Process "evil" JSON cookies which contain double quotes

Note that such cookies are in violation of RFC 2965 / 2616. Fixes LP #563229 on this branch.
zopefoundation · Apr 16, 2010 · 06a2a77 · 06a2a77
1 parent f2640dc
commit 06a2a77
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 1 deletion.
diff --git a/doc/CHANGES.txt b/doc/CHANGES.txt
@@ -8,6 +8,9 @@ Zope Changes
 
     Bugs Fixed
 
+      - Process "evil" JSON cookies which contain double quotes in violation
+        of RFC 2965 / 2616.  https://bugs.launchpad.net/zope2/+bug/563229
+
       - Ensure that Acquistion wrapper classes always have a ``__getnewargs__``
         method, even if it is not provided by the underlying ExtensionClass.
 

diff --git a/lib/python/ZPublisher/HTTPRequest.py b/lib/python/ZPublisher/HTTPRequest.py
@@ -1509,7 +1509,7 @@ def parse_cookie(text,
                  qparmre=re.compile(
                     '([\x00- ]*([^\x00- ;,="]+)="([^"]*)"([\x00- ]*[;,])?[\x00- ]*)'),
                  parmre=re.compile(
-                    '([\x00- ]*([^\x00- ;,="]+)=([^;,"]*)([\x00- ]*[;,])?[\x00- ]*)'),
+                    '([\x00- ]*([^\x00- ;,="]+)=([^;]*)([\x00- ]*[;,])?[\x00- ]*)'),
                  paramlessre=re.compile(
                     '([\x00- ]*([^\x00- ;,="]+)[\x00- ]*[;,][\x00- ]*)'),
 
@@ -1534,6 +1534,7 @@ def parse_cookie(text,
 
         else:
             # Match evil MSIE cookies ;)
+            # as well as json
 
             mo_p = parmre.match(text)
 

diff --git a/lib/python/ZPublisher/tests/testHTTPRequest.py b/lib/python/ZPublisher/tests/testHTTPRequest.py
@@ -708,6 +708,20 @@ def testCookieParsing(self):
         self.assertEquals(req.cookies['multi2'], 
 	                              'cookie data with unquoted spaces')
 
+    def test_parses_json_cookies(self):
+        # https://bugs.launchpad.net/zope2/+bug/563229
+        # reports cookies in the wild with embedded double quotes (e.g,
+        # JSON-encoded data structures.
+        env = {'SERVER_NAME': 'testingharnas',
+               'SERVER_PORT': '80',
+               'HTTP_COOKIE': 'json={"intkey":123,"stringkey":"blah"}; '
+                              'anothercookie=boring; baz'
+              }
+        req = self._getHTTPRequest(env)
+        self.assertEquals(req.cookies['json'],
+                          '{"intkey":123,"stringkey":"blah"}')
+        self.assertEquals(req.cookies['anothercookie'], 'boring')
+
 TEST_ENVIRON = {
     'CONTENT_TYPE': 'multipart/form-data; boundary=12345',
     'REQUEST_METHOD': 'POST',