New submission from LCatro <>:

PoC (PHP Version):

 header('Set-Cookie: test=123; max-age=a');  //  PoC 1
 header('Set-Cookie: test=123; domain=;');  //  PoC 2
 header('Set-Cookie: test=123; version=a;');  //  PoC 3

PoC 1 triggers the int() conversion of the max-age value from string to number (lib/ ; given a non-numeric string, this raises an exception:

        try:
            v = int(v)                 #  lib/
        except ValueError:
            _debug("   missing or invalid (non-numeric) value for "
                  "max-age attribute")
            bad_cookie = True
            break                      #  lib/

PoC 2 gives the domain attribute a None value (lib/ , which discards the
current cookie record:
    if k == "domain":                  #  lib/
        if v is None:                  #  lib/
            _debug("   missing value for domain attribute")
            bad_cookie = True
            break                      #  lib/

PoC 3 also triggers an int() conversion exception (lib/ and discards the
current cookie record too:
        version = standard.get("version", None)  #  lib/
        if version is not None:
            try:
                version = int(version)  #  lib/
            except ValueError:
                return None  # invalid version, ignore cookie

These PoCs involve the urllib and requests libraries.
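The following is an added example, not code from the report and not cookielib's own code. It feeds the three Set-Cookie values above, plus a well-formed control cookie, through http.cookiejar (the Python 3 successor of the cookielib module the report refers to) and records which ones a default CookieJar actually stores. It checks only the observable outcome (kept or dropped), since the exact internal branch that rejects a given header can differ between Python versions. The request URL http://example.com/ is a placeholder origin, and the stub response class is an assumption that satisfies only what CookieJar.extract_cookies() requires of a response object (an info() method returning an email.message.Message):

```python
"""Which of the reported Set-Cookie variants does Python's cookie jar keep?

Added example (not from the bug report): runs each header through
http.cookiejar with the default policy and reports kept vs dropped.
"""
import http.cookiejar
import urllib.request
from email.message import Message

# Constructed sample headers: the three from the report plus one control.
SAMPLE_HEADERS = {
    "poc1_nonnumeric_max_age": "test=123; max-age=a",
    "poc2_empty_domain": "test=123; domain=;",
    "poc3_nonnumeric_version": "test=123; version=a;",
    "control_wellformed": "test=123; max-age=60",
}


class _StubResponse:
    """Minimal response stand-in (assumption, not a real urllib response):
    CookieJar.extract_cookies() only calls .info() and expects an object
    with a get_all() method, which email.message.Message provides."""

    def __init__(self, set_cookie_value):
        self._headers = Message()
        # Message.__setitem__ appends a header rather than replacing one.
        self._headers["Set-Cookie"] = set_cookie_value

    def info(self):
        return self._headers


def cookies_accepted(set_cookie_value, url="http://example.com/"):
    """Return the names of the cookies a fresh CookieJar stores for one
    Set-Cookie header, as if received in a response to a request for `url`
    (example.com is a placeholder origin)."""
    jar = http.cookiejar.CookieJar()  # uses DefaultCookiePolicy
    request = urllib.request.Request(url)
    # Parsing (parse_ns_headers etc.) and policy checks (set_ok) both
    # happen inside extract_cookies; a rejected cookie never reaches the jar.
    jar.extract_cookies(_StubResponse(set_cookie_value), request)
    return [cookie.name for cookie in jar]


def classify(headers=SAMPLE_HEADERS):
    """Map each sample label to True (cookie kept) or False (cookie dropped)."""
    return {label: bool(cookies_accepted(value)) for label, value in headers.items()}


if __name__ == "__main__":
    for label, kept in classify().items():
        print(f"{label:28s} {'kept' if kept else 'dropped'}")
```

Run as a script, it prints one line per header. The three reported variants are dropped while the control cookie is kept, which is the discrepancy the report describes: a server can emit a cookie that a browser may accept but that a Python client using the standard cookie jar silently never sees, so any Python-based monitoring or testing tool built on it will under-report such cookies.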

Full Code Analysis (Chinese Version):

components: Library (Lib)
files: poc.php
messages: 313370
nosy: LCatro
priority: normal
severity: normal
status: open
title: Special set-cookie setting will bypass Cookielib
versions: Python 2.7
Added file:

Python tracker <>
Python-bugs-list mailing list
