
Author techtonik
Recipients techtonik
Date 2008-05-28.08:31:21
Message-id <1211963484.7.0.388679808819.issue2988@psf.upfronthosting.co.za>
Content
Current BaseCookie and SimpleCookie may crash a web application when
running on the same domain with other scripts. Other scripts may create
invalid cookies that lead to Cookie.CookieError: Illegal key value in
Python.

This created problems in:
    trac: http://trac.edgewall.org/ticket/2256
    mailman: http://bugs.python.org/issue472646
    roundup: http://svn.python.org/view/tracker/roundup-src/roundup/cgi/client.py?rev=61320&r1=61200&r2=61320

The test case consists of two scripts, one in PHP and one in Python, where
the former crashes the latter when run on the same domain through IE6:
------[cookie.php]
<?php

setcookie("cook:test", "php set", time()+60*60);

print_r($_COOKIE);

?>
------------------

------[cookie.py]-
#!/usr/bin/env python

import Cookie
from os import environ as env

C = Cookie.SimpleCookie()
C["CUX2"] = 123
C["CUX2"]['expires'] = 60*60*60

print "Content-Type: text/html"
print C
print # blank line, end of headers

print env["HTTP_COOKIE"]
G = Cookie.SimpleCookie(env["HTTP_COOKIE"])

print "<br/>Next: "
print G
------------------


What would be the pythonic way to avoid people making their own wrappers
when stumbling upon the problem?
1. Patch *Cookie classes to display a warning about an invalid Cookie and
continue instead of crashing with CookieError
2. Add SilentCookie that ignores invalid Cookies
3. Patch the BaseCookie.load method to include an optional attribute to ignore
errors. Should it be turned on by default (like in the roundup code above)?
4. Add a warning to the BaseCookie.load documentation about the pitfall and
the need to catch CookieError here:
http://docs.python.org/dev/library/cookie.html#Cookie.BaseCookie.load
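
A defensive take on options 2 and 3 above, added here as an example (it is not code from the report, from CPython or from roundup): it uses Python 3's `http.cookies` and hands the header to `SimpleCookie` one pair at a time, so a cookie set by another script on the same domain cannot take the application's own cookies down with it. The function name `parse_cookie_header` and the sample header are constructed for illustration.

```python
from http.cookies import SimpleCookie, CookieError

# Constructed sample: the report's two cookies plus one key that is
# certainly illegal and one ordinary session cookie.
SAMPLE_HEADER = "cook:test=php+set; CUX2=123; bad[key]=x; sid=abc"


def parse_cookie_header(header):
    """Parse a Cookie request header one pair at a time.

    Returns (accepted, rejected): accepted maps cookie name to value,
    rejected lists the raw pairs the standard parser would not take,
    so the caller can log them instead of failing the request.
    """
    accepted = {}
    rejected = []
    # Simplification: a Cookie header separates pairs with ";" and this
    # splitter does not support a quoted value that itself contains ";".
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        jar = SimpleCookie()
        try:
            jar.load(pair)
        except CookieError:
            # The parser refused the key outright (the crash in the report).
            rejected.append(pair)
            continue
        if not jar:
            # The parser dropped the pair without raising.
            rejected.append(pair)
            continue
        for name, morsel in jar.items():
            accepted[name] = morsel.value  # a later duplicate name wins
    return accepted, rejected


if __name__ == "__main__":
    good, bad = parse_cookie_header(SAMPLE_HEADER)
    print("accepted:", good)
    print("rejected:", bad)
```

Whether `cook:test` itself is accepted depends on the Python version in use; the application's own cookies survive either way.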