#26158 closed Bug (fixed)
cookie parsing fails with python 3.x if request contains unnamed cookie
Reported by: | Andreas Dolk | Owned by: | Tim Graham |
---|---|---|---|
Component: | HTTP handling | Version: | 1.8 |
Severity: | Normal | Keywords: | cookie python3 |
Cc: | will@…, zachborboa@… | Triage Stage: | Ready for checkin |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Example:
from http import cookies good_cookie = 'csrftoken=5lkzK7FCI2iWy2xi7wbZPI7P26qbspIE; django_language=en' print(cookies.parse_cookie(good_cookie)) bad_cookie = 'csrftoken=5lkzK7FCI2iWy2xi7wbZPI7P26qbspIE; unnamed; django_language=en' print(cookies.parse_cookie(bad_cookie))
Output:
{'csrftoken': '5lkzK7FCI2iWy2xi7wbZPI7P26qbspIE', 'django_language': 'en'} {}
This parsing method is used during processing WSGI requests (see: django.core.handlers.wsgi.py)
If a request contains at least one nameless cookie, then the parser result is an empty dictionary. The nameless cookie may be present in the client (browser) and this cause at least two serious problems for django:
- django will not see the session cookie (user is asked to login again)
- csrf validation fails with an error message (csrf cookie not set - because the middleware doesn't see it)
It worked, btw., with python 2.7.
Remark:
Nameless cookies shouldn't happen - but in our case there's a different web application on the parent domain that sometimes sets a nameless cookie. Even though that this is a bug, it makes our django app quite unusable due to the cookie parsing and we'd have to ask the users to constantly delete the cookies on their browsers (or avoid the other app). Those cookies are evil but we have to expect them in real life :/
Change History (13)
comment:1 by , 9 years ago
comment:2 by , 9 years ago
Django relies on the python core module http.cookies for parsing the cookie strings. Right now, django apps that run with python 3.x are vulnerable and stop working, if the request contains a nameless cookie. It would be great, if the python devs accepted this as a bug (i.e. ignore unnamed cookies and create all the others instead on none). But there's no guarantee and in the ends, it's not python but our django app (and our clients) that stops working...
An alternative could be to split the cookie at ';' and load the cookies one by one. As far as I understand, the correct cookies will be created, the unnamed ones ignored.
So instead of doing
c.load(cookie)
something like
[c.load(_cookie) for _cookie in cookie.split(';')]
(Just for the idea, don't know if escaped semicolons are allowed in cookie values - but it would do the trick of filtering the unnamed cookies and keeping the correct ones)
comment:3 by , 9 years ago
As mentioned in the upstream ticket, blindly splitting on ;
could be a problem because an attacker might sent semicolons inside the cookie itself. Example from upstream: name="some;value"
.
comment:4 by , 9 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
Triage Stage: | Unreviewed → Accepted |
I'll assign this to myself for further investigation.
comment:5 by , 9 years ago
Cc: | added |
---|
comment:6 by , 9 years ago
Cc: | added |
---|
comment:7 by , 9 years ago
It should be safe to hard split on semicolon. name="some;value"
is not valid, even though it's quoted. I think raw double quotes, commas, semicolons and backslashes are _always_ invalid characters in cookie values.
From https://tools.ietf.org/html/rfc6265:
cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE ) cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E ; US-ASCII characters excluding CTLs, ; whitespace DQUOTE, comma, semicolon, ; and backslash
comment:8 by , 9 years ago
Has patch: | set |
---|---|
Patch needs improvement: | set |
Collin proposed to remove Django's reliance on Python's cookie parsing.
comment:9 by , 9 years ago
Patch needs improvement: | unset |
---|
comment:10 by , 9 years ago
Triage Stage: | Accepted → Ready for checkin |
---|
This is likely due to https://hg.python.org/cpython/rev/9e765e65e5cb. A related report in Django is #25458, but I transferred it to a Python ticket: https://bugs.python.org/issue25228. I guess any changes to mitigate this issue should probably handled in Python as well. I'm not sure it can be fixed without reintroduced the security issue fixed in Python, but my understanding of the issue is limited.