diff --git a/CHANGES.rst b/CHANGES.rst index 0d402a3ea..470f70cf7 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -19,6 +19,8 @@ Unreleased :issue:`2529` - ``LimitedStream.read`` works correctly when wrapping a stream that may not return the requested size in one ``read`` call. :issue:`2558` +- A cookie header that starts with ``=`` is treated as an empty key and discarded, + rather than stripping the leading ``==``. Version 2.2.2 diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py index 4636647db..f95207ab2 100644 --- a/src/werkzeug/_internal.py +++ b/src/werkzeug/_internal.py @@ -34,7 +34,7 @@ _legal_cookie_chars_re = rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]" _cookie_re = re.compile( rb""" - (?P[^=;]+) + (?P[^=;]*) (?:\s*=\s* (?P "(?:[^\\"]|\\.)*" | @@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) -> t.Iterator[t.Tuple[bytes, bytes]]: """Lowlevel cookie parsing facility that operates on bytes.""" i = 0 n = len(b) + b += b";" while i < n: - match = _cookie_re.search(b + b";", i) + match = _cookie_re.match(b, i) + if not match: break - key = match.group("key").strip() - value = match.group("val") or b"" i = match.end(0) + key = match.group("key").strip() + + if not key: + continue + value = match.group("val") or b"" yield key, _cookie_unquote(value) diff --git a/src/werkzeug/sansio/http.py b/src/werkzeug/sansio/http.py index 8288882b7..6b2273832 100644 --- a/src/werkzeug/sansio/http.py +++ b/src/werkzeug/sansio/http.py @@ -126,10 +126,6 @@ def parse_cookie( def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]: for key, val in _cookie_parse_impl(cookie): # type: ignore key_str = _to_str(key, charset, errors, allow_none_charset=True) - - if not key_str: - continue - val_str = _to_str(val, charset, errors, allow_none_charset=True) yield key_str, val_str diff --git a/tests/test_http.py b/tests/test_http.py index 8de614422..61940a17c 100644 --- a/tests/test_http.py +++ b/tests/test_http.py @@ -412,7 +412,8 @@ def test_is_resource_modified_for_range_requests(self): def test_parse_cookie(self): cookies = http.parse_cookie( "dismiss-top=6; CP=null*; PHPSESSID=0a539d42abc001cdc762809248d4beed;" - 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d' + 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d;' + "==__Host-eq=bad;__Host-eq=good;" ) assert cookies.to_dict() == { "CP": "null*", @@ -423,6 +424,7 @@ def test_parse_cookie(self): "fo234{": "bar", "blub": "Blah", '"__Secure-c"': "d", + "__Host-eq": "good", } def test_dump_cookie(self):