This issue tracker has been migrated to GitHub, and is currently read-only. For more information, see the GitHub FAQs in the Python Developer Guide.
Created on 2009-01-06 21:44 by noufal, last changed 2022-04-11 14:56 by admin. This issue is now closed.
Files

| File name | Uploaded | Description |
|---|---|---|
| cookie.patch | noufal, 2009-01-06 21:44 | Patch to fix js_output for cookies with an unquoted " character |
| cookie-2.patch | vstinner, 2009-01-07 09:37 | |
| issue4860.diff | orsenthil, 2009-04-01 23:33 | |
Messages (8)

msg79292 - Author: Noufal (noufal) - Date: 2009-01-06 21:44
If a cookie is created with a " character in the content, the js_output
which is emitted is bad JavaScript, e.g.

```python
>>> import Cookie
>>> c=Cookie.Cookie('Customer="WILE_E_COYOTE"; Version=1; Path=/acme')
>>> print c
Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme; Version=1
>>> print c.js_output()
<script type="text/javascript">
<!-- begin hiding
document.cookie = "Customer="WILE_E_COYOTE"; Path=/acme; Version=1";
// end hiding -->
</script>
>>>
```
Also, the test_cookie tests (test_load) explicitly check for this
(wrong) output.
I have attached a patch that seems to fix this or at the very least
produces the same Cookie settings whether the cookie is set using the
header or using JavaScript (I've verified this on Firefox on Linux).
msg79312 - Author: STINNER Victor (vstinner) (Python committer) - Date: 2009-01-07 09:37

The patch looks correct but it breaks the unit test: updated patch fixes Lib/test/test_cookie.py.
msg79336 - Author: Noufal (noufal) - Date: 2009-01-07 15:18

A lot of the cookie tests need to be updated. A separate bug was filed regarding this: http://bugs.python.org/issue3788. I'm working on that now and will apply your patch there as well.
msg79339 - Author: STINNER Victor (vstinner) (Python committer) - Date: 2009-01-07 15:25

The characters `<>&` should also be escaped.
msg79909 - Author: Noufal (noufal) - Date: 2009-01-15 18:12

What's wrong with < and >? I can see the issues with ; though.
msg79915 - Author: STINNER Victor (vstinner) (Python committer) - Date: 2009-01-15 19:53

> What's wrong with < and >?

```python
>>> c=Cookie.Cookie('Customer="</script>";'); print c.js_output()
<script type="text/javascript">
<!-- begin hiding
document.cookie = "Customer="</script>"";
// end hiding -->
</script>
```

It allows HTML/JavaScript injection. Well, Python 2.5 already displays
a warning:

    /usr/lib/python2.5/Cookie.py:710: DeprecationWarning:
    Cookie/SmartCookie class is insecure; do not use it

The right fix is maybe to remove the deprecated and insecure function!
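The two failure modes raised in this thread, a `"` inside the cookie value that terminates the JavaScript string literal (msg79292) and a `</script>` inside the value that terminates the script element itself (msg79915), are both closed by encoding the cookie string as a proper JavaScript string literal before interpolating it into the script block. The following is an added example written for this page; it is not code from the attached patches or from CPython's `http.cookies`. The names `js_string_literal`, `safe_js_output`, `script_end_tags` and `demo` are chosen here, and the `SimpleCookie` value is constructed for the demonstration.

```python
# Added example: JavaScript-safe rendering of a Set-Cookie string.
# Not part of the patches on this issue or of CPython's http.cookies.
import json
from http.cookies import SimpleCookie


def js_string_literal(s):
    """Encode s as a JavaScript string literal that is safe to embed inside
    a <script> element.

    json.dumps escapes '"', '\\', control characters and (with ensure_ascii)
    every non-ASCII code point, which covers the unescaped quote from
    msg79292.  '<', '>' and '&' are then \\uXXXX-escaped as well, so neither
    '</script>' (msg79915) nor '<!--' can ever appear literally in the HTML.
    A valid JSON string is a valid JavaScript string literal.
    """
    literal = json.dumps(s, ensure_ascii=True)
    for ch in "<>&":
        literal = literal.replace(ch, "\\u%04x" % ord(ch))
    return literal


def safe_js_output(cookie):
    """Render every Morsel in cookie as a document.cookie assignment, using
    js_string_literal instead of interpolating OutputString() verbatim."""
    lines = ["<script>"]
    for morsel in cookie.values():
        lines.append("document.cookie = %s;"
                     % js_string_literal(morsel.OutputString()))
    lines.append("</script>")
    return "\n".join(lines)


def script_end_tags(html):
    """Count '</script' occurrences, case-insensitively.  A single
    well-formed script block has exactly one; any more means cookie data
    can close the element early and inject markup after it."""
    return html.lower().count("</script")


def demo():
    """Constructed cookie: the payload from msg79915 plus a Path attribute.
    Returns (stdlib js_output, hardened output) for side-by-side comparison."""
    c = SimpleCookie()
    c["Customer"] = "</script>"
    c["Customer"]["path"] = "/acme"
    return c.js_output(), safe_js_output(c)


if __name__ == "__main__":
    stdlib_out, hardened_out = demo()
    print("stdlib js_output: %d '</script' tag(s)" % script_end_tags(stdlib_out))
    print(stdlib_out)
    print("hardened output:  %d '</script' tag(s)" % script_end_tags(hardened_out))
    print(hardened_out)
```

Running the script prints whatever `js_output()` your interpreter's `http.cookies` produces for the `</script>` payload next to the hardened form, and counts closing script tags in each; the hardened form always contains exactly one. The `\uXXXX` form is used rather than HTML entities because the string sits inside a script element, where entities are not decoded but JavaScript escapes are.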
msg85121 - Author: Senthil Kumaran (orsenthil) (Python committer) - Date: 2009-04-01 23:33

Cookie.Cookie is deprecated in Py2k. In Py3k, it is http.cookies.SimpleCookie. The bug was present in Py3k; the attached patch fixes it.
msg85149 - Author: Senthil Kumaran (orsenthil) (Python committer) - Date: 2009-04-02 03:04

Because the SimpleCookie class is still usable (that is, not deprecated), it makes sense to back port to Py2.7. Applied the patches in revisions r71030 and r71029. Thanks.
History

| Date | User | Action | Args |
|---|---|---|---|
| 2022-04-11 14:56:43 | admin | set | github: 49110 |
| 2009-04-02 03:04:54 | orsenthil | set | status: open -> closed; messages: + msg85149; versions: + Python 3.1 |
| 2009-04-01 23:33:13 | orsenthil | set | files: + issue4860.diff; nosy: + orsenthil; messages: + msg85121; assignee: orsenthil; resolution: accepted |
| 2009-01-15 19:53:55 | vstinner | set | messages: + msg79915 |
| 2009-01-15 18:12:29 | noufal | set | messages: + msg79909 |
| 2009-01-07 15:25:14 | vstinner | set | messages: + msg79339 |
| 2009-01-07 15:18:14 | noufal | set | messages: + msg79336 |
| 2009-01-07 09:37:19 | vstinner | set | files: + cookie-2.patch; nosy: + vstinner; messages: + msg79312 |
| 2009-01-06 21:44:10 | noufal | create | |