Message 79915 - Python tracker

Message79915

Author	vstinner
Recipients	noufal, vstinner
Date	2009-01-15.19:53:55
SpamBayes Score	0.0077512963
Marked as misclassified	No
Message-id	<1232049236.59.0.0738130759742.issue4860@psf.upfronthosting.co.za>
In-reply-to

Content
> What's wrong with < and >? >>> c=Cookie.Cookie('Customer="</script>";'); print c.js_output() <script type="text/javascript"> <!-- begin hiding document.cookie = "Customer="</script>""; // end hiding --> </script> It allows HTML/Javascript injection. Well, Python 2.5 already displays a warning: /usr/lib/python2.5/Cookie.py:710: DeprecationWarning: Cookie/SmartCookie class is insecure; do not use it The right fix is maybe to remove deprecated and unsecure function!

Content

> What's wrong with < and >?

>>> c=Cookie.Cookie('Customer="</script>";'); print c.js_output()

        <script type="text/javascript">
        <!-- begin hiding
        document.cookie = "Customer="</script>"";
        // end hiding -->
        </script>

It allows HTML/Javascript injection. Well, Python 2.5 already displays 
a warning:

/usr/lib/python2.5/Cookie.py:710: DeprecationWarning: 
Cookie/SmartCookie class is insecure; do not use it

The right fix is maybe to remove deprecated and unsecure function!

History
Date	User	Action	Args
2009-01-15 19:53:56	vstinner	set	recipients: + vstinner, noufal
2009-01-15 19:53:56	vstinner	set	messageid: <1232049236.59.0.0738130759742.issue4860@psf.upfronthosting.co.za>
2009-01-15 19:53:55	vstinner	link	issue4860 messages
2009-01-15 19:53:55	vstinner	create