This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author martin.panter
Recipients Pathangi Jatinshravan, Tim.Graham, harris, martin.panter, pitrou, r.david.murray
Date 2016-02-08.07:20:29
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
Looking at this a second time, I think I have figured out what the security report was about. Before the fix (before revision 270f61ec1157), an attacker could trick the parser into accepting a separate key=value cookie “morsel”, when it was supposed to be part of some other cookie value. Suppose the “c=d” text was meant to be associated with the “message” key. Before the security fix, “c=d” is separated:

>>> SimpleCookie('a=b; messages=[""]c=d;')
<SimpleCookie: a='b' c='d'>

With the fix applied, we now silently abort the parsing, and there is no spurious “c” key:

>>> SimpleCookie('a=b; messages=[""]c=d;')
<SimpleCookie: a='b'>

This also seems to be described by Sergey Bobrov in Russian at <>.

Looking at the proposed patch again, I think the fix might be okay. Some specifications for cookies allow semicolons to be quoted or escaped, and I was a bit worried that this might be a problem. But all the scenarios I can imagine would be no worse with the patch compared to without it.
Date User Action Args
2016-02-08 07:20:30martin.pantersetrecipients: + martin.panter, pitrou, r.david.murray, Tim.Graham, Pathangi Jatinshravan, harris
2016-02-08 07:20:30martin.pantersetmessageid: <>
2016-02-08 07:20:30martin.panterlinkissue25228 messages
2016-02-08 07:20:29martin.pantercreate