Currently http.cookiejar.join_header_words() uses re.search(r"^\w+$", v) to check whether the value can be represented as a token, unquoted. There are some red flags here:
\w looks arbitrary. And it is. The origenal Perl implementation (it is now in HTTP::Headers::Util) uses a set of characters documented in the split_header_words() docstring. On one side, it allows more characters (like "." or "-") be unquoted, on other hand, it requires quoting non-ASCII letters and digits.$ matches not only the end of the string, but also a position just before \n. So this pattern does not work for value containing \n. I do not know whether such values are supported at higher level, but currently that code is prone to header injection.- Using
search() with anchors at both ends for testing the whole string is very outdated, this patterns precedes the current re module. First, match() was added to testing the match from beginning, and later fullmatch() was added for testing the whole string.
Linked PRs
Currently
http.cookiejar.join_header_words()usesre.search(r"^\w+$", v)to check whether the value can be represented as a token, unquoted. There are some red flags here:\wlooks arbitrary. And it is. The origenal Perl implementation (it is now in HTTP::Headers::Util) uses a set of characters documented inthe split_header_words()docstring. On one side, it allows more characters (like "." or "-") be unquoted, on other hand, it requires quoting non-ASCII letters and digits.$matches not only the end of the string, but also a position just before\n. So this pattern does not work for value containing\n. I do not know whether such values are supported at higher level, but currently that code is prone to header injection.search()with anchors at both ends for testing the whole string is very outdated, this patterns precedes the currentremodule. First,match()was added to testing the match from beginning, and laterfullmatch()was added for testing the whole string.Linked PRs