Message 230645 - Python tracker

Message230645

Author	georg.brandl
Recipients	Arfrever, Tim.Graham, berker.peksag, georg.brandl, pitrou, r.david.murray
Date	2014-11-04.17:38:58
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1415122738.96.0.735349785424.issue22796@psf.upfronthosting.co.za>
In-reply-to

Content
Well, with this change you can again (e.g.) pass "Set-cookie: foo=bar" which isn't a valid cookie. It doesn't reintroduce the same vulnerability, but it will still silently consume invalid cookies (i.e. such with attribute-like tokens upfront) and return a seemingly valid one. IMO this is questionable behavior of the kind that can enable exploits, which is also why it was disallowed by the fix of the first vulnerability.

Content

Well, with this change you can again (e.g.) pass

"Set-cookie: foo=bar"

which isn't a valid cookie.  It doesn't reintroduce the same vulnerability, but it will still silently consume invalid cookies (i.e. such with attribute-like tokens upfront) and return a seemingly valid one.

IMO this is questionable behavior of the kind that can enable exploits, which is also why it was disallowed by the fix of the first vulnerability.

History
Date	User	Action	Args
2014-11-04 17:38:58	georg.brandl	set	recipients: + georg.brandl, pitrou, Arfrever, r.david.murray, berker.peksag, Tim.Graham
2014-11-04 17:38:58	georg.brandl	set	messageid: <1415122738.96.0.735349785424.issue22796@psf.upfronthosting.co.za>
2014-11-04 17:38:58	georg.brandl	link	issue22796 messages
2014-11-04 17:38:58	georg.brandl	create