authorAndrew M. Kuchling <amk@amk.ca>2000-08-20 23:33:50 (GMT)
committerAndrew M. Kuchling <amk@amk.ca>2000-08-20 23:33:50 (GMT)
commit120beb6b6711b824ec637feb53e555e3f3cfb4cf (patch)
tree466187e005b5144b56e0dff446ffd69c32748c94 /Doc/lib
parent6aa92c5093143291c6a6cbbca51019d00bfdf45b (diff)
Strengthen the warning against using SerialCookie and SmartCookie.
(If they're security holes, should they be documented at all?) Minor rewrites.
Diffstat (limited to 'Doc/lib')
-rw-r--r--Doc/lib/libcookie.tex21
1 files changed, 12 insertions, 9 deletions
diff --git a/Doc/lib/libcookie.tex b/Doc/lib/libcookie.tex
index 85de33f..e1bc09a 100644
--- a/Doc/lib/libcookie.tex
+++ b/Doc/lib/libcookie.tex
@@ -8,22 +8,20 @@
The \module{Cookie} module defines classes for abstracting the concept of
-Cookies, an HTTP state management mechanism. It supports both simplistic
+cookies, an HTTP state management mechanism. It supports both simplistic
string-only cookies, and provides an abstraction for having any serializable
data-type as cookie value.
+The module formerly strictly applied the parsing rules described in in
+the \rfc{2109} and \rfc{2068} specifications. It has since been discovered
+that MSIE 3.0x doesn't follow the character rules outlined in those
+specs. As a result, the parsing rules used are a bit less strict.
\begin{excdesc}{CookieError}
Exception failing because of \rfc{2109} invalidity: incorrect
attributes, incorrect \code{Set-Cookie} header, etc.
\end{excdesc}
-
-This used to be strict parsing based on the \rfc{2109} and \rfc{2068}
-specifications. I have since discovered that MSIE 3.0x doesn't
-follow the character rules outlined in those specs. As a
-result, the parsing rules here are less strict.
-
\begin{classdesc}{BaseCookie}{\optional{input}}
This class is a dictionary-like object whose keys are strings and
whose values are \class{Morsel}s. Note that upon setting a key to
@@ -41,8 +39,13 @@ and \method{value_encode} to be the identity and \function{str()} respectively.
\begin{classdesc}{SerialCookie}{\optional{input}}
This class derives from \class{BaseCookie} and overrides \method{value_decode}
and \method{value_encode} to be the \function{pickle.loads()} and
-\function{pickle.dumps}. Note that using this class is a security hole,
-as arbitrary client-code can be run on \function{pickle.loads()}.
+\function{pickle.dumps}.
+
+Do not use this class. Reading pickled values from a cookie is a
+security hole, as arbitrary client-code can be run on
+\function{pickle.loads()}. It is supported for backwards
+compatibility.
+
\end{classdesc}
\begin{classdesc}{SmartCookie}{\optional{input}}