Message230645
Well, with this change you can again (e.g.) pass
"Set-cookie: foo=bar"
which isn't a valid cookie. It doesn't reintroduce the same vulnerability, but it will still silently consume invalid cookies (i.e. such with attribute-like tokens upfront) and return a seemingly valid one.
IMO this is questionable behavior of the kind that can enable exploits, which is also why it was disallowed by the fix of the first vulnerability. |
|
Date |
User |
Action |
Args |
2014-11-04 17:38:58 | georg.brandl | set | recipients:
+ georg.brandl, pitrou, Arfrever, r.david.murray, berker.peksag, Tim.Graham |
2014-11-04 17:38:58 | georg.brandl | set | messageid: <1415122738.96.0.735349785424.issue22796@psf.upfronthosting.co.za> |
2014-11-04 17:38:58 | georg.brandl | link | issue22796 messages |
2014-11-04 17:38:58 | georg.brandl | create | |
|