➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2008-05-28 08:31 by techtonik, last changed 2022-04-11 14:56 by admin. This issue is now closed.
| Messages (5) | |||
|---|---|---|---|
| msg67443 - (view) | Author: anatoly techtonik (techtonik) | Date: 2008-05-28 08:31 | |
Current BaseCookie and SimpleCookie may crash web-application when
running on the same domain with other scripts. Other scripts may create
invalid cookies that lead to Cookie.CookieError: Illegal key value in
Python.
This created problems in:
trac: http://trac.edgewall.org/ticket/2256
mailman: http://bugs.python.org/issue472646
roundup:
http://svn.python.org/view/tracker/roundup-src/roundup/cgi/client.py?rev=61320&r1=61200&r2=61320
Test case consists of two scripts - one in PHP and one in Python where
the former crashes the latter when run on the same domain through IE6:
------[cookie.php]
<?php
setcookie("cook:test", "php set", time()+60*60);
print_r($_COOKIE);
?>
------------------
------[cookie.py]-
#!/usr/bin/env python
import Cookie
from os import environ as env
C = Cookie.SimpleCookie()
C["CUX2"] = 123
C["CUX2"]['expires'] = 60*60*60
print "Content-Type: text/html"
print C
print # blank line, end of headers
print env["HTTP_COOKIE"]
G = Cookie.SimpleCookie(env["HTTP_COOKIE"])
print "<br/>Next: "
print G
------------------
What would be the pythonic way to avoid people making their own wrappers
when stumbling upon the problem?
1. Patch *Cookie classes to display warning about invalid Cookie and
continue instead of crashing with CookieError
2. Add SilentCookie that ignores invalid Cookies
3. Patch BaseCookie.load method to include optional attribute to ignore
errors. Should it be turned on by default (like in roundup code above)
4. Add warning to BaseCookie.load documentation about the pitfall and
the need to catch CookieError here
http://docs.python.org/dev/library/cookie.html#Cookie.BaseCookie.load
|
|||
| msg67475 - (view) | Author: Georg Brandl (georg.brandl) *  |
Date: 2008-05-29 07:39 | |
I've added a note in the docs in r63781. In the spirit of "errors should never pass silently", this seems to me like the best thing to do. |
|||
| msg169205 - (view) | Author: Wichert Akkerman (wichert) | Date: 2012-08-27 15:55 | |
I do not agree that this is a fix. Effectively this means that if a user has a single cookie that SimpleCookie does not like a webapp can not use any cookie at all. Imho at a minimum there should be a way to tell SimpleCookie to ignore invalid cookies. |
|||
| msg169468 - (view) | Author: Shish (shish2k) | Date: 2012-08-30 15:41 | |
I'm having problems with this too -- a third party app on the same domain as me has set an invalid cookie, and now my app crashes horribly :( (And even if cherrypy handled the exception and didn't crash completely, it would still not be able to use any cookies) |
|||
| msg169469 - (view) | Author: R. David Murray (r.david.murray) * |
Date: 2012-08-30 15:47 | |
There is some extensive (and somewhat contentious) discussion of this on issue 2193. I myself am sympathetic to having a mode where parsing errors are handled in a more convenient fashion, but it would pretty much have to be a new feature. |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:56:35 | admin | set | github: 47237 |
| 2012-08-30 15:47:49 | r.david.murray | set | nosy:
+ r.david.murray messages: + msg169469 |
| 2012-08-30 15:41:43 | shish2k | set | nosy:
+ shish2k messages: + msg169468 |
| 2012-08-27 15:56:13 | wichert | set | versions: + Python 2.7 |
| 2012-08-27 15:55:04 | wichert | set | nosy:
+ wichert messages: + msg169205 |
| 2008-05-29 07:39:05 | georg.brandl | set | status: open -> closed resolution: fixed messages: + msg67475 nosy: + georg.brandl |
| 2008-05-28 08:31:24 | techtonik | create | |