[issue2988] Invalid cookies crash web applications

2012-08-30 Thread Shish

Shish added the comment:

I'm having problems with this too -- a third party app on the same domain as me 
has set an invalid cookie, and now my app crashes horribly :(

(And even if cherrypy handled the exception and didn't crash completely, it 
would still not be able to use any cookies)

--
nosy: +shish2k

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue2988
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue2988] Invalid cookies crash web applications

2012-08-30 Thread R. David Murray

R. David Murray added the comment:

There is some extensive (and somewhat contentious) discussion of this on issue 
2193.  I myself am sympathetic to having a mode where parsing errors are 
handled in a more convenient fashion, but it would pretty much have to be a new 
feature.

--
nosy: +r.david.murray




[issue2988] Invalid cookies crash web applications

2012-08-27 Thread Wichert Akkerman

Wichert Akkerman added the comment:

I do not agree that this is a fix. Effectively this means that if a user has a 
single cookie that SimpleCookie does not like, a webapp cannot use any cookie 
at all. IMHO at a minimum there should be a way to tell SimpleCookie to ignore 
invalid cookies.

--
nosy: +wichert




[issue2988] Invalid cookies crash web applications

2012-08-27 Thread Wichert Akkerman

Changes by Wichert Akkerman wich...@wiggy.net:


--
versions: +Python 2.7




[issue2988] Invalid cookies crash web applications

2008-05-29 Thread Georg Brandl

Georg Brandl added the comment:

I've added a note in the docs in r63781. In the spirit of "errors should
never pass silently", this seems to me like the best thing to do.

--
nosy: +georg.brandl
resolution:  -> fixed
status: open -> closed




[issue2988] Invalid cookies crash web applications

2008-05-28 Thread anatoly techtonik

New submission from anatoly techtonik:

The current BaseCookie and SimpleCookie may crash a web application when
it runs on the same domain as other scripts. Other scripts may create
invalid cookies that lead to Cookie.CookieError: Illegal key value in
Python.

This created problems in:
trac: http://trac.edgewall.org/ticket/2256
mailman: http://bugs.python.org/issue472646
roundup:
http://svn.python.org/view/tracker/roundup-src/roundup/cgi/client.py?rev=61320&r1=61200&r2=61320

Test case consists of two scripts - one in PHP and one in Python where
the former crashes the latter when run on the same domain through IE6:
--[cookie.php]
<?php

setcookie("cook:test", "php set", time()+60*60);

print_r($_COOKIE);

?>
--

--[cookie.py]-
#!/usr/bin/env python

import Cookie
from os import environ as env

C = Cookie.SimpleCookie()
C["CUX2"] = 123
C["CUX2"]['expires'] = 60*60*60

print "Content-Type: text/html"
print C
print # blank line, end of headers

print env["HTTP_COOKIE"]
# Raises Cookie.CookieError when the header carries the cookie set by cookie.php
G = Cookie.SimpleCookie(env["HTTP_COOKIE"])

print "<br/>Next: "
print G
--


What would be the pythonic way to avoid people making their own wrappers
when stumbling upon the problem?
1. Patch *Cookie classes to display a warning about an invalid Cookie and
continue instead of crashing with CookieError
2. Add SilentCookie that ignores invalid Cookies
3. Patch BaseCookie.load method to include an optional attribute to ignore
errors. Should it be turned on by default (like in the roundup code above)?
4. Add a warning to the BaseCookie.load documentation about the pitfall and
the need to catch CookieError here 
http://docs.python.org/dev/library/cookie.html#Cookie.BaseCookie.load

--
components: Extension Modules
messages: 67443
nosy: techtonik
severity: normal
status: open
title: Invalid cookies crash web applications
versions: Python 2.6, Python 3.0
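
Added example, not part of the original thread or of any project named in it: one way to write the kind of wrapper the submission asks about, using Python 3's `http.cookies` and loading each pair of the `Cookie` header separately so that a name the module rejects is dropped and reported without losing the other cookies. The function name `load_cookies_tolerantly` and the sample header are constructed for illustration.

```python
from http.cookies import SimpleCookie, CookieError


def load_cookies_tolerantly(header):
    """Parse a Cookie request header one pair at a time.

    Returns (accepted, rejected): accepted maps cookie name -> decoded value,
    rejected lists the names (never the values) of the pairs that were dropped,
    so they can be logged without leaking cookie contents.
    """
    accepted, rejected = {}, []
    # Simplification: a quoted value that itself contains ';' would be split here.
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name = pair.split("=", 1)[0].strip()
        jar = SimpleCookie()  # fresh jar per pair: one failure cannot affect the rest
        try:
            jar.load(pair)
        except CookieError:
            rejected.append(name)
            continue
        if name in jar:
            accepted[name] = jar[name].value
        else:
            # The parser gave up without raising (for example, no "=value" part).
            rejected.append(name)
    return accepted, rejected


# Constructed sample header: two well-formed cookies around one whose name
# contains "/", which http.cookies refuses as a key.
SAMPLE_HEADER = "CUX2=123; bad/name=1; sid=abc"

if __name__ == "__main__":
    ok, dropped = load_cookies_tolerantly(SAMPLE_HEADER)
    print("accepted:", ok)
    print("rejected names:", dropped)
```

Loading `SAMPLE_HEADER` in a single `SimpleCookie.load` call raises `CookieError` when it reaches the second pair, which is the whole-header failure the thread describes.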
