CVE-2016-7401: CSRF protection bypass on a site with Google Analytics

[kazeburo]

https://www.djangoproject.com/weblog/2016/sep/26/security-releases/
https://hackerone.com/reports/26647
(japanese) https://gist.github.com/mala/457a25650950d4daf4144f98159802cc

An interaction between Google Analytics and web server's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection.

Cookie::Baker should remove , from delimiter regexp. And also Plack/t/Plack-Request/cookie.t needs to be fixed.

$ COOKIE_BAKER_PP=1 perl -I./lib -I../Cookie-Baker/lib t/Plack-Request/cookie.t
ok 1 - non-existing keys return undef
ok 2
ok 3
ok 4
ok 5 - When we get multiple values we return the first one (which e.g. Apache does too)
ok 6
ok 7
ok 8
ok 9
ok 10
ok 11
ok 12
ok 13
not ok 14
#   Failed test at t/Plack-Request/cookie.t line 64.
#          got: 'Bar,'
#     expected: 'Bar'
ok 15
1..15

[kazeburo]

Remove this test

$app = sub {
    my $warn = 0;
    local $SIG{__WARN__} = sub { $warn++ };

    my $req = Plack::Request->new(shift);

    is $req->cookies->{Foo}, 'Bar';
    is $warn, 0;

    $req->new_response(200)->finalize;
};

test_psgi $app, sub {
    my $cb  = shift;
    my $req = HTTP::Request->new(GET => "/");
    $req->header(Cookie => 'Foo=Bar,; Bar=Baz;');
    $cb->($req);
};

or change like this

diff --git a/t/Plack-Request/cookie.t b/t/Plack-Request/cookie.t
index 65b94e7..42d2d36 100644
--- a/t/Plack-Request/cookie.t
+++ b/t/Plack-Request/cookie.t
@@ -61,7 +61,7 @@ $app = sub {

     my $req = Plack::Request->new(shift);

-    is $req->cookies->{Foo}, 'Bar';
+    is $req->cookies->{Foo}, 'Bar,';
     is $warn, 0;

     $req->new_response(200)->finalize;

[miyagawa]

Are you fixing Cookie::Baker?

[kazeburo]

Fixed but not released yet

kazeburo/Cookie-Baker@b923892