Hi guys,
We just ran into an exception caused by the Cookie.py library's handling of
invalid keys in the HTTP_COOKIE header. If you have a key of say "///"
(slash is an illegal char), the cookie library simply raises a CookieError
and bombs out.
I'm not sure why this is default behaviour. Surely it should still return
the individual key=value pairs that *were* valid. What's the best way to get
around this?
My hack-patch was to move the cookie.load() call into the try/except in the
webapi.cookies() function, and catch CookieError as well as KeyError. Then
it'll call badrequest() -- instead of raising an uncaught exception -- if
the user gives us any illegal cookies.
But what's the better way of fixing this? The first solution that comes to
mind is subclassing SimpleCookie and having webapi.cookies() use this
"SafeCookie" subclass instead. The SafeCookie overrides the __set method
with a try/except wrapper, doing nothing on invalid keys, but still setting
valid ones. Basically it's catching the CookieError at the "right" level.
Untested code snippet:
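
    import Cookie

    class SafeCookie(Cookie.SimpleCookie):
        # BaseCookie's private __set is name-mangled to _BaseCookie__set,
        # so that is the name a subclass has to override and call.
        def _BaseCookie__set(self, key, real_value, coded_value):
            try:
                Cookie.SimpleCookie._BaseCookie__set(self, key, real_value, coded_value)
            except Cookie.CookieError:
                # don't set if key was reserved or illegal
                pass
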
But overriding this private __set method seems icky. Is there a better way?
(Apart from writing our own HTTP_COOKIE parser, which wouldn't be hard, but
seems like a bad idea.)
-Ben
--
Ben Hoyt, +64 21 331 841
http://www.benhoyt.com/
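
One way to catch CookieError per pair without touching the private __set method, as an added example that is not part of the original post or of web.py. It assumes Python 3's http.cookies (the successor of the Cookie module discussed above); split_pairs and parse_cookie_header are hypothetical helper names.

```python
from http.cookies import SimpleCookie, CookieError


def split_pairs(header):
    """Split a Cookie header on ';' while leaving quoted values intact."""
    pairs, buf, in_quotes, escaped = [], [], False, False
    for ch in header:
        if escaped:
            escaped = False
        elif ch == "\\" and in_quotes:
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            pairs.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    pairs.append("".join(buf).strip())
    return [p for p in pairs if p]


def parse_cookie_header(header):
    """Return (cookies, rejected): valid name -> value, plus skipped pairs.

    Hypothetical helper: each pair is loaded into its own SimpleCookie so
    one illegal key cannot abort parsing of the rest of the header.
    """
    cookies, rejected = {}, []
    for pair in split_pairs(header):
        jar = SimpleCookie()
        try:
            jar.load(pair)
        except CookieError:
            rejected.append(pair)  # illegal or reserved key
            continue
        if not jar:
            rejected.append(pair)  # parser matched nothing usable
            continue
        for name, morsel in jar.items():
            cookies[name] = morsel.value
    return cookies, rejected


# Constructed sample header: one illegal key between two valid cookies.
SAMPLE = 'session=abc123; ///=oops; theme="dark; compact"'

if __name__ == "__main__":
    print(parse_cookie_header(SAMPLE))
```

The rejected list can be logged so malformed client input is visible without turning into an uncaught exception.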