Georg Brandl added the comment:

Well, with this change you can again (e.g.) pass "Set-cookie: foo=bar", which isn't a valid cookie. It doesn't reintroduce the same vulnerability, but it will still silently consume invalid cookies (i.e. those with attribute-like tokens up front) and return a seemingly valid one. IMO this is questionable behavior of the kind that can enable exploits, which is also why it was disallowed by the fix of the first vulnerability.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue22796>
_______________________________________