[CVE-2018-20852] Cookie domain check returns incorrect results

[bobunderson]

BPO	35121
Nosy	@orsenthil, @vstinner, @larryhastings, @benjaminp, @ned-deily, @ambv, @vadmium, @serhiy-storchaka, @miss-islington, @Windsooon, @tirkarthi, @bobunderson, @ret2libc
PRs	bpo-35121: prefix dot in domain for proper subdomain validation #10258 [3.6] bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258) #12260 [3.7] bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258) #12261 [3.4] bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258) #12279 [3.5] bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258) #12281 [2.7] bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258) #13426

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = 'https://github.com/benjaminp'
closed_at = <Date 2019-06-15.16:38:00.513>
created_at = <Date 2018-10-31.06:52:48.946>
labels = ['type-security', '3.8', '3.7', 'library', 'release-blocker']
title = '[CVE-2018-20852] Cookie domain check returns incorrect results'
updated_at = <Date 2019-07-15.09:42:01.659>
user = 'https://github.com/bobunderson'

bugs.python.org fields:

activity = <Date 2019-07-15.09:42:01.659>
actor = 'vstinner'
assignee = 'benjamin.peterson'
closed = True
closed_date = <Date 2019-06-15.16:38:00.513>
closer = 'xtreak'
components = ['Library (Lib)']
creation = <Date 2018-10-31.06:52:48.946>
creator = '\xe8\xa5\xbf\xe7\x94\xb0\xe9\x9b\x84\xe6\xb2\xbb'
dependencies = []
files = []
hgrepos = []
issue_num = 35121
keywords = ['patch', 'security_issue']
message_count = 30.0
messages = ['328973', '328975', '328981', '328985', '329176', '329179', '332299', '332576', '332583', '332920', '335386', '337588', '337590', '337592', '337593', '337598', '337600', '337601', '338109', '338114', '338152', '344555', '344556', '344560', '345689', '345700', '345736', '346748', '346749', '347951']
nosy_count = 13.0
nosy_names = ['orsenthil', 'vstinner', 'larry', 'benjamin.peterson', 'ned.deily', 'lukasz.langa', 'martin.panter', 'serhiy.storchaka', 'miss-islington', 'Windson Yang', 'xtreak', '\xe8\xa5\xbf\xe7\x94\xb0\xe9\x9b\x84\xe6\xb2\xbb', 'rschiron']
pr_nums = ['10258', '12260', '12261', '12279', '12281', '13426']
priority = 'release blocker'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue35121'
versions = ['Python 2.7', 'Python 3.4', 'Python 3.5', 'Python 3.6', 'Python 3.7', 'Python 3.8']

[bobunderson]

http.cookiejar.DefaultPolicy.domain_return_ok returns incorrect results.

So, HTTP clients send cookies which issued from wrong server.

policy = http.cookiejar.DefaultCookiePolicy()
req = urllib.request.Request('https://xxxfoo.co.jp/')
print(policy.domain_return_ok('foo.co.jp', req)   # should be False, but it returns True

[tirkarthi]

The current set of tests are at

cpython/Lib/test/test_http_cookiejar.py

Line 406 in 0353b4e

def test_domain_return_ok(self):

. A simple set of tuple that can be added based on the report as below :

("http://barfoo.com", ".foo.com", False)
("http://barfoo.com", "foo.com", False) # Fails on master

The check is done at

cpython/Lib/http/cookiejar.py

Line 1176 in 0353b4e

if not (req_host.endswith(domain) or erhn.endswith(domain)):

. There is no check to add '.' before domain if absent. Hence it performs a substring match with the values req_host = ".barfoo.com" and erhn = ".barfoo.com" and domain = "foo.com" so the condition not (req_host.endswith(domain) or erhn.endswith(domain)) fails and doesn't return False. I would suggest adding a check to make sure domain also starts with '.' similar to req_host and erhn thus fixing the issue. I tried the fix and existing tests along with the reported case works fine.

diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py
index 0ba8200f32..da7462701b 100644
--- a/Lib/http/cookiejar.py
+++ b/Lib/http/cookiejar.py
@@ -1173,6 +1173,8 @@ class DefaultCookiePolicy(CookiePolicy):
             req_host = "."+req_host
         if not erhn.startswith("."):
             erhn = "."+erhn
+        if not domain.startswith("."):
+            domain = "."+domain
         if not (req_host.endswith(domain) or erhn.endswith(domain)):
             #_debug("   request domain %s does not match cookie domain %s",
             #       req_host, domain)

("http://barfoo.com", ".foo.com", False)
("http://barfoo.com", "foo.com", False) # Tests pass with fix

Also tried the script attached in the report

$ cat ../backups/bpo35121.py

import urllib
from http.cookiejar import DefaultCookiePolicy

policy = DefaultCookiePolicy()
req = urllib.request.Request('https://xxxfoo.co.jp/')
print(policy.domain_return_ok('foo.co.jp', req))

# without fix

$ ./python.exe ../backups/bpo35121.py
True

# With domain fix

$ ./python.exe ../backups/bpo35121.py
False

The check was added in 2004 with commit 2a6ba90 . If my fix is correct I am willing to raise a PR for this with test.

Hope it helps!

[bobunderson]

I think that is desired result. thanks!

[tirkarthi]

Thanks for the confirmation. I have created a PR (#10258) with test and added 3.8 as affected version. Please add in if I have missed anything in the PR.

[Windsooon]

I wonder https://github.com/python/cpython/blob/master/Lib/test/test_http_cookiejar.py#L420

("http://foo.bar.com/", "com", True),
("http://foo.com/", "com", True),

are expected behavior?

[tirkarthi]

Good catch Windson! I overlooked the tests. There is also a comment that it's liberal in the test function. Since the code was added in 2006 I don't if it's ok broken to fix this or not. I will let the reviewers take a call then. There is also domain_match and user_domain_match that perform more tests.

This is only a rough check for performance reasons, so it's not too critical as long as it's sufficiently liberal.

Thanks for your input!

[tirkarthi]

Looking further into this the domain validation makes it little more stricter and can have wider implications. For example requests library uses cookiejar to maintain cookies between sessions. One more case is that domain can be empty so only non-empty domains can be prefixed with dot.

A simple server that sets Cookie with value A=LDJDSFLKSDJLDSF

import SimpleHTTPServer
import logging

class MyHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def do_GET(self):
        self.cookieHeader = self.headers.get('Cookie')
        SimpleHTTPServer.SimpleHTTPRequestHandler.do_GET(self)

    def end_headers(self):
        self.send_my_headers()
        SimpleHTTPServer.SimpleHTTPRequestHandler.end_headers(self)

    def send_my_headers(self):
        self.send_header('Set-Cookie', 'A=LDJDSFLKSDJLDSF')

if __name__ == '__main__':
    SimpleHTTPServer.test(HandlerClass=MyHTTPRequestHandler)

Add below host entry to /etc/hosts

127.0.0.1 test.com
127.0.0.1 1.test.com
127.0.0.1 footest.com

Sample script to demonstrate requests behavior change

import requests

with requests.Session() as s:
    cookies = dict(cookies_are='working')
    m = s.get("http://test.com:8000", cookies=cookies)
    print(m.request.headers)
    m = s.get("http://1.test.com:8000", cookies=cookies)
    print(m.request.headers)
    m = s.get("http://footest.com:8000", cookies=cookies)
    print(m.request.headers)

Before patch :

{'User-Agent': 'python-requests/2.11.1', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/', 'Connection': 'keep-alive', 'Cookie': 'cookies_are=working'}
{'User-Agent': 'python-requests/2.11.1', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/', 'Connection': 'keep-alive', 'Cookie': 'A=LDJDSFLKSDJLDSF; cookies_are=working'}
{'User-Agent': 'python-requests/2.11.1', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Cookie': 'A=LDJDSFLKSDJLDSF; cookies_are=working'}

After patch :

{'User-Agent': 'python-requests/2.11.1', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/', 'Connection': 'keep-alive', 'Cookie': 'cookies_are=working'}
{'User-Agent': 'python-requests/2.11.1', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/', 'Connection': 'keep-alive', 'Cookie': 'A=LDJDSFLKSDJLDSF; cookies_are=working'}
{'User-Agent': 'python-requests/2.11.1', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Cookie': 'cookies_are=working'}

As with my patch since the cookie is set on test.com while making a request to footest.com the cookie is skipped as part of the patch since footest is not a subdomain of test.com but 1.test.com is a subdomain. This is a behavior change to be decided whether worth doing or to document this since in a client with session like requests module connecting to lot of hosts this can potentially pass cookies of test.com to footest.com. A discussion on requests repo on providing the option for user to set a stricter cookie policy : psf/requests#2576

On testing with curl cookie-jar it seems that the cookies are passed even for the subdomain only when it's set and not as part of top level domain.

[tirkarthi]

Also looking at the docs for different frameworks like Flask and Django they recommend setting Domain attribute only for cross-domain cookies.

From Django docs

Use domain if you want to set a cross-domain cookie. For example, domain="example.com" will set a cookie that is readable by the domains www.example.com, blog.example.com, etc. Otherwise, a cookie will only be readable by the domain that set it.

When there is no domain specified then the frameworks seem to set the cookie only for the host only as per RFC 6265. So domain attribute is set all the time and it's just that if the domain attribute is set explicitly by the server with the set_cookie function in the frameworks then the cookiejar has domain_specified set along with dot prefixed for the domain enabling stricter validations. I don't know about the metrics of setting the domain attribute vs not setting it. Checking with a simple Flask app and set_cookie without domain parameter the cookies are passed to suffix domains. With domain passed to set_cookie has dot prefixed and the cookies are not passed to suffix domains.

I also looked into other implementations

• aiohttp - uses cookiejar but has custom domain checks and update cookie methods at https://github.com/aio-libs/aiohttp/blob/49261c192ff225372dffb39056c3c311714b12c5/aiohttp/cookiejar.py#L141 . Thus it's not affected when tested.
• golang implementation - https://github.com/golang/go/blob/50bd1c4d4eb4fac8ddeb5f063c099daccfb71b26/src/net/http/cookiejar/jar.go#L123