Can't set JSON formatted values as a cookie value?

Joe Bowman

Aug 30, 2010, 11:10:39 PM
to Tornado Web Server
I noticed today while trying to do a quick hack to test the auth
changes I'm working on for oauth 1.0a and oauth 2 that you can't set
cookies with json as the value?

For example, this fails


  File "tornadoauth.py", line 110, in _on_auth
    self.set_cookie("twitter", '{"test": "val"}')
  File "/home/jbowman/git/tornadoauth/tornado/web.py", line 280, in set_cookie
    raise ValueError("Invalid cookie %r: %r" % (name, value))
ValueError: Invalid cookie 'twitter': '{"test": "val"}'

The check is

        if re.search(r"[\x00-\x20]", name + value):
            # Don't let us accidentally inject bad stuff
            raise ValueError("Invalid cookie %r: %r" % (name, value))


I guess I don't understand the security implications here?

Joe Bowman

Aug 31, 2010, 12:07:31 AM
to Tornado Web Server
For the record a workaround was to tornado.escape.url_escape the
cookie value.

Ben Darnell

Aug 31, 2010, 2:54:40 PM
to python-...@googlegroups.com
On Mon, Aug 30, 2010 at 8:10 PM, Joe Bowman <bowman...@gmail.com> wrote:
> The check is
>
>        if re.search(r"[\x00-\x20]", name + value):
>            # Don't let us accidentally inject bad stuff
>            raise ValueError("Invalid cookie %r: %r" % (name, value))
>
>
> I guess I don't understand the security implications here?

Hmm. I'm not sure the author of that code did either :) In addition
to control characters and whitespace, it looks like semicolons and
quotes might also cause problems (looks like Cookie.BaseCookie can
interpret quotes and backslash escapes, but won't generate them).
Personally I always use tornado's secure cookies, which base64-encode
their payload.

-Ben
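Putting the thread's two points together (the whitespace check Joe hit, and the url-escape and base64 ways around it that Joe and Ben mention) as a small added example; this is not code from the thread or from Tornado itself. It assumes urllib.parse.quote in place of tornado.escape.url_escape, and the base64 branch shows only the encoding step of secure cookies, not the signing.

```python
import base64
import json
import re
from urllib.parse import quote, unquote

# The check quoted in the thread: any control character or whitespace
# (0x00-0x20) in the name or value is rejected.
_TORNADO_CHECK = re.compile(r"[\x00-\x20]")
# RFC 6265 "cookie-octet": printable ASCII minus space, '"', ',', ';' and '\',
# i.e. the extra characters Ben notes a cookie parser may misread.
_COOKIE_OCTETS_ONLY = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")

def passes_tornado_check(name: str, value: str) -> bool:
    """True if the check shown in the thread would accept this cookie."""
    return _TORNADO_CHECK.search(name + value) is None

def is_rfc6265_safe(value: str) -> bool:
    """True if every character of value is a cookie-octet."""
    return _COOKIE_OCTETS_ONLY.match(value) is not None

def encode_json_cookie(payload: dict, scheme: str = "url") -> str:
    """Serialise payload to JSON and make it cookie-safe: 'url' percent-encodes
    it (Joe's workaround, with urllib.parse.quote standing in for
    tornado.escape.url_escape); 'base64' applies the URL-safe base64 that
    secure cookies use for their payload (encoding only, no signature here)."""
    raw = json.dumps(payload, separators=(",", ":"))
    if scheme == "url":
        return quote(raw, safe="")
    if scheme == "base64":
        return base64.urlsafe_b64encode(raw.encode()).decode()
    raise ValueError(f"unknown scheme {scheme!r}")

def decode_json_cookie(value: str, scheme: str = "url") -> dict:
    """Reverse encode_json_cookie; the value is client input, so a malformed
    one raises instead of being silently accepted."""
    if scheme == "url":
        raw = unquote(value)
    elif scheme == "base64":
        raw = base64.urlsafe_b64decode(value.encode()).decode()
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return json.loads(raw)

if __name__ == "__main__":
    print(passes_tornado_check("twitter", '{"test": "val"}'))  # False: has a space
    for scheme in ("url", "base64"):
        enc = encode_json_cookie({"test": "val"}, scheme)
        print(scheme, enc, is_rfc6265_safe(enc), decode_json_cookie(enc, scheme))
```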
