Opened 3 weeks ago

Closed 3 weeks ago

#36547 closed New feature (invalid)

Construction of a cookie using user-supplied input

Reported by: pTr Owned by: pTr
Component: Uncategorized Version: 5.2
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

In the following cases, a cookie is constructed for a Flask response using user input. The first uses set_cookie, and the second sets a cookie's raw value through the set-cookie header.

from flask import request, make_response


@app.route("/1")
def set_cookie():
    resp = make_response()
    resp.set_cookie(request.args["name"], # BAD: User input is used to set the cookie's name and value
                    value=request.args["name"])
    return resp


@app.route("/2")
def set_cookie_header():
    resp = make_response()
    resp.headers['Set-Cookie'] = f"{request.args['name']}={request.args['name']};" # BAD: User input is used to set the raw cookie header.
    return resp

https://en.wikipedia.org/wiki/Session_fixation

Change History (2)

comment:2 by Sarah Boyce, 3 weeks ago

Resolution: invalid
Status: assignedclosed

Hello, this ticket is not very clear. This appears to be a "New Feature" request, but the attached PR implies a bug in set_language

Note that if you believe there is a bug, you should have a test/steps to reproduce for us to confirm there is an issue. In this case, lang_code is validated by check_for_language, so I don't think the added quote call is required

Note: See TracTickets for help on using tickets.
Back to Top