8000 Make join_header_words() more similar to the original · Issue #130631 · python/cpython · GitHub
[go: up one dir, main page]
Skip to content
Make join_header_words() more similar to the original #130631
New issue
New issue
Closed
Closed
Make join_header_words() more similar to the original#130631
Labels
3.13bugs and security fixes3.14bugs and security fixesstdlibPython modules in the Lib dirtype-bugAn unexpected behavior, bug, or error
@serhiy-storchaka

Description

@serhiy-storchaka
serhiy-storchaka
opened on Feb 27, 2025

Currently http.cookiejar.join_header_words() uses re.search(r"^\w+$", v) to check whether the value can be represented as a token, unquoted. There are some red flags here:

  1. \w looks arbitrary. And it is. The original Perl implementation (it is now in HTTP::Headers::Util) uses a set of characters documented in the split_header_words() docstring. On one side, it allows more characters (like "." or "-") be unquoted, on other hand, it requires quoting non-ASCII letters and digits.
  2. $ matches not only the end of the string, but also a position just before \n. So this pattern does not work for value containing \n. I do not know whether such values are supported at higher level, but currently that code is prone to header injection.
  3. Using search() with anchors at both ends for testing the whole string is very outdated, this patterns precedes the current re module. First, match() was added to testing the match from beginning, and later fullmatch() was added for testing the whole string.

Linked PRs

Metadata

Metadata

Assignees

No one assigned

    Labels

    3.13bugs and security fixes3.14bugs and security fixesstdlibPython modules in the Lib dirtype-bugAn unexpected behavior, bug, or error

    Projects

    Cookies issues 🍪

    Status

    Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions
      0