Martin Panter added the comment:
The patch at Issue 25228 should partially do what Demian proposed. Anyway, I
think Issue 17340 is basically about the same problem.
--
nosy: +martin.panter
resolution: -> duplicate
status: open -> closed
superseder: -> Handle malformed cookie
Changes by Tim Pierce twpie...@gmail.com:
--
nosy: +Tim Pierce
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue22983
___
___
Python-bugs-list
Changes by Waldemar Parzonka waldemar.parzo...@gmail.com:
--
nosy: +Waldemar.Parzonka
New submission from Demian Brecht:
As found in #22931, if an invalid cookie value is found while parsing, the rest
of the cookie is silently ignored. The expected behavior is undefined in RFC
6265, but does state that if unexpected values are encountered that user agents
MAY ignore an entire
Antoine Pitrou added the comment:
Well, remember that we recently made parsing stricter in response to a security
issue...
--
nosy: +orsenthil, pitrou
Demian Brecht added the comment:
Sure, but this is in regards to the initial matching, not the parsing. Because
the pattern expects RFC conformity, in this cookie string:
Cookie: a=b; c=[; d=r; f=h
The only matching parts will be:
Cookie: a=b;
The rest will be discarded. What I'm proposing
Demian Brecht added the comment:
Sorry, bad example. Replace [ in the previous example with any actually
invalid character.
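
The behaviour described in this thread, as an added example that is not part of the original messages and is not the http.cookies code: a left-to-right matcher that stops at the first pair it cannot match, next to a per-pair parser that skips and reports only the bad pair. The patterns follow the RFC 6265 cookie-pair grammar as an assumption; the function names and the sample header (with a backslash as the invalid character) are constructed.

```python
import re

# Assumption: RFC 6265 grammar, not the pattern http.cookies uses.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"              # cookie-name
OCT = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]"  # cookie-octet
VALUE = f'(?:"{OCT}*"|{OCT}*)'                       # cookie-value
PAIR = re.compile(rf"\s*(?P<name>{TOKEN})=(?P<value>{VALUE})\s*(?:;|$)")
ONE = re.compile(rf"(?P<name>{TOKEN})=(?P<value>{VALUE})")


def parse_sequential(header):
    """Match pairs left to right and stop at the first failure.

    Returns (cookies, tail); tail is the text that was never parsed,
    which a caller that only reads `cookies` would never notice.
    """
    cookies, pos = {}, 0
    while pos < len(header):
        m = PAIR.match(header, pos)
        if not m:
            break                      # everything after pos is dropped
        cookies[m["name"]] = m["value"]
        pos = m.end()
    return cookies, header[pos:].strip()


def parse_per_pair(header):
    """Split on ';' first, validate each pair alone, report rejects."""
    cookies, rejected = {}, []
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = ONE.fullmatch(chunk)
        if m:
            cookies[m["name"]] = m["value"]
        else:
            rejected.append(chunk)     # only the malformed pair is lost
    return cookies, rejected


SAMPLE = r"a=b; c=x\y; d=r; f=h"       # constructed header value

if __name__ == "__main__":
    print(parse_sequential(SAMPLE))
    print(parse_per_pair(SAMPLE))
```

Logging the returned tail or reject list is what turns a silently shortened cookie jar into something an application can notice.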