diff options
author | Guido van Rossum <guido@python.org> | 2014-09-16 22:45:36 (GMT) |
---|---|---|
committer | Guido van Rossum <guido@python.org> | 2014-09-16 22:45:36 (GMT) |
commit | c9cdd0ccadfaaac177ab7a866b979db3b073f660 (patch) | |
tree | 00d7284e501ec1c19e471bb15348e6d0ff035ae9 /Lib/test/test_cookie.py | |
parent | 038fac67c02d85df2d34f1092a51db31f758bb63 (diff) | |
download | cpython-c9cdd0ccadfaaac177ab7a866b979db3b073f660.zip cpython-c9cdd0ccadfaaac177ab7a866b979db3b073f660.tar.gz cpython-c9cdd0ccadfaaac177ab7a866b979db3b073f660.tar.bz2 |
Lax cookie parsing in http.cookies could be a security issue when
combined with non-standard cookie handling in some Web browsers.
Reported by Sergey Bobrov.
Diffstat (limited to 'Lib/test/test_cookie.py')
-rw-r--r-- | Lib/test/test_cookie.py | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/Lib/test/test_cookie.py b/Lib/test/test_cookie.py index 5370a8d..41ba60f 100644 --- a/Lib/test/test_cookie.py +++ b/Lib/test/test_cookie.py @@ -133,6 +133,15 @@ class CookieTests(unittest.TestCase): self.assertEqual(C['Customer']['version'], '1') self.assertEqual(C['Customer']['path'], '/acme') + def test_invalid_cookies(self): + # Accepting these could be a security issue + C = Cookie.SimpleCookie() + for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'): + C.load(s) + self.assertEqual(dict(C), {}) + self.assertEqual(C.output(), '') + + def test_main(): run_unittest(CookieTests) if Cookie.__doc__ is not None: |