Bug report
Bug description:
76b3923
found by AI/Dirk Mueller at SUSE
4. Regression in http.cookies
The fix for XSS in http.cookies.BaseCookie.js_output uses atob()
in JavaScript to decode a UTF-8 encoded Base64 string. Since atob()
returns a binary string (interpreting bytes as Latin-1), this will
corrupt any cookies containing non-ASCII UTF-8 characters, as the browser
will not correctly decode the multi-byte sequences.
I think this is a valid finding. Basically the Base64 conversion part does not correctly convert UTF-8 then into Latin-1.
CPython versions tested on:
3.12
Operating systems tested on:
Linux
Linked PRs
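The corruption described in the finding, and the byte-level decode that avoids it, as an added example that is not code from the CPython issue or its linked fix; the cookie value and the function names are constructed for illustration:

```javascript
// Added example (not from the CPython issue). Shows why atob() alone
// corrupts a Base64-encoded UTF-8 cookie value and how to decode it safely.

// Constructed sample value: a cookie containing non-ASCII characters.
const SAMPLE_VALUE = "héllo wörld 日本";

// Simulates what a server does before handing the value to JavaScript:
// UTF-8 encode, then Base64 encode (btoa() needs a byte-per-char string).
function encodeForJs(value) {
  const bytes = new TextEncoder().encode(value);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary);
}

// The problematic decode: atob() yields one JS character per byte
// (Latin-1 interpretation), so multi-byte UTF-8 sequences become mojibake.
function decodeWithAtobOnly(b64) {
  return atob(b64);
}

// The correct decode: treat atob()'s output as raw bytes and run them
// through a UTF-8 TextDecoder; fatal:true rejects malformed sequences
// instead of silently substituting U+FFFD.
function decodeUtf8(b64) {
  const binary = atob(b64);
  const bytes = Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Runs the round trip and returns both results so they can be compared.
function demo() {
  const b64 = encodeForJs(SAMPLE_VALUE);
  return {
    b64,
    broken: decodeWithAtobOnly(b64), // wrong for any non-ASCII input
    fixed: decodeUtf8(b64),          // equals SAMPLE_VALUE
  };
}
```

For pure-ASCII values both decoders agree, which is why the regression is easy to miss in tests that never use non-ASCII cookie data.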