
SimpleCookie.js_output is vulnerable to HTML injection #90309

Open
trungpaaa mannequin opened this issue Dec 22, 2021 · 1 comment
Labels: 3.11 (only security fixes), stdlib (Python modules in the Lib dir), type-security (A security issue)

Comments

trungpaaa mannequin commented Dec 22, 2021

BPO 46151

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2021-12-22.13:26:50.501>
labels = ['type-security', 'library', '3.11']
title = 'SimpleCookie.js_output is vulnerable to HTML injection'
updated_at = <Date 2021-12-22.13:26:50.501>
user = 'https://bugs.python.org/trungpaaa'

bugs.python.org fields:

activity = <Date 2021-12-22.13:26:50.501>
actor = 'trungpaaa'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = ['Library (Lib)']
creation = <Date 2021-12-22.13:26:50.501>
creator = 'trungpaaa'
dependencies = []
files = []
hgrepos = []
issue_num = 46151
keywords = []
message_count = 1.0
messages = ['409035']
nosy_count = 1.0
nosy_names = ['trungpaaa']
pr_nums = []
priority = 'normal'
resolution = None
stage = None
status = 'open'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue46151'
versions = ['Python 3.11']


In /Lib/http/cookies.py, the output from SimpleCookie.js_output might be parsed as HTML if it contained < and >.

```python
from http import cookies
c = cookies.SimpleCookie()
c["fig"] = "newton</script><script>alert(document.domain)</script>"
print(c.js_output())
```

Output of `c.js_output()`:

```html
<script type="text/javascript">
<!-- begin hiding
document.cookie = "fig=\"newton</script><script>alert(document.domain)</script>\"";
// end hiding -->
</script>
```

We can't simply escape all the special characters because the encoding method is treated differently depending on the document types. For example, the following snippet (from The Tangled Web) is safe in HTML but not in XHTML:

```html
<script type="text/javascript">
    var tmp = 'I am harmless! &#x27;+alert(1);// Or am I?';
</script>
```

To avoid messing with the encoding methods, we could encode the cookie string in base64 and let the browser decode it.

Proposed output of `c.js_output()`:

```html
<script type="text/javascript">
document.cookie = base64decode(<ENCODED>);
</script>
```

After searching around on GitHub, I think this function is rarely used so making it deprecated is also an option.
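The following is an added example, not code from the issue or from CPython. It reproduces the breakout the report describes, checks for it, and shows two replacement emitters: one that escapes the HTML-significant characters as JavaScript unicode escapes inside a JSON string literal, and one that follows the reporter's base64 suggestion using the browser's `atob()`. The helper names (`make_cookie`, `breaks_out_of_script`, `js_output_hardened`, `js_output_base64`) are hypothetical.

```python
import base64
import json
from http import cookies

# Constructed payload mirroring the report: it closes the <script> the stdlib emits.
PAYLOAD = "newton</script><script>alert(document.domain)</script>"


def make_cookie(value):
    c = cookies.SimpleCookie()
    c["fig"] = value
    return c


def breaks_out_of_script(markup):
    # The HTML tokenizer ends a <script> element at the first "</script" it
    # meets, whatever the JavaScript quoting around it. The emitter's own
    # closing tag accounts for one occurrence; any further one is a breakout.
    return markup.lower().count("</script") > 1


def js_output_hardened(cookie):
    # Hypothetical replacement for SimpleCookie.js_output (not CPython code):
    # json.dumps yields a valid JS string literal, then the HTML-significant
    # characters become JS unicode escapes. The HTML parser never sees a tag,
    # while JavaScript decodes the escapes back to the original characters.
    lines = []
    for morsel in cookie.values():
        literal = json.dumps(morsel.OutputString())
        literal = (literal.replace("<", "\\u003c")
                          .replace(">", "\\u003e")
                          .replace("&", "\\u0026"))
        lines.append(f"document.cookie = {literal};")
    return '<script type="text/javascript">\n' + "\n".join(lines) + "\n</script>"


def js_output_base64(cookie):
    # The reporter's base64 idea: the alphabet has no <, >, & or quotes, so the
    # markup cannot be broken; atob() is the browser's decoder. Assumes ASCII
    # cookie strings, which is what OutputString produces for this payload.
    lines = []
    for morsel in cookie.values():
        b64 = base64.b64encode(morsel.OutputString().encode("ascii")).decode("ascii")
        lines.append(f'document.cookie = atob("{b64}");')
    return '<script type="text/javascript">\n' + "\n".join(lines) + "\n</script>"


if __name__ == "__main__":
    c = make_cookie(PAYLOAD)
    print("stdlib breaks out:", breaks_out_of_script(c.js_output()))
    print("hardened breaks out:", breaks_out_of_script(js_output_hardened(c)))
    print(js_output_hardened(c))
```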

@trungpaaa trungpaaa mannequin added 3.11 only security fixes stdlib Python modules in the Lib dir type-security A security issue labels Dec 22, 2021
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022