
Author martin.panter
Recipients Kyle Graehl, demian.brecht, martin.panter, remi.lapeyre, riklaunim
Date 2019-01-26.12:15:10
Message-id <1548504910.63.0.772572825822.issue23930@roundup.psfhosted.org>
Content
I think making a comma start a new cookie is dangerous, and perhaps this proposal should be rejected.

I’m not an expert on web programming, but this reminds me of some security problems that already affected Python: <https://translate.google.com/translate?u=https://habr.com/en/post/272187/>. In a web page, JavaScript could set a cookie with a single name and a comma in the value.

document.cookie = 'a=b,csrftoken=INJECTED'

Currently, Python in the server would parse that the way the script intended:

>>> from http.cookies import BaseCookie
>>> C = BaseCookie('a=b,csrftoken=INJECTED')
>>> C['a'].value
'b,csrftoken=INJECTED'
>>> C['csrftoken'].value
KeyError: 'csrftoken'

But with the proposed change, Python would be tricked into parsing it as two separate “morsels”:

>>> C['csrftoken'].value
'INJECTED'
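The injection scenario from the message above, as an added example (not part of the original post or of CPython): the stdlib parser is compared against a hypothetical comma-splitting parser standing in for the proposal, and a helper reports cookie names that only appear under comma splitting. The header value is constructed.

```python
from http.cookies import BaseCookie

# Constructed Cookie header value: one cookie named "a" whose value carries
# a comma, exactly what the document.cookie assignment in the message produces.
HEADER = 'a=b,csrftoken=INJECTED'


def parse_stdlib(header):
    """Parse with http.cookies: ';' separates morsels, ',' stays in the value."""
    jar = BaseCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def parse_comma_split(header):
    """Hypothetical parser modelling the proposal: ',' also starts a new cookie."""
    out = {}
    for part in header.replace(';', ',').split(','):
        name, sep, value = part.strip().partition('=')
        if sep:
            out[name.strip()] = value.strip()
    return out


def names_created_by_comma_splitting(header):
    """Cookie names a comma-splitting parser would see that the stdlib does not.

    A non-empty result means one cookie's value smuggles in another name
    (e.g. a forged CSRF token), which is the risk the message describes.
    """
    return sorted(set(parse_comma_split(header)) - set(parse_stdlib(header)))


if __name__ == '__main__':
    print(parse_stdlib(HEADER))                   # {'a': 'b,csrftoken=INJECTED'}
    print(parse_comma_split(HEADER))              # {'a': 'b', 'csrftoken': 'INJECTED'}
    print(names_created_by_comma_splitting(HEADER))  # ['csrftoken']
```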