New submission from anatoly techtonik <[EMAIL PROTECTED]>:

Current BaseCookie and SimpleCookie may crash a web application when running on the same domain with other scripts. Other scripts may create invalid cookies that lead to Cookie.CookieError: Illegal key value in Python.

This created problems in:

trac: http://trac.edgewall.org/ticket/2256
mailman: http://bugs.python.org/issue472646
roundup: http://svn.python.org/view/tracker/roundup-src/roundup/cgi/client.py?rev=61320&r1=61200&r2=61320

Test case consists of two scripts - one in PHP and one in Python where the former crashes the latter when run on the same domain through IE6:

------[cookie.php]
<?php
setcookie("cook:test", "php set", time()+60*60);
print_r($_COOKIE);
?>
------------------

------[cookie.py]-
#!/usr/bin/env python
import Cookie
from os import environ as env

C = Cookie.SimpleCookie()
C["CUX2"] = 123
C["CUX2"]['expires'] = 60*60*60

print "Content-Type: text/html"
print C
print # blank line, end of headers

print env["HTTP_COOKIE"]
# Parsing the incoming header is where CookieError is raised
# once the PHP script has set "cook:test".
G = Cookie.SimpleCookie(env["HTTP_COOKIE"])
print "<br/>Next: "
print G
------------------

What would be the pythonic way to avoid people making their own wrappers when stumbling upon the problem?

1. Patch *Cookie classes to display a warning about an invalid Cookie and continue instead of crashing with CookieError
2. Add SilentCookie that ignores invalid Cookies
3. Patch BaseCookie.load method to include an optional attribute to ignore errors. Should it be turned on by default (like in roundup code above)?
4. Add a warning to BaseCookie.load documentation about the pitfall and the need to catch CookieError here http://docs.python.org/dev/library/cookie.html#Cookie.BaseCookie.load

----------
components: Extension Modules
messages: 67443
nosy: techtonik
severity: normal
status: open
title: Invalid cookies crash web applications
versions: Python 2.6, Python 3.0

_______________________________________
Python tracker <[EMAIL PROTECTED]>
<http://bugs.python.org/issue2988>
_______________________________________
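One way to realise options 2 and 3 from the list above, added here as an example (it is not code from the report or from the Cookie module): the header is parsed one pair at a time, so a cookie set by another script on the same domain is skipped and logged instead of aborting the request. It assumes Python 3's `http.cookies` (the renamed `Cookie` module); `load_tolerant` and the sample header are hypothetical, and which names the library treats as illegal depends on its version.

```python
from http.cookies import CookieError, SimpleCookie

# Constructed sample: the PHP cookie from the report (value URL-encoded as a
# browser would send it), a name containing "/", and the application's cookie.
SAMPLE_HEADER = "cook:test=php+set; bad/name=1; CUX2=123"


def load_tolerant(header):
    """Parse a Cookie request header pair by pair.

    Returns (jar, rejected): a SimpleCookie holding every pair the library
    accepted, and a list of (raw_pair, reason) for the ones it did not.
    Assumes ";" does not occur inside a cookie value.
    """
    jar = SimpleCookie()
    rejected = []
    for raw in header.split(";"):
        pair = raw.strip()
        if not pair:
            continue
        probe = SimpleCookie()
        try:
            # A fresh jar per pair: load() may raise CookieError or simply
            # store nothing, but either way only this one pair is affected.
            probe.load(pair)
        except CookieError as exc:
            rejected.append((pair, str(exc)))
            continue
        if not probe:
            rejected.append((pair, "not parsed"))
            continue
        jar.update(probe)
    return jar, rejected


if __name__ == "__main__":
    jar, rejected = load_tolerant(SAMPLE_HEADER)
    print("accepted:", {k: m.value for k, m in jar.items()})
    for pair, reason in rejected:
        # Log rejected pairs so a cookie planted by another script is visible.
        print("rejected:", pair, "-", reason)
```

The application's own cookie (`CUX2`) survives whatever else is in the header, and the rejected list gives operators a record of which foreign cookie names are arriving.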