Lax cookie parsing in http.cookies could be a security issue when combined

with non-standard cookie handling in some Web browsers. Reported by Sergey Bobrov.
2025-09-24 17:33:29 +00:00 · 2014-09-17 00:23:55 +02:00 · 2014-09-17 00:23:55 +02:00 · dad182c16e
commit dad182c16e
parent 860c367c29
4 changed files with 16 additions and 1 deletions
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@ -432,6 +432,7 @@ class Morsel(dict):
 _LegalCharsPatt  = r"[\w\d!#%&'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
 _CookiePattern = re.compile(r"""
    (?x)                           # This is a verbose pattern
+    \s*                            # Optional whitespace at start of cookie
    (?P<key>                       # Start of group 'key'
    """ + _LegalCharsPatt + r"""+?   # Any word of at least one letter
    )                              # End of group 'key'
@ -532,7 +533,7 @@ class BaseCookie(dict):

        while 0 <= i < n:
            # Start looking for a cookie
-            match = patt.search(str, i)
+            match = patt.match(str, i)
            if not match:
                # No more cookies
                break