
2.9 KiB
Diff
Raw Blame History

From 49d56281df8de48a3c48a34e8d914bef31a4125d Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Mon, 14 Aug 2023 17:24:57 +0800
Subject: [PATCH 1/1] don't strip leading = when parsing cookie
Reference:
https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028
---
src/werkzeug/_internal.py | 13 +++++++++----
src/werkzeug/http.py | 4 ----
tests/test_http.py | 4 +++-
3 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py
index 0c8d0d0..0f63492 100644
--- a/src/werkzeug/_internal.py
+++ b/src/werkzeug/_internal.py
@@ -35,7 +35,7 @@ _quote_re = re.compile(rb"[\\].")
_legal_cookie_chars_re = rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
_cookie_re = re.compile(
rb"""
- (?P<key>[^=;]+)
+ (?P<key>[^=;]*)
(?:\s*=\s*
(?P<val>
"(?:[^\\"]|\\.)*" |
@@ -460,16 +460,21 @@ def _cookie_parse_impl(b: bytes) -> t.Iterator[t.Tuple[bytes, bytes]]:
"""Lowlevel cookie parsing facility that operates on bytes."""
i = 0
n = len(b)
+ b += b";"
while i < n:
- match = _cookie_re.search(b + b";", i)
+ match = _cookie_re.match(b, i)
+
if not match:
break
- key = match.group("key").strip()
- value = match.group("val") or b""
i = match.end(0)
+ key = match.group("key").strip()
+
+ if not key:
+ continue
+ value = match.group("val") or b""
yield key, _cookie_unquote(value)
diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py
index 45799bf..b7a63d1 100644
--- a/src/werkzeug/http.py
+++ b/src/werkzeug/http.py
@@ -1227,10 +1227,6 @@ def parse_cookie(
def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]:
for key, val in _cookie_parse_impl(header): # type: ignore
key_str = _to_str(key, charset, errors, allow_none_charset=True)
-
- if not key_str:
- continue
-
val_str = _to_str(val, charset, errors, allow_none_charset=True)
yield key_str, val_str
diff --git a/tests/test_http.py b/tests/test_http.py
index 0d6c183..9ffafdf 100644
--- a/tests/test_http.py
+++ b/tests/test_http.py
@@ -415,7 +415,8 @@ class TestHTTPUtility:
def test_parse_cookie(self):
cookies = http.parse_cookie(
"dismiss-top=6; CP=null*; PHPSESSID=0a539d42abc001cdc762809248d4beed;"
- 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d'
+ 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d;'
+ "==__Host-eq=bad;__Host-eq=good;"
)
assert cookies.to_dict() == {
"CP": "null*",
@@ -426,6 +427,7 @@ class TestHTTPUtility:
"fo234{": "bar",
"blub": "Blah",
'"__Secure-c"': "d",
+ "__Host-eq": "good",
}
def test_dump_cookie(self):
--
2.30.0
Reference in New Issue View Git Blame Copy Permalink