From a67e6c856353c04782f38bca6d6c1c3d3287c653 Mon Sep 17 00:00:00 2001 From: Seth Larson Date: Wed, 22 Apr 2026 14:22:31 -0500 Subject: [PATCH] gh-90309: Base64-encode cookie values embedded in JS (cherry picked from commit 76b3923d688c0efc580658476c5f525ec8735104) Co-authored-by: Seth Larson --- Lib/http/cookies.py | 8 ++ Lib/test/test_http_cookies.py | 29 ++++++---- Misc/NEWS.d/next/Security/2026-04-21-13-46-30.gh-issue-90309.srvj9q.rst | 3 + 3 files changed, 27 insertions(+), 13 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2026-04-21-13-46-30.gh-issue-90309.srvj9q.rst Index: Python-3.6.15/Lib/http/cookies.py =================================================================== --- Python-3.6.15.orig/Lib/http/cookies.py 2026-04-27 18:53:43.176817427 +0200 +++ Python-3.6.15/Lib/http/cookies.py 2026-04-27 18:53:43.346539976 +0200 @@ -416,17 +416,21 @@ return '<%s: %s>' % (self.__class__.__name__, self.OutputString()) def js_output(self, attrs=None): + import base64 # Print javascript output_string = self.OutputString(attrs) if _has_control_character(output_string): raise CookieError("Control characters are not allowed in cookies") + # Base64-encode value to avoid template + # injection in cookie values. + output_encoded = base64.b64encode(output_string.encode('utf-8')).decode("ascii") return """ - """ % (output_string.replace('"', r'\"')) + """ % (output_encoded,) def OutputString(self, attrs=None): # Build up our result Index: Python-3.6.15/Lib/test/test_http_cookies.py =================================================================== --- Python-3.6.15.orig/Lib/test/test_http_cookies.py 2026-04-27 18:53:43.177213047 +0200 +++ Python-3.6.15/Lib/test/test_http_cookies.py 2026-04-27 18:53:43.346817911 +0200 @@ -1,5 +1,5 @@ # Simple test suite for http/cookies.py - +import base64 import copy from test.support import (run_unittest, run_doctest, check_warnings, requires_resource, control_characters_c0) @@ -115,17 +115,19 @@ self.assertEqual(C.output(['path']), 'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme') - self.assertEqual(C.js_output(), r""" + cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme; Version=1').decode('ascii') + self.assertEqual(C.js_output(), fr""" """) - self.assertEqual(C.js_output(['path']), r""" + cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme').decode('ascii') + self.assertEqual(C.js_output(['path']), fr""" """) @@ -209,17 +211,19 @@ self.assertEqual(C.output(['path']), 'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme') - self.assertEqual(C.js_output(), r""" + expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1').decode('ascii') + self.assertEqual(C.js_output(), fr""" """) - self.assertEqual(C.js_output(['path']), r""" + expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme').decode('ascii') + self.assertEqual(C.js_output(['path']), fr""" """) @@ -307,13 +311,16 @@ self.assertEqual( M.output(), "Set-Cookie: %s=%s; Path=/foo" % (i, "%s_coded_val" % i)) + expected_encoded_cookie = base64.b64encode( + ("%s=%s; Path=/foo" % (i, "%s_coded_val" % i)).encode("ascii") + ).decode('ascii') expected_js_output = """ - """ % (i, "%s_coded_val" % i) + """ % (expected_encoded_cookie,) self.assertEqual(M.js_output(), expected_js_output) for i in ["foo bar", "foo@bar"]: # Try some illegal characters Index: Python-3.6.15/Misc/NEWS.d/next/Security/2026-04-21-13-46-30.gh-issue-90309.srvj9q.rst =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ Python-3.6.15/Misc/NEWS.d/next/Security/2026-04-21-13-46-30.gh-issue-90309.srvj9q.rst 2026-04-27 18:53:43.347153702 +0200 @@ -0,0 +1,3 @@ +Base64-encode values when embedding cookies to JavaScript using the +:meth:`http.cookies.BaseCookie.js_output` method to avoid injection +and escaping.