Python http.cookies.Morsel Header Injection Vulnerability

Vulnerability

A vulnerability in the http.cookies.Morsel class allows user-controlled cookie values and parameters to inject HTTP headers into messages. This issue affects several versions of Python. The vulnerability arises from the absence of proper validation for control characters in cookie names, values, and parameters, which can be exploited to manipulate HTTP headers. The recently released patch addresses this issue by rejecting all control characters in these fields.

Impact

Exploitation of this vulnerability can lead to HTTP header injection, which may be used to manipulate the behavior of the HTTP response or request.

Reproduction

To reproduce this vulnerability, create a SimpleCookie object and load a cookie string that includes control characters in the value. Then print the cookie object, which will show the injected header. Alternatively, set a cookie value directly with control characters, which will also demonstrate the injection when the cookie is output.

Remediation

Users can update to the latest version of Python, where this vulnerability has been patched. Instructions for updating Python can be found in the Python documentation.
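As an added example (not code from this advisory or from CPython), the check the patch description implies, applied at both ends: a Set-Cookie builder that rejects control characters in the name, value and attributes before rendering and re-checks the rendered line, a Cookie-header parser that audits every morsel http.cookies accepted, and a detection helper for response logs. The control-character set (C0 plus DEL) and all function names are assumptions.

```python
import re
from http.cookies import CookieError, SimpleCookie

# Reject C0 controls (0x00-0x1F) and DEL (0x7F). Assumption: this is our
# reading of "reject all control characters"; the exact set is not from the page.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def has_control_chars(text: str) -> bool:
    """True if `text` contains a character that could end or split a header line."""
    return _CONTROL_CHARS.search(text) is not None

def validate_cookie_fields(name: str, value: str, attrs: dict) -> None:
    """Raise ValueError if the name, value or any attribute carries a control char."""
    for field, text in [("name", name), ("value", value), *attrs.items()]:
        if has_control_chars(str(text)):
            raise ValueError(f"control character in cookie {field}: {text!r}")

def build_set_cookie(name: str, value: str, **attrs) -> str:
    """Render one Set-Cookie line, checking the inputs before and the output after."""
    validate_cookie_fields(name, value, attrs)
    cookie = SimpleCookie()
    cookie[name] = value  # the value is quoted by SimpleCookie's own encoder
    for attr, attr_value in attrs.items():
        cookie[name][attr] = attr_value  # attributes such as Path are emitted verbatim
    line = cookie[name].output()
    if has_control_chars(line):  # defence in depth on an unpatched interpreter
        raise ValueError("control character reached the rendered header")
    return line

def parse_cookie_header(raw: str) -> dict:
    """Parse a Cookie header into {name: value}, auditing every morsel load() accepted."""
    cookie = SimpleCookie()
    try:
        cookie.load(raw)
    except CookieError as exc:  # a patched interpreter may refuse the string outright
        raise ValueError(f"rejected cookie string: {exc}") from exc
    for morsel in cookie.values():
        validate_cookie_fields(morsel.key, morsel.coded_value, dict(morsel.items()))
    return {morsel.key: morsel.value for morsel in cookie.values()}

def audit_set_cookie_line(line: str) -> bool:
    """Detection helper for response logs: True if a rendered Set-Cookie line is clean."""
    return not has_control_chars(line)
```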

Added: Jan 20, 2026, 11:38 PM
Updated: Jan 20, 2026, 11:38 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.7
remediation: 0.0
relevance: 2.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.