Message334389
I think making a comma start a new cookie is dangerous, and perhaps this proposal should be rejected.
I’m not an expert on web programming, but this reminds me of some security problems that already affected Python: <https://translate.google.com/translate?u=https://habr.com/en/post/272187/>. In a web page, JavaScript could set a cookie with a single name and a comma in the value.
document.cookie = 'a=b,csrftoken=INJECTED'
Currently, Python in the server would parse that the way the script intended:
>>> from http.cookies import BaseCookie
>>> C = BaseCookie('a=b,csrftoken=INJECTED')
>>> C['a'].value
'b,csrftoken=INJECTED'
>>> C['csrftoken'].value
KeyError: 'csrftoken'
But with the proposed change, Python would be tricked into parsing it as two separate “morsels”:
>>> C['csrftoken'].value
'INJECTED'

Date | User | Action | Args
2019-01-26 12:15:11 | martin.panter | set | recipients: + martin.panter, demian.brecht, riklaunim, Kyle Graehl, remi.lapeyre
2019-01-26 12:15:10 | martin.panter | set | messageid: <1548504910.63.0.772572825822.issue23930@roundup.psfhosted.org>
2019-01-26 12:15:10 | martin.panter | link | issue23930 messages
2019-01-26 12:15:10 | martin.panter | create |
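As an added illustration (not part of the original message and not CPython's own code), the script below contrasts the stdlib `http.cookies` parser, which keeps the whole `b,csrftoken=INJECTED` string as one value, with a hypothetical comma-splitting parser modelled on the proposal, and adds a server-side check that flags cookie values a comma-splitting parser would read as extra morsels. The header strings are constructed for the example; `parse_comma_split` and `ambiguous_morsels` are names invented here, not stdlib APIs.

```python
import re
from http.cookies import SimpleCookie

# Constructed header value modelled on the message above: a single cookie "a"
# whose value carries a comma followed by what looks like a second name=value pair.
INJECTED_HEADER = "a=b,csrftoken=INJECTED"
# Constructed well-formed header for comparison: two cookies, ';'-separated.
CLEAN_HEADER = "a=b; csrftoken=real"

# Shape of an embedded ",name=" that a comma-splitting parser would promote
# to a new morsel.
_EMBEDDED_PAIR = re.compile(r",\s*[A-Za-z0-9_\-]+\s*=")


def parse_current(header: str) -> dict:
    """Parse with the stdlib http.cookies parser, which treats ',' as an
    ordinary value character and only starts a new morsel at ';'."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def parse_comma_split(header: str) -> dict:
    """Hypothetical parser (an assumption for this example, not CPython code)
    that models the proposed change: ',' and ';' both end a morsel."""
    morsels = {}
    for part in re.split(r"[;,]", header):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            morsels[name.strip()] = value.strip()
    return morsels


def ambiguous_morsels(header: str) -> list:
    """Server-side check: names of morsels (as the stdlib parses them) whose
    value embeds ',name=' and would therefore be read differently by a
    comma-splitting parser. A non-empty result is worth logging or rejecting."""
    return [name for name, value in parse_current(header).items()
            if _EMBEDDED_PAIR.search(value)]


if __name__ == "__main__":
    for header in (INJECTED_HEADER, CLEAN_HEADER):
        print("header:       ", header)
        print("  stdlib:     ", parse_current(header))
        print("  comma-split:", parse_comma_split(header))
        print("  ambiguous:  ", ambiguous_morsels(header))
```

For the well-formed header both parsers agree and the check is empty; for the constructed header only the comma-splitting parser yields a `csrftoken` morsel, and `ambiguous_morsels` names the cookie whose value would be reinterpreted.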