Log message for revision 110973: Process "evil" JSON cookies which contain double quotes Such cookies violate RFC 2965 / 2616. Fixes LP #563229.
Changed: U Zope/trunk/doc/CHANGES.rst U Zope/trunk/src/ZPublisher/HTTPRequest.py U Zope/trunk/src/ZPublisher/tests/testHTTPRequest.py -=-
Modified: Zope/trunk/doc/CHANGES.rst
===================================================================
--- Zope/trunk/doc/CHANGES.rst 2010-04-16 14:31:41 UTC (rev 110972)
+++ Zope/trunk/doc/CHANGES.rst 2010-04-16 14:34:54 UTC (rev 110973)
@@ -153,6 +153,9 @@
 Bugs Fixed
 ++++++++++
+- LP #563229: Process "evil" JSON cookies which contain double quotes in
+ violation of RFC 2965 / 2616.
+
 - Document ``Products.PluginIndexes.PathIndex.PathIndex.insertEntry`` as an API for use by subclasses.
Modified: Zope/trunk/src/ZPublisher/HTTPRequest.py
===================================================================
--- Zope/trunk/src/ZPublisher/HTTPRequest.py 2010-04-16 14:31:41 UTC (rev 110972)
+++ Zope/trunk/src/ZPublisher/HTTPRequest.py 2010-04-16 14:34:54 UTC (rev 110973)
@@ -1642,7 +1642,7 @@
 QPARMRE= re.compile(
 '([\x00- ]*([^\x00- ;,="]+)="([^"]*)"([\x00- ]*[;,])?[\x00- ]*)')
 PARMRE = re.compile(
- '([\x00- ]*([^\x00- ;,="]+)=([^;,"]*)([\x00- ]*[;,])?[\x00- ]*)')
+ '([\x00- ]*([^\x00- ;,="]+)=([^;]*)([\x00- ]*[;,])?[\x00- ]*)')
 PARAMLESSRE = re.compile(
 '([\x00- ]*([^\x00- ;,="]+)[\x00- ]*[;,][\x00- ]*)')
 def parse_cookie(text,
Modified: Zope/trunk/src/ZPublisher/tests/testHTTPRequest.py
===================================================================
--- Zope/trunk/src/ZPublisher/tests/testHTTPRequest.py 2010-04-16 14:31:41 UTC (rev 110972)
+++ Zope/trunk/src/ZPublisher/tests/testHTTPRequest.py 2010-04-16 14:34:54 UTC (rev 110973)
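Review bot: Dropping `,` and `"` from the value class of PARMRE means a comma no longer terminates an unquoted value, so a header like `a=1, b=2` (constructed example) would now parse as a single cookie `a` carrying `1, b=2` instead of two cookies, while QPARMRE and PARAMLESSRE on the neighbouring lines still list `,` in their separator class `[;,]`, so the three patterns now disagree about what separates cookies. This is presumably unavoidable, since the JSON values the commit targets contain commas, but it is a silent behaviour change for comma-separated headers and nothing in the commit records or tests it. I would add above PARMRE the comment `# Unquoted values may contain ',' and '"' (LP #563229: JSON cookies); only ';' ends the value, so ',' no longer splits unquoted cookies.` and a test asserting the intended result for a comma-separated header. Which of the three patterns parse_cookie tries first cannot be seen here, as parse_cookie's body lies outside the hunk.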
@@ -1003,6 +1003,20 @@
 "HTTPRequest.resolve_url should not emit events")
+ def test_parses_json_cookies(self):
+ # https://bugs.launchpad.net/zope2/+bug/563229
+ # reports cookies in the wild with embedded double quotes (e.g,
+ # JSON-encoded data structures.
+ env = {'SERVER_NAME': 'testingharnas',
+ 'SERVER_PORT': '80',
+ 'HTTP_COOKIE': 'json={"intkey":123,"stringkey":"blah"}; '
+ 'anothercookie=boring; baz'
+ }
+ req = self._makeOne(environ=env)
+ self.assertEquals(req.cookies['json'],
+ '{"intkey":123,"stringkey":"blah"}')
+ self.assertEquals(req.cookies['anothercookie'], 'boring')
+
 TEST_ENVIRON = {
 'CONTENT_TYPE': 'multipart/form-data; boundary=12345',
 'REQUEST_METHOD': 'POST',
_______________________________________________ Zope-Checkins maillist - Zope-Checkins@zope.org https://mail.zope.org/mailman/listinfo/zope-checkins
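Review bot: The comment in test_parses_json_cookies opens a parenthesis at `(e.g,` that the following line never closes, and the test asserts nothing about the bare `baz` item the cookie header ends with, so the comment and the assertions under-specify what the test pins down. I would reword the comment to `# reports cookies in the wild with embedded double quotes (e.g. JSON-encoded data structures).`, prefer `assertEqual` over the `assertEquals` alias on both assertions, and add an assertion on how the bare `baz` item ends up in `req.cookies` so the parameterless path is covered as well. The enclosing test class starts outside the hunk.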