SimpleCookie.js_output is vulnerable to HTML injection

[trungpaaa]

BPO	46151

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2021-12-22.13:26:50.501>
labels = ['type-security', 'library', '3.11']
title = 'SimpleCookie.js_output is vulnerable to HTML injection'
updated_at = <Date 2021-12-22.13:26:50.501>
user = 'https://bugs.python.org/trungpaaa'

bugs.python.org fields:

activity = <Date 2021-12-22.13:26:50.501>
actor = 'trungpaaa'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = ['Library (Lib)']
creation = <Date 2021-12-22.13:26:50.501>
creator = 'trungpaaa'
dependencies = []
files = []
hgrepos = []
issue_num = 46151
keywords = []
message_count = 1.0
messages = ['409035']
nosy_count = 1.0
nosy_names = ['trungpaaa']
pr_nums = []
priority = 'normal'
resolution = None
stage = None
status = 'open'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue46151'
versions = ['Python 3.11']

Linked PRs

• gh-90309: Base64-encode cookie values embedded in JS #148848

[trungpaaa]

In /Lib/http/cookies.py, the output from SimpleCookie.js_output might be parsed as HTML if it contained < and >.

from http import cookies
c = cookies.SimpleCookie()
c["fig"] = "newton</script><script>alert(document.domain)</script>";

// c.js_output()

<script type="text/javascript">
<!-- begin hiding
document.cookie = "fig=\"newton</script><script>alert(document.domain)</script>\"";
// end hiding -->
</script>

We can't simply escape all the special characters because the encoding method is treated differently depending on the document types. For example, the following snippet (from The Tangled Web) is safe in HTML but not in XHTML:

<script type="text/javascript">
    var tmp = 'I am harmless! &#x27;+alert(1);// Or am I?';
</script>

To avoid messing with the encoding methods, we could encode the cookie string in base64 and let the browser decode it.

// c.js_output()
<script type="text/javascript">
document.cookie = base64decode(<ENCODED>);
</script>

After searching around on Github, I think this function is rarely used so making it deprecated is also an option.

[serhiy-storchaka]

I have not found any use of that method on GitHub. Only forks of the stdlib and typeshed, and variables with accidentally same name.

It seems that it was written when support of <script> in browsers was rare. I do not think that "<!-- begin hiding" is valid JavaScript. This code will likely does not work in modern browsers.

I support deprecation of js_output().

[sethmlarson]

I also support deprecation of this function.