Message 260028 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	collinanderson
Recipients	Pathangi Jatinshravan, Tim.Graham, collinanderson, harris, martin.panter, pitrou, r.david.murray
Date	2016-02-10.18:12:51
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1455127972.02.0.303234100231.issue25228@psf.upfronthosting.co.za>
In-reply-to

Content
The issue I'm currently running into, is that although browsers correctly ignore invalid Set-Cookie values, they allow 'any CHAR except CTLs or ";"' in cookie values set via document.cookie. So, if you say document.cookie = 'key=va"lue; path=/', the browser will happily pass 'key=va"lue;' to the server on future requests. So, I like the behavior of this patch, which skips over these invalid cookies and continues parsing. I've cleaned the patch up a little, but it should be the same logically.

The issue I'm currently running into, is that although browsers correctly ignore invalid Set-Cookie values, they allow 'any CHAR except CTLs or ";"' in cookie values set via document.cookie.

So, if you say document.cookie = 'key=va"lue; path=/', the browser will happily pass 'key=va"lue;' to the server on future requests.

So, I like the behavior of this patch, which skips over these invalid cookies and continues parsing. I've cleaned the patch up a little, but it should be the same logically.

History
Date	User	Action	Args
2016-02-10 18:12:52	collinanderson	set	recipients: + collinanderson, pitrou, r.david.murray, martin.panter, Tim.Graham, Pathangi Jatinshravan, harris
2016-02-10 18:12:52	collinanderson	set	messageid: <1455127972.02.0.303234100231.issue25228@psf.upfronthosting.co.za>
2016-02-10 18:12:51	collinanderson	link	issue25228 messages
2016-02-10 18:12:51	collinanderson	create