[New-bugs-announce] [issue33017] Special set-cookie setting will bypass Cookielib
LCatro
report at bugs.python.org
Tue Mar 6 22:17:23 EST 2018
New submission from LCatro <m4i1f0rt3st at sina.cn>:
PoC (PHP Version):
header('Set-Cookie: test=123; max-age=a'); // PoC 1
header('Set-Cookie: test=123; domain=;'); // PoC 2
header('Set-Cookie: test=123; version=a;'); // PoC 3
PoC 1 will trigger the int() conversion of the max-age string to a number (lib/cookielib.py:1429). I give this value a string, so it will raise an exception.
    try:
        v = int(v) # lib/cookielib.py:1429
    except ValueError:
        _debug(" missing or invalid (non-numeric) value for "
               "max-age attribute")
        bad_cookie = True
        break # lib/cookielib.py:1434
PoC 2 is a domain None value (lib/cookielib.py:1412). Cookielib will discard the current cookie record.
    if k == "domain": # lib/cookielib.py:1411
        if v is None: # lib/cookielib.py:1412
            _debug(" missing value for domain attribute")
            bad_cookie = True
            break # lib/cookielib.py:1415
PoC 3 will trigger an int() conversion exception (lib/cookielib.py:1472). Cookielib will discard the current cookie record too.
    version = standard.get("version", None) # lib/cookielib.py:1469
    if version is not None:
        try:
            version = int(version) # lib/cookielib.py:1472
        except ValueError:
            return None # invalid version, ignore cookie
There are PoCs that involve the urllib and requests libraries.
Full Code Analysis (Chinese Version): https://github.com/lcatro/Python_CookieLib_0day
----------
components: Library (Lib)
files: poc.php
messages: 313370
nosy: LCatro
priority: normal
severity: normal
status: open
title: Special set-cookie setting will bypass Cookielib
versions: Python 2.7
Added file: https://bugs.python.org/file47472/poc.php
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue33017>
_______________________________________
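Added example, not part of the original report or of CPython: a client-side check that feeds Set-Cookie values to a fresh cookie jar and lists the ones that produced no stored cookie, so a silent discard like the ones described above can be logged. It assumes Python 3, where cookielib is named http.cookiejar; FakeResponse, jar_accepts, silently_dropped, SAMPLE and the example.com URL are hypothetical names and values chosen for illustration.

```python
import email
import urllib.request
from http.cookiejar import CookieJar


class FakeResponse:
    """Stand-in for an HTTP response; CookieJar only calls info() on it."""

    def __init__(self, set_cookie_value):
        raw = "Set-Cookie: %s\n\n" % set_cookie_value
        self._msg = email.message_from_string(raw)

    def info(self):
        return self._msg


def jar_accepts(set_cookie_value, url="http://www.example.com/"):
    """Return True if a fresh CookieJar stores a cookie from this header."""
    jar = CookieJar()
    request = urllib.request.Request(url)
    jar.extract_cookies(FakeResponse(set_cookie_value), request)
    return len(jar) > 0


def silently_dropped(set_cookie_values, url="http://www.example.com/"):
    """List the header values that were received but left nothing in the jar."""
    return [v for v in set_cookie_values if not jar_accepts(v, url)]


# Constructed sample: a well-formed baseline plus the three header values
# quoted in the report.
SAMPLE = [
    "test=123",
    "test=123; max-age=a",
    "test=123; domain=;",
    "test=123; version=a;",
]

if __name__ == "__main__":
    for value in SAMPLE:
        print("%-24s stored=%s" % (value, jar_accepts(value)))
    for value in silently_dropped(SAMPLE):
        print("WARNING: Set-Cookie received but not stored: %r" % value)
```

Setting http.cookiejar.debug = True and enabling DEBUG-level logging for the "http.cookiejar" logger additionally surfaces the module's own _debug() messages.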