From: David Lord <davidism@gmail.com>
Date: Tue, 31 Jan 2023 14:29:34 -0800
Subject: don't strip leading = when parsing cookie
Origin: https://github.com/pallets/werkzeug/commit/8c2b4b82d0cade0d37e6a88e2cd2413878e8ebd4
Bug-Debian: https://bugs.debian.org/1031370
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-23934

---
 CHANGES.rst                 |  2 ++
 src/werkzeug/_internal.py   | 13 +++++++++----
 src/werkzeug/sansio/http.py |  4 ----
 tests/test_http.py          |  4 +++-
 4 files changed, 14 insertions(+), 9 deletions(-)

--- a/src/werkzeug/_internal.py
+++ b/src/werkzeug/_internal.py
@@ -40,7 +40,7 @@ _quote_re = re.compile(br"[\\].")
 _legal_cookie_chars_re = br"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
 _cookie_re = re.compile(
     br"""
-    (?P<key>[^=;]+)
+    (?P<key>[^=;]*)
     (?:\s*=\s*
         (?P<val>
             "(?:[^\\"]|\\.)*" |
@@ -316,16 +316,21 @@ def _cookie_parse_impl(b):
     """Lowlevel cookie parsing facility that operates on bytes."""
     i = 0
     n = len(b)
+    b += b";"
 
     while i < n:
-        match = _cookie_re.search(b + b";", i)
+        match = _cookie_re.match(b, i)
+
         if not match:
             break
 
-        key = match.group("key").strip()
-        value = match.group("val") or b""
         i = match.end(0)
+        key = match.group("key").strip()
+
+        if not key:
+            continue
 
+        value = match.group("val") or b""
         yield _cookie_unquote(key), _cookie_unquote(value)
 
 
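Review bot: The new `if not key: continue` branch in `_cookie_parse_impl` is the security-relevant part of this change and carries no comment, so a later cleanup could remove it unnoticed. Together with the `[^=;]*` key pattern in the first hunk and the switch from `search` to `match`, it appears to make the parser consume a nameless pair such as `=__Host-eq=bad` whole, instead of skipping the `=` and reading the rest as a named cookie. I would add `# Drop nameless cookies; never re-read their value as "name=value".` above the check. The order of `n = len(b)` and `b += b";"` also matters, since the loop bound must exclude the appended terminator, so `# n is the original length; the trailing ";" only lets the last pair match.` beside the append would help. The function's signature is above the changed lines and the rest of `_cookie_re` lies outside the first hunk, so how `match` behaves on input the pattern cannot consume is not visible here.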
--- a/tests/test_http.py
+++ b/tests/test_http.py
@@ -446,6 +446,7 @@ class TestHTTPUtility(object):
         cookies = http.parse_cookie(
             "dismiss-top=6; CP=null*; PHPSESSID=0a539d42abc001cdc762809248d4beed;"
             ' a=42; b="\\";"; ; fo234{=bar;blub=Blah;'
+            "==__Host-eq=bad;__Host-eq=good;"
         )
         assert cookies.to_dict() == {
             "CP": u"null*",
@@ -455,6 +456,7 @@ class TestHTTPUtility(object):
             "b": u'";',
             "fo234{": u"bar",
             "blub": u"Blah",
+            "__Host-eq": "good",
         }
 
     def test_dump_cookie(self):
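Review bot: The regression case is only exercised as `==__Host-eq=bad` inside the large shared fixture string of the previous hunk, so the single-leading-`=` form named in the commit subject is not pinned on its own. The expectation `"__Host-eq": "good"` added here depends on the rejected pair being dropped, but a failure would be hard to read among the other cookies. I would add a focused assertion such as `assert http.parse_cookie("=__Host-eq=bad").to_dict() == {}`, where the expected empty result is inferred from the new empty-key skip. The test method's `def` line is above the first test hunk, so its name and any parametrisation are not visible here.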
