Issue 2988: Invalid cookies crash web applications (original) (raw)
Created on 2008-05-28 08:31 by techtonik, last changed 2022-04-11 14:56 by admin. This issue is now closed.
| Messages (5) | ||
|---|---|---|
| msg67443 - (view) | Author: anatoly techtonik (techtonik) | Date: 2008-05-28 08:31 |
| Current BaseCookie and SimpleCookie may crash web-application when running on the same domain with other scripts. Other scripts may create invalid cookies that lead to Cookie.CookieError: Illegal key value in Python. This created problems in: trac: http://trac.edgewall.org/ticket/2256 mailman: http://bugs.python.org/issue472646 roundup: http://svn.python.org/view/tracker/roundup-src/roundup/cgi/client.py?rev=61320&r1=61200&r2=61320 Test case consists of two scripts - one in PHP and one in Python where the former crashes the latter when run on the same domain through IE6: ------[cookie.php] ------------------ ------[cookie.py]- #!/usr/bin/env python import Cookie from os import environ as env C = Cookie.SimpleCookie() C["CUX2"] = 123 C["CUX2"]['expires'] = 60*60*60 print "Content-Type: text/html" print C print # blank line, end of headers print env["HTTP_COOKIE"] G = Cookie.SimpleCookie(env["HTTP_COOKIE"]) print " Next: " print G ------------------ What would be the pythonic way to avoid people making their own wrappers when stumbling upon the problem? 1. Patch *Cookie classes to display warning about invalid Cookie and continue instead of crashing with CookieError 2. Add SilentCookie that ignores invalid Cookies 3. Patch BaseCookie.load method to include optional attribute to ignore errors. Should it be turned on by default (like in roundup code above) 4. Add warning to BaseCookie.load documentation about the pitfall and the need to catch CookieError here http://docs.python.org/dev/library/cookie.html#Cookie.BaseCookie.load |
||
| msg67475 - (view) | Author: Georg Brandl (georg.brandl) *  |
Date: 2008-05-29 07:39 |
| I've added a note in the docs in r63781. In the spirit of "errors should never pass silently", this seems to me like the best thing to do. | ||
| msg169205 - (view) | Author: Wichert Akkerman (wichert) | Date: 2012-08-27 15:55 |
| I do not agree that this is a fix. Effectively this means that if a user has a single cookie that SimpleCookie does not like a webapp can not use any cookie at all. Imho at a minimum there should be a way to tell SimpleCookie to ignore invalid cookies. | ||
| msg169468 - (view) | Author: Shish (shish2k) | Date: 2012-08-30 15:41 |
| I'm having problems with this too -- a third party app on the same domain as me has set an invalid cookie, and now my app crashes horribly :( (And even if cherrypy handled the exception and didn't crash completely, it would still not be able to use any cookies) | ||
| msg169469 - (view) | Author: R. David Murray (r.david.murray) * |
Date: 2012-08-30 15:47 |
| There is some extensive (and somewhat contentious) discussion of this on issue 2193. I myself am sympathetic to having a mode where parsing errors are handled in a more convenient fashion, but it would pretty much have to be a new feature. |
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:56:35 | admin | set | github: 47237 |
| 2012-08-30 15:47:49 | r.david.murray | set | nosy: + r.david.murraymessages: + |
| 2012-08-30 15:41:43 | shish2k | set | nosy: + shish2kmessages: + |
| 2012-08-27 15:56:13 | wichert | set | versions: + Python 2.7 |
| 2012-08-27 15:55:04 | wichert | set | nosy: + wichertmessages: + |
| 2008-05-29 07:39:05 | georg.brandl | set | status: open -> closedresolution: fixedmessages: + nosy: + georg.brandl |
| 2008-05-28 08:31:24 | techtonik | create |