don't strip leading = when parsing cookie

davidism · davidism · commit 8c2b4b82d0ca · 2023-02-14T07:34:28.000-08:00
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -19,6 +19,8 @@ Unreleased
     :issue:`2529`
 -   ``LimitedStream.read`` works correctly when wrapping a stream that may not return
     the requested size in one ``read`` call. :issue:`2558`
+-   A cookie header that starts with ``=`` is treated as an empty key and discarded,
+    rather than stripping the leading ``==``.
 
 
 Version 2.2.2
diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py
@@ -34,7 +34,7 @@
 _legal_cookie_chars_re = rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
 _cookie_re = re.compile(
     rb"""
-    (?P<key>[^=;]+)
+    (?P<key>[^=;]*)
     (?:\s*=\s*
         (?P<val>
             "(?:[^\\"]|\\.)*" |
@@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) -> t.Iterator[t.Tuple[bytes, bytes]]:
     """Lowlevel cookie parsing facility that operates on bytes."""
     i = 0
     n = len(b)
+    b += b";"
 
     while i < n:
-        match = _cookie_re.search(b + b";", i)
+        match = _cookie_re.match(b, i)
+
         if not match:
             break
 
-        key = match.group("key").strip()
-        value = match.group("val") or b""
         i = match.end(0)
+        key = match.group("key").strip()
+
+        if not key:
+            continue
 
+        value = match.group("val") or b""
         yield key, _cookie_unquote(value)
 
 
diff --git a/src/werkzeug/sansio/http.py b/src/werkzeug/sansio/http.py
@@ -126,10 +126,6 @@ def parse_cookie(
     def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]:
         for key, val in _cookie_parse_impl(cookie):  # type: ignore
             key_str = _to_str(key, charset, errors, allow_none_charset=True)
-
-            if not key_str:
-                continue
-
             val_str = _to_str(val, charset, errors, allow_none_charset=True)
             yield key_str, val_str
 
diff --git a/tests/test_http.py b/tests/test_http.py
@@ -412,7 +412,8 @@ def test_is_resource_modified_for_range_requests(self):
     def test_parse_cookie(self):
         cookies = http.parse_cookie(
             "dismiss-top=6; CP=null*; PHPSESSID=0a539d42abc001cdc762809248d4beed;"
-            'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d'
+            'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d;'
+            "==__Host-eq=bad;__Host-eq=good;"
         )
         assert cookies.to_dict() == {
             "CP": "null*",
@@ -423,6 +424,7 @@ def test_parse_cookie(self):
             "fo234{": "bar",
             "blub": "Blah",
             '"__Secure-c"': "d",
+            "__Host-eq": "good",
         }
 
     def test_dump_cookie(self):
