When parsing cookies, only decode the values

Patch utils to fix cookie parsing [CVE-2020-8184]
rack · Jun 15, 2020 · 1f5763d · 1f5763d · utkarsh2102 · Jun 25, 2020
1 parent c9ff970
commit 1f5763d
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
@@ -212,8 +212,12 @@ def parse_cookies_header(header)
       # The syntax for cookie headers only supports semicolons
       # User Agent -> Server ==
       # Cookie: SID=31d4d96e407aad42; lang=en-US
-      cookies = parse_query(header, ';') { |s| unescape(s) rescue s }
-      cookies.each_with_object({}) { |(k, v), hash| hash[k] = Array === v ? v.first : v }
+      return {} unless header
+      header.split(/[;] */n).each_with_object({}) do |cookie, cookies|
+        next if cookie.empty?
+        key, value = cookie.split('=', 2)
+        cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)
+      end
     end
 
     def add_cookie_to_header(header, key, value)

diff --git a/test/spec_utils.rb b/test/spec_utils.rb
@@ -524,6 +524,10 @@ def initialize(*)
 
     env = Rack::MockRequest.env_for("", "HTTP_COOKIE" => "foo=bar").freeze
     Rack::Utils.parse_cookies(env).must_equal({ "foo" => "bar" })
+
+    env = Rack::MockRequest.env_for("", "HTTP_COOKIE" => "%66oo=baz;foo=bar")
+    cookies = Rack::Utils.parse_cookies(env)
+    cookies.must_equal({ "%66oo" => "baz", "foo" => "bar" })
   end
 
   it "adds new cookies to nil header" do