Martin Panter <vadmium...@gmail.com> added the comment:

I think making a comma start a new cookie is dangerous, and perhaps this 
proposal should be rejected.

I’m not an expert on web programming, but this reminds me of some security 
problems that already affected Python: 
<https://translate.google.com/translate?u=https://habr.com/en/post/272187/>. In 
a web page, JavaScript could set a cookie with a single name and a comma in 
the value.

document.cookie = 'a=b,csrftoken=INJECTED'

Currently, Python in the server would parse that the way the script intended:

>>> C = BaseCookie('a=b,csrftoken=INJECTED')
>>> C['a'].value
'b,csrftoken=INJECTED'
>>> C['csrftoken'].value
KeyError: 'csrftoken'

But with the proposed change, Python would be tricked into parsing it as two 
separate “morsels”:

>>> C['csrftoken'].value
'INJECTED'

----------
nosy: +martin.panter
type: behavior -> enhancement

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue23930>
_______________________________________
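The following is an added example, not code from the tracker thread or from the patch under discussion. It parses the header from the comment with the stdlib `http.cookies.BaseCookie` as it behaves today, models the proposed comma-splitting behaviour as a plain split on `,` (an assumption for illustration only), and adds a small check a server could use to reject cookie headers that two such parsers would read differently; the `HEADER` string and the `_AMBIGUOUS` pattern are constructed for this example.

```python
"""Added example: current vs comma-splitting cookie parsing, plus a check
for values that the two interpretations disagree about."""
import re
from http.cookies import BaseCookie

# Constructed cookie header, mirroring the injection case in the comment.
HEADER = "a=b,csrftoken=INJECTED"


def parse_current(header: str) -> dict:
    """Parse with the stdlib BaseCookie as it behaves today: only ';' (or
    whitespace) separates morsels, so a comma stays inside the value."""
    cookie = BaseCookie()
    cookie.load(header)
    return {name: morsel.value for name, morsel in cookie.items()}


def parse_comma_split(header: str) -> dict:
    """Model of the proposed behaviour (an assumption for illustration, not
    the actual patch): a comma starts a new cookie, so the string is split
    on commas first and each piece is parsed on its own."""
    result = {}
    for piece in header.split(","):
        result.update(parse_current(piece))
    return result


# A value containing "," followed by something shaped like "name=" is exactly
# the input on which the two parsers above disagree.
_AMBIGUOUS = re.compile(r",\s*[^;,=\s]+=")


def ambiguous_morsels(header: str) -> list:
    """Names of morsels whose value would be read differently by a parser that
    treats commas as separators. A server wanting deterministic parsing can
    refuse the request when this list is non-empty."""
    return [name for name, value in parse_current(header).items()
            if _AMBIGUOUS.search(value)]


if __name__ == "__main__":
    print("current  :", parse_current(HEADER))
    print("proposed :", parse_comma_split(HEADER))
    print("ambiguous:", ambiguous_morsels(HEADER))
```

Under today's parser the injected `csrftoken` never becomes a morsel; under the comma-splitting model it does. The `ambiguous_morsels` check flags the `a` morsel in that header and nothing in a normally formed `a=b; csrftoken=REAL` header, so it can act as a guard regardless of which parsing rule a given component applies.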