From 3ac6677d2d249412fcc95668d158ddefd95213d9 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Sat, 24 Oct 2020 11:10:52 -0400
Subject: [PATCH] Sanitize cookies If an invalid cookie from another site breaks the cookie jar, then sanitize it. https://bugs.python.org/issue31456 Performance enhancement through setting a header in javascript in lieu of cookie parsing seems a wise move for the future.
---
 confluent_server/confluent/httpapi.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/confluent_server/confluent/httpapi.py b/confluent_server/confluent/httpapi.py
index a8d96329..c4a52a28 100644
--- a/confluent_server/confluent/httpapi.py
+++ b/confluent_server/confluent/httpapi.py
@@ -286,7 +286,8 @@ def _authorize_request(env, operation):
 if 'HTTP_COOKIE' in env:
 #attempt to use the cookie. If it matches
 cc = RobustCookie()
- cc.load(env['HTTP_COOKIE'])
+ sanitized = '; '.join([x.strip().replace(' ', '_') for x in env['HTTP_COOKIE'].split(';')])
+ cc.load(sanitized)
 if 'confluentsessionid' in cc:
 sessionid = cc['confluentsessionid'].value
 sessid = sessionid
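Review bot: The `replace(' ', '_')` on the new `sanitized` line runs over each whole `name=value` pair, so spaces inside cookie values are rewritten as well as spaces in names, including the `confluentsessionid` value that is read a few lines later and used as the session id. If only whitespace in cookie names upsets the parser (as the linked bpo-31456 report suggests), limiting the rewrite to the name keeps values intact: `name, sep, val = x.strip().partition('=')` and then join `name.replace(' ', '_') + sep + val`. A one-line comment such as `# names containing spaces make the cookie parser stop early (bpo-31456); rewrite them so later cookies are still read` would explain why the header is altered before `cc.load`. `_authorize_request` starts and ends outside this hunk, so how `sessid` is validated afterwards is not visible here.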