The middleware will echo any received value of the anoncsrf cookie in the Set-Cookie response, as there seems to be no validation of its value. This is a bit similar to a session fixation attack, but I can't think of an easy way of exploiting this because the cookie must already be there - the ability to echo an arbitrary string could however be used in some attacks against TLS and possibly DoS.
Request:
Cookie: anoncsrf=%0d%0a%00asd
Response:
Set-Cookie: anoncsrf=%0d%0a%00asd; expires=Fri, 28-Apr-2017 16:10:05 GMT; httponly; Max-Age=3600; Path=/; secure
The following code in init.py:151 should probably not echo the cookie value if it wasn't set by the server, or at least validate its length and charset:
if use_anon_cookie:
    if ANON_COOKIE in request.COOKIES:
        # The client-supplied value is taken as the key without any validation.
        key = request.COOKIES[ANON_COOKIE]
...
if use_anon_cookie:
    # Set or reset the cache and cookie timeouts.
    # The same unvalidated key is written straight back into Set-Cookie.
    response.set_cookie(ANON_COOKIE, key, max_age=ANON_TIMEOUT,
                        httponly=True, secure=request.is_secure())
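One way to apply the suggested fix, as an added example that is not the middleware's own code: accept the incoming anoncsrf value only if it has the exact length and character set of a server-generated key, and otherwise mint a fresh key instead of echoing the client's string. The constants, the key length of 32, the alphanumeric alphabet and the helper names are assumptions for the example; the real middleware's key format may differ.

```python
import re
import secrets
from typing import Dict, Optional, Tuple

# Hypothetical constants modelled on the middleware in the report (not its code).
ANON_COOKIE = "anoncsrf"
ANON_KEY_LENGTH = 32  # assumed length of a server-generated key
ANON_KEY_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

# A key is valid only if it is exactly ANON_KEY_LENGTH characters drawn from the
# alphabet above; CR, LF, NUL, '%', ';' and anything else are rejected outright.
ANON_KEY_RE = re.compile(r"\A[A-Za-z0-9]{%d}\Z" % ANON_KEY_LENGTH)


def generate_anon_key() -> str:
    """Mint a fresh key the way the server would (constructed stand-in generator)."""
    return "".join(secrets.choice(ANON_KEY_ALPHABET) for _ in range(ANON_KEY_LENGTH))


def is_valid_anon_key(value: Optional[str]) -> bool:
    """Return True only for values shaped like a key the server itself issued."""
    return isinstance(value, str) and ANON_KEY_RE.match(value) is not None


def resolve_anon_key(cookies: Dict[str, str]) -> Tuple[str, bool]:
    """Pick the key to use for this request.

    Returns (key, reissued). A well-formed client value is kept; anything
    malformed or missing is replaced by a new server-generated key, so the
    client's raw string never reaches Set-Cookie.
    """
    value = cookies.get(ANON_COOKIE)
    if is_valid_anon_key(value):
        return value, False
    return generate_anon_key(), True


def build_set_cookie(cookies: Dict[str, str], max_age: int = 3600) -> str:
    """Render the Set-Cookie header the hardened middleware would emit."""
    key, _ = resolve_anon_key(cookies)
    return "%s=%s; Max-Age=%d; Path=/; httponly; secure" % (ANON_COOKIE, key, max_age)


if __name__ == "__main__":
    # Constructed sample: the injected value from the report, and a clean key.
    bad = {ANON_COOKIE: "\r\n\x00asd"}
    good = {ANON_COOKIE: "A" * ANON_KEY_LENGTH}
    print(build_set_cookie(bad))   # fresh key, not the injected bytes
    print(build_set_cookie(good))  # the client's key is kept
```

The check is deliberately a whitelist on shape rather than a blacklist of control characters, so a value the server could not have produced is never reflected, whatever bytes it contains. Reissuing a key also invalidates the fixation angle mentioned above, because a caller cannot choose which key the server will bind to.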