Author georg.brandl
Recipients Arfrever, Tim.Graham, berker.peksag, georg.brandl, pitrou, r.david.murray
Date 2014-11-04.17:38:58
Message-id <1415122738.96.0.735349785424.issue22796@psf.upfronthosting.co.za>
In-reply-to
Content
Well, with this change you can again (e.g.) pass

"Set-cookie: foo=bar"

which isn't a valid cookie.  It doesn't reintroduce the same vulnerability, but it will still silently consume invalid cookies (i.e. those with attribute-like tokens up front) and return a seemingly valid one.

IMO this is questionable behavior of the kind that can enable exploits, which is also why it was disallowed by the fix of the first vulnerability.
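
The following is an added illustration, not part of the message above and not CPython's `http.cookies` code. It contrasts a parser that silently drops a leading valueless token with one that rejects the whole header. The names `lenient_parse`, `strict_parse`, `InvalidCookie`, the key character set and the flag list are assumptions made for the example, and values containing spaces or quotes are out of scope.

```python
import re

# Assumed key alphabet: HTTP token characters plus ":" (so "Set-cookie:" is one key).
_KEY = re.compile(r"[\w!#$%&'*+\-.^`|~:]+\Z", re.ASCII)
# Assumed set of valueless attributes that may follow a name=value pair.
_FLAGS = {"secure", "httponly"}


class InvalidCookie(ValueError):
    """Raised by strict_parse instead of skipping a malformed item."""


def _items(header):
    """Yield (key, value) per item; value is None when the item has no '='."""
    for raw in re.split(r"[;\s]+", header.strip()):
        if raw:
            key, sep, value = raw.partition("=")
            yield key, (value if sep else None)


def lenient_parse(header):
    """Model of the questioned behaviour: valueless tokens are silently dropped."""
    return {k: v for k, v in _items(header) if v is not None and _KEY.match(k)}


def strict_parse(header):
    """Reject the whole header as soon as one item is not acceptable."""
    cookies, seen_pair = {}, False
    for key, value in _items(header):
        if not _KEY.match(key):
            raise InvalidCookie(f"illegal key {key!r}")
        if value is None:
            # A bare token only makes sense as a flag on a preceding pair.
            if not seen_pair or key.lower() not in _FLAGS:
                raise InvalidCookie(f"unexpected valueless token {key!r}")
            continue
        cookies[key] = value  # attribute pairs such as Path=/ are kept as plain pairs
        seen_pair = True
    return cookies
```
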
History
Date                 User          Action  Args
2014-11-04 17:38:58  georg.brandl  set     recipients: + georg.brandl, pitrou, Arfrever, r.david.murray, berker.peksag, Tim.Graham
2014-11-04 17:38:58  georg.brandl  set     messageid: <1415122738.96.0.735349785424.issue22796@psf.upfronthosting.co.za>
2014-11-04 17:38:58  georg.brandl  link    issue22796 messages
2014-11-04 17:38:58  georg.brandl  create