diff options
| author | R. David Murray <rdmurray@bitdance.com> | 2010-12-28 18:54:13 (GMT) |
|---|---|---|
| committer | R. David Murray <rdmurray@bitdance.com> | 2010-12-28 18:54:13 (GMT) |
| commit | e05ca2aff4e7e3da133c2a2410e7d2c9bb3c1d12 (patch) | |
| tree | 5acbe67bba3c5dd2f939c9a45179207f8e903ff2 /Lib/http | |
| parent | 8aa7e999b5ab87cdbefe441649c223647875c110 (diff) | |
| download | cpython-e05ca2aff4e7e3da133c2a2410e7d2c9bb3c1d12.zip cpython-e05ca2aff4e7e3da133c2a2410e7d2c9bb3c1d12.tar.gz cpython-e05ca2aff4e7e3da133c2a2410e7d2c9bb3c1d12.tar.bz2 | |
#9824: encode , and ; in cookie values so that browsers don't split on them
There is a small chance of backward incompatibility here, but only for
non-SimpleCookie applications reading SimpleCookie generated cookies. Even
then, any such ap is likely to be handling escaped values already, and it would
take a fairly perverse implementation of unescaping to fail to unescape these
newly escaped chars, so the risk seems minimal.
Diffstat (limited to 'Lib/http')
| -rw-r--r-- | Lib/http/cookies.py | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py index fb9589c..93da627 100644 --- a/Lib/http/cookies.py +++ b/Lib/http/cookies.py @@ -173,6 +173,11 @@ _Translator = { '\033' : '\\033', '\034' : '\\034', '\035' : '\\035', '\036' : '\\036', '\037' : '\\037', + # Because of the way browsers really handle cookies (as opposed + # to what the RFC says) we also encode , and ; + + ',' : '\\054', ';' : '\\073', + '"' : '\\"', '\\' : '\\\\', '\177' : '\\177', '\200' : '\\200', '\201' : '\\201', |