Title: Invalid cookies crash web applications
Type: Stage:
Components: Extension Modules Versions: Python 3.0, Python 2.7, Python 2.6
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: georg.brandl, r.david.murray, shish2k, techtonik, wichert
Priority: normal Keywords:

Created on 2008-05-28 08:31 by techtonik, last changed 2012-08-30 15:47 by r.david.murray. This issue is now closed.

Messages (5)
msg67443 - (view) Author: anatoly techtonik (techtonik) Date: 2008-05-28 08:31
Current BaseCookie and SimpleCookie may crash web-application when
running on the same domain with other scripts. Other scripts may create
invalid cookies that lead to Cookie.CookieError: Illegal key value in

This created problems in:

Test case consists of two scripts - one in PHP and one in Python where
the former crashes the latter when run on the same domain through IE6:

setcookie("cook:test", "php set", time()+60*60);



#!/usr/bin/env python

import Cookie
from os import environ as env

C = Cookie.SimpleCookie()
C["CUX2"] = 123
C["CUX2"]['expires'] = 60*60*60

print "Content-Type: text/html"
print C
print # blank line, end of headers

print env["HTTP_COOKIE"]
G = Cookie.SimpleCookie(env["HTTP_COOKIE"])

print "<br/>Next: "
print G

What would be the pythonic way to avoid people making their own wrappers
when stumbling upon the problem?
1. Patch *Cookie classes to display warning about invalid Cookie and
continue instead of crashing with CookieError
2. Add SilentCookie that ignores invalid Cookies
3. Patch BaseCookie.load method to include optional attribute to ignore
errors. Should it be turned on by default (like in roundup code above)
4. Add warning to BaseCookie.load documentation about the pitfall and
the need to catch CookieError here
msg67475 - (view) Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2008-05-29 07:39
I've added a note in the docs in r63781. In the spirit of "errors should
never pass silently", this seems to me like the best thing to do.
msg169205 - (view) Author: Wichert Akkerman (wichert) Date: 2012-08-27 15:55
I do not agree that this is a fix. Effectively this means that if a user has a single cookie that SimpleCookie does not like a webapp can not use any cookie at all. Imho at a minimum there should be a way to tell SimpleCookie to ignore invalid cookies.
msg169468 - (view) Author: Shish (shish2k) Date: 2012-08-30 15:41
I'm having problems with this too -- a third party app on the same domain as me has set an invalid cookie, and now my app crashes horribly :(

(And even if cherrypy handled the exception and didn't crash completely, it would still not be able to use any cookies)
msg169469 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2012-08-30 15:47
There is some extensive (and somewhat contentious) discussion of this on issue 2193.  I myself am sympathetic to having a mode where parsing errors are handled in a more convenient fashion, but it would pretty much have to be a new feature.
Date User Action Args
2012-08-30 15:47:49r.david.murraysetnosy: + r.david.murray
messages: + msg169469
2012-08-30 15:41:43shish2ksetnosy: + shish2k
messages: + msg169468
2012-08-27 15:56:13wichertsetversions: + Python 2.7
2012-08-27 15:55:04wichertsetnosy: + wichert
messages: + msg169205
2008-05-29 07:39:05georg.brandlsetstatus: open -> closed
resolution: fixed
messages: + msg67475
nosy: + georg.brandl
2008-05-28 08:31:24techtonikcreate