Issue 4860: js_output wrong for cookies with " characters
Created on 2009-01-06 21:44 by noufal, last changed 2022-04-11 14:56 by admin. This issue is now closed.
Files

| File name | Uploaded | Description |
|---|---|---|
| cookie.patch | noufal, 2009-01-06 21:44 | Patch to fix js_output for cookies with an unquoted " character |
| cookie-2.patch | vstinner, 2009-01-07 09:37 | |
| issue4860.diff | orsenthil, 2009-04-01 23:33 | |
Messages (8)

msg79292 - Author: Noufal (noufal) - Date: 2009-01-06 21:44
If a cookie is created with a " character in the content, the js_output
which is emitted is bad javascript, e.g.

```
>>> import Cookie
>>> c=Cookie.Cookie('Customer="WILE_E_COYOTE"; Version=1; Path=/acme')
>>> print c
Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme; Version=1
>>> print c.js_output()
<script type="text/javascript">
<!-- begin hiding
document.cookie = "Customer="WILE_E_COYOTE"; Path=/acme; Version=1";
// end hiding -->
</script>
>>>
```

Also, the test_cookie tests (test_load) explicitly check for this
(wrong) output.

I have attached a patch that seems to fix this or at the very least
produces the same Cookie settings whether the cookie is set using the
header or using javascript (I've verified this on firefox on Linux).
msg79312 - Author: STINNER Victor (vstinner) - Date: 2009-01-07 09:37

The patch looks correct but it breaks the unit test: updated patch fixes Lib/test/test_cookie.py.
msg79336 - Author: Noufal (noufal) - Date: 2009-01-07 15:18

A lot of the cookie tests need to be updated. A separate bug was filed regarding this: http://bugs.python.org/issue3788. I'm working on that now and will apply your patch there as well.
msg79339 - Author: STINNER Victor (vstinner) - Date: 2009-01-07 15:25

The characters <>& should also be escaped.
msg79909 - Author: Noufal (noufal) - Date: 2009-01-15 18:12

What's wrong with < and >? I can see the issues with ; though.
msg79915 - Author: STINNER Victor (vstinner) - Date: 2009-01-15 19:53

> What's wrong with < and >?

```
>>> c=Cookie.Cookie('Customer="</script>";'); print c.js_output()
<script type="text/javascript">
<!-- begin hiding
document.cookie = "Customer="</script>"";
// end hiding -->
</script>
```

It allows HTML/Javascript injection. Well, Python 2.5 already displays
a warning:

```
/usr/lib/python2.5/Cookie.py:710: DeprecationWarning:
Cookie/SmartCookie class is insecure; do not use it
```

The right fix is maybe to remove the deprecated and insecure function!
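The escaping discussed in msg79339 and msg79915, as an added example that is not part of the issue or of either attached patch: a naive js_output that reproduces the reported behaviour, beside a version that emits a proper JavaScript string literal with `"`, `<`, `>` and `&` escaped. SimpleCookie is the real http.cookies class; naive_js_output, js_string_literal, safe_js_output and render_both are helpers constructed here, and both cookie strings are the ones from the thread.

```python
import json
from http.cookies import SimpleCookie


def naive_js_output(cookie: SimpleCookie) -> str:
    """Reproduce the pre-fix behaviour from the report: the raw Set-Cookie
    text is dropped into a double-quoted JS string with no escaping, so a
    '"' in the value ends the literal early and '</script>' ends the element."""
    lines = ['document.cookie = "%s";' % m.OutputString() for m in cookie.values()]
    return "<script>\n" + "\n".join(lines) + "\n</script>"


def js_string_literal(s: str) -> str:
    """Encode s as a JavaScript string literal that is safe inside <script>.
    json.dumps escapes quotes, backslashes and control characters; the extra
    replacements turn '<', '>' and '&' into unicode escapes so the HTML
    parser (which runs before the JS parser) never sees '</script>' or
    '<!--' inside the literal. This is the '<>&' point raised in msg79339."""
    literal = json.dumps(s)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def safe_js_output(cookie: SimpleCookie) -> str:
    """Same layout as naive_js_output, but each value is a proper literal."""
    lines = ["document.cookie = %s;" % js_string_literal(m.OutputString())
             for m in cookie.values()]
    return "<script>\n" + "\n".join(lines) + "\n</script>"


def render_both(cookie_text: str) -> tuple:
    """Parse Set-Cookie style text and return (naive, safe) script blocks."""
    c = SimpleCookie(cookie_text)
    return naive_js_output(c), safe_js_output(c)


if __name__ == "__main__":
    # Both inputs are the constructed examples quoted in the issue thread.
    for text in ('Customer="WILE_E_COYOTE"; Version=1; Path=/acme',
                 'Customer="</script>"'):
        naive, safe = render_both(text)
        print(naive)  # unbalanced quotes / premature </script>
        print(safe)   # document.cookie = "Customer=\"...\"; ..."
```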
msg85121 - Author: Senthil Kumaran (orsenthil) - Date: 2009-04-01 23:33

Cookie.Cookie is deprecated in Py2k. In Py3k, it is http.cookies.SimpleCookie. The bug was present in Py3k; the attached patch fixes it.
msg85149 - Author: Senthil Kumaran (orsenthil) - Date: 2009-04-02 03:04

Because the SimpleCookie class is still usable (that is, not deprecated), it makes sense to backport to Py2.7. Applied the patches in revisions r71030 and r71029. Thanks.
History

| Date | User | Action | Args |
|---|---|---|---|
| 2022-04-11 14:56:43 | admin | set | github: 49110 |
| 2009-04-02 03:04:54 | orsenthil | set | status: open -> closed; messages: + msg85149 |
| 2009-04-01 23:33:13 | orsenthil | set | files: + issue4860.diff; nosy: + orsenthil; assignee: orsenthil |
| 2009-01-15 19:53:55 | vstinner | set | messages: + msg79915 |
| 2009-01-15 18:12:29 | noufal | set | messages: + msg79909 |
| 2009-01-07 15:25:14 | vstinner | set | messages: + msg79339 |
| 2009-01-07 15:18:14 | noufal | set | messages: + msg79336 |
| 2009-01-07 09:37:19 | vstinner | set | files: + cookie-2.patch; nosy: + vstinner; messages: + msg79312 |
| 2009-01-06 21:44:10 | noufal | create | |
