Commit Graph

14 Commits

Author SHA1 Message Date
Antoine Pitrou b1e36073cd Issue #22796: HTTP cookie parsing is now stricter, in order to protect against potential injection attacks. 2014-11-21 01:20:57 +01:00
Serhiy Storchaka 8cf7c1cff0 Issue #22775: Fixed unpickling of http.cookies.SimpleCookie with protocol 2
and above.  Patch by Tim Graham.
2014-11-02 22:18:25 +02:00
Antoine Pitrou 7d0b8f95e7 Lax cookie parsing in http.cookies could be a security issue when combined
with non-standard cookie handling in some Web browsers.

Reported by Sergey Bobrov.
2014-09-17 00:23:55 +02:00
R David Murray cd0f74b1e0 #16611: BaseCookie now parses 'secure' and 'httponly' flags.
Previously it generated them if they were given a value, but completely
ignored them if they were present in the string passed in to be parsed.  Now
if the flag appears on a cookie, the corresponding Morsel key will reference a
True value.  Other pre-existing behavior is retained in this maintenance
patch: if the source contains something like 'secure=foo', morsel['secure']
will return 'foo'.  Since such a value doesn't round trip and never did (and
would be a surprising occurrence) a subsequent non-bug-fix patch may change
this behavior.

Inspired by a patch from Julien Phalip, who reviewed this one.
2013-08-25 11:09:02 -04:00
Senthil Kumaran 0b943a18ef Issue #14426: Correct the Date format in Expires attribute of Set-Cookie. Patch by Federico Reghenzani and Müte Invert 2012-05-20 12:06:51 +08:00
Senthil Kumaran 00c2ec282e Issue #14426: Correct the Date format in Expires attribute of Set-Cookie. Patch by Federico Reghenzani and Müte Invert 2012-05-20 12:05:16 +08:00
Senthil Kumaran 3a441c1bed Fix Issue2193 - Allow ":" character in Cookie NAME values 2012-04-22 09:19:04 +08:00
R. David Murray e05ca2aff4 #9824: encode , and ; in cookie values so that browsers don't split on them
There is a small chance of backward incompatibility here, but only for
non-SimpleCookie applications reading SimpleCookie generated cookies.  Even
then, any such app is likely to be handling escaped values already, and it would
take a fairly perverse implementation of unescaping to fail to unescape these
newly escaped chars, so the risk seems minimal.
2010-12-28 18:54:13 +00:00
Georg Brandl b16e38b825 #8826: the "expires" attribute value is a date string with spaces, but apparently not all user-agents put it in quotes. Handle that as a special case. 2010-08-01 09:06:34 +00:00
Georg Brandl 76e155a157 #3788: more tests for http.cookies, now at 95% coverage. Also bring coding style in the module up to PEP 8, where it does not break backwards compatibility. 2010-07-31 21:04:00 +00:00
Brett Cannon d3791ed450 Fix the warnings filter usage in test_http_cookies. 2010-03-20 21:51:10 +00:00
Senthil Kumaran 3e2ea79bda Fixing the issue4860. Escaping the embedded '"' in the js_output method of Morsel class. 2009-04-02 03:02:03 +00:00
Georg Brandl 6101395e74 Remove deprecated SmartCookie and SerialCookie classes. 2008-05-28 15:56:30 +00:00
Georg Brandl 2442015af2 Create http package. #2883. 2008-05-26 16:32:26 +00:00