Changes by Tim Pierce twpie...@gmail.com:
--
nosy: +Tim Pierce
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue22931
___
___
Python-bugs-list
Roundup Robot added the comment:
New changeset 710cdba13323 by Benjamin Peterson in branch '3.2':
allow square brackets in cookie values (closes #22931)
https://hg.python.org/cpython/rev/710cdba13323
New changeset c7b3a50a2f01 by Benjamin Peterson in branch '3.3':
merge 3.2 (#22931)
Demian Brecht added the comment:
This needs a review from the people who created and applied the security
patch.
+ Guido (committed https://hg.python.org/cpython/rev/9e765e65e5cb)
--
nosy: +gvanrossum
R. David Murray added the comment:
> This needs a review from the people who created and applied the security patch.
Demian, did you add them to nosy already?
Since this is a regression I'm going to mark it as a release blocker so
Benjamin can decide whether or not it is important enough to go
Tim Pierce added the comment:
Adding Python 2.7 to the affected versions (from #23341 which was closed as a
duplicate of this bug). We are very interested to know whether this will be
fixed in a Python 2.7 patch as well.
--
nosy: +twpierce
versions: +Python 2.7
Changes by Demian Brecht demianbre...@gmail.com:
--
stage: patch review -> commit review
Changes by Demian Brecht demianbre...@gmail.com:
Added file: http://bugs.python.org/file38773/issue22931_2.patch
Tim Graham added the comment:
Will this regression be fixed in Python 2.7, 3.2, and 3.3? If not, Django may
need to vendor Python's cookie class to work around this bug, to prevent users
from losing sessions and/or being unable to log in to Django-powered sites as
reported in
Demian Brecht added the comment:
As I understand it, the change should also be applied to security releases,
as the regression was manifested by a security-related patch being applied.
That said, there may be some debate as there apparently isn't much (if
anything) in the way of precedent here.
Changes by Tim Graham timogra...@gmail.com:
--
nosy: +Tim.Graham
Changes by Demian Brecht demianbre...@gmail.com:
Removed file: http://bugs.python.org/file38522/issue22931_1.patch
Demian Brecht added the comment:
Thanks for the report, Mark. Updating this patch to be more backwards compatible
was on my to-do list. I've attached a new patch that simply adds the new
characters to the legal value set.
It does look like that's the commit that introduced this issue, but the
Changes by Demian Brecht demianbre...@gmail.com:
Added file: http://bugs.python.org/file38525/issue22931_1.patch
Mark Hughes added the comment:
This is also an issue with Python 2.7.9 but not 2.7.8. There were various
cookie-related fixes in 2.7.9 which could have revealed this issue. Maybe this
one?
https://hg.python.org/cpython/rev/9e765e65e5cb
--
nosy: +Mark Hughes
Mark Hughes added the comment:
We experimented with a version of the patch for 2.7.9.
One issue we immediately noticed is that, even though disallowed by the spec, the
use of commas in cookie values is widespread, so we needed to add \, to the
_LEGAL_VALUES_PATT.
--
Changes by Berker Peksag berker.pek...@gmail.com:
--
nosy: +berker.peksag
stage: -> patch review
versions: -Python 3.3, Python 3.6
Changes by Dan LaMotte lamott...@gmail.com:
--
nosy: +dlamotte
Demian Brecht added the comment:
Ping for review/commit.
--
Waldemar Parzonka added the comment:
Thanks for taking a look into that.
And yes, the behaviour when an invalid value is encountered is a bit weird, as the
rest of the cookie is being silently ignored, which is probably less than ideal
in most cases.
Just wonder if there is any easy way of making
Demian Brecht added the comment:
I do think it should be a little more permissive when parsing cookies. I've
created #22983 to address that, so as not to conflate this issue, which the
attached patch does address.
--
Demian Brecht added the comment:
Err, sorry, I entirely misunderstood the problem. The invalid characters are
correct ([ = 5B, which indeed is illegal, I wasn't paying close enough
attention to the hex values in the ABNF). It's the fact that the valid
key/value pairs after the invalid one are
Demian Brecht added the comment:
Now I've confused myself, and my first impression was correct. For some reason,
my brain was thinking %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E was the
exclusion list (which is obviously horribly wrong).
So my first observation was correct in
Demian Brecht added the comment:
Attached patch to fix the issue as reported.
Something interesting that came out of this though is that due to the regex
expression, if there's an invalid character in one of the cookie-octets, the
rest of the cookie is ignored. I would assume that it should
Changes by Demian Brecht demianbre...@gmail.com:
--
nosy: +demian.brecht
Demian Brecht added the comment:
There could be some history behind this that I'm unaware of that I'm not
familiar with.
From what I can tell, this issue is simply due to the [ character not being
in _LegalCharsPatt (http/cookies.py). _LegalCharsPatt actually seems quite a
bit more
New submission from Waldemar Parzonka:
There seems to be weird behaviour in BaseCookie.load() when a cookie that has '['
in one of the values is being loaded.
There is no exception being thrown, as the key is still legal, but the cookie is
not getting loaded properly and everything that was after
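The behaviour this report, Demian's comments on the RFC 6265 cookie-octet grammar and Mark Hughes's note about commas describe, worked through as an added Python example. This is not code from the report, from the attached patches, or from CPython's http/cookies.py: the small parser, the NO_BRACKET stand-in for a legal-value set that lacks '[' and ']', the comma-tolerant variant and the sample Cookie header are all constructed for illustration. The only real library call is the stdlib SimpleCookie, which on current Python (after this fix) accepts the brackets.

```python
import re
from http.cookies import SimpleCookie

# RFC 6265 cookie-octet, as quoted in the thread:
#   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
# That is printable US-ASCII minus CTLs, whitespace, DQUOTE (0x22),
# comma (0x2C), semicolon (0x3B) and backslash (0x5C). Both '[' (0x5B)
# and ']' (0x5D) fall inside the allowed ranges, which is the point of the bug.
_RFC6265_OCTETS = r"\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e"
# cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
RFC6265_VALUE = re.compile(
    r'^(?:[%s]*|"[%s]*")$' % (_RFC6265_OCTETS, _RFC6265_OCTETS))

# Constructed stand-in for a legal-value set that lacks the brackets. It is
# NOT Python's real _LegalCharsPatt; it only reproduces the one property that
# matters for the symptom: 0x5B '[' and 0x5D ']' are treated as illegal.
_NO_BRACKET_OCTETS = r"\x21\x23-\x2b\x2d-\x3a\x3c-\x5a\x5e-\x7e"
NO_BRACKET_VALUE = re.compile(r"^[%s]*$" % _NO_BRACKET_OCTETS)


def rfc6265_value_ok(value):
    """True if value is a syntactically valid RFC 6265 cookie-value."""
    return RFC6265_VALUE.match(value) is not None


def no_bracket_value_ok(value):
    """Same check with '[' and ']' rejected (the pre-fix behaviour)."""
    return NO_BRACKET_VALUE.match(value) is not None


def comma_tolerant_value_ok(value):
    """RFC 6265 plus a bare comma: the practical relaxation Mark Hughes
    describes (commas are disallowed by the spec but common in the wild)."""
    return rfc6265_value_ok(value.replace(",", ""))


def parse_cookie_header(header, value_ok=rfc6265_value_ok, on_invalid="stop"):
    """Parse a 'name=value; name2=value2' Cookie header into a dict.

    on_invalid controls what happens at a pair whose value fails value_ok:
      "stop"  - drop that pair and everything after it (the silent truncation
                the report describes for BaseCookie.load()),
      "skip"  - drop only the offending pair and keep going,
      "raise" - reject the whole header with ValueError.
    The header is split on ';' first, so a ';' can never reach value_ok.
    """
    if on_invalid not in ("stop", "skip", "raise"):
        raise ValueError("on_invalid must be 'stop', 'skip' or 'raise'")
    result = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not name or not value_ok(value):
            if on_invalid == "stop":
                break
            if on_invalid == "raise":
                raise ValueError("invalid cookie pair: %r" % part)
            continue  # "skip": keep parsing the remaining pairs
        result[name] = value
    return result


def demo():
    """Run the parser over a constructed header with a bracketed value."""
    header = "sessionid=abc123; prefs=x[y]; csrftoken=zzz"  # constructed sample
    stdlib = SimpleCookie(header)
    return {
        # brackets treated as illegal + stop: csrftoken is silently lost
        "truncated": parse_cookie_header(header, no_bracket_value_ok, "stop"),
        # brackets treated as illegal + skip: only prefs is lost
        "skipped": parse_cookie_header(header, no_bracket_value_ok, "skip"),
        # RFC 6265 grammar: all three pairs survive
        "rfc6265": parse_cookie_header(header, rfc6265_value_ok, "stop"),
        # current http.cookies (post-fix) also keeps all three
        "stdlib": {k: m.value for k, m in stdlib.items()},
    }


if __name__ == "__main__":
    for label, parsed in demo().items():
        print("%-10s %s" % (label, parsed))
```

The "truncated" result is the symptom the report describes: a single bracketed value costs the application every cookie that follows it, so a session or CSRF cookie can vanish without any error being raised. Whether a real parser should skip the bad pair or reject the whole header is a policy choice; what it should not do is drop trailing pairs silently.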
Changes by R. David Murray rdmur...@bitdance.com:
--
nosy: +r.david.murray