diff options
| author | Antoine Pitrou <solipsis@pitrou.net> | 2014-09-16 22:25:57 (GMT) |
|---|---|---|
| committer | Antoine Pitrou <solipsis@pitrou.net> | 2014-09-16 22:25:57 (GMT) |
| commit | 637e4544afda57d52c81bddba5486bda9574e6b2 (patch) | |
| tree | d0a5479efbccc96fe8d9256b03769c083098db59 /Lib/test/test_http_cookies.py | |
| parent | 8fad1676a215bab3e61dccf0f1802ccb17a43a41 (diff) | |
| parent | 7d0b8f95e7c6cc70c1a636312099773376337d14 (diff) | |
| download | cpython-637e4544afda57d52c81bddba5486bda9574e6b2.zip cpython-637e4544afda57d52c81bddba5486bda9574e6b2.tar.gz cpython-637e4544afda57d52c81bddba5486bda9574e6b2.tar.bz2 | |
Lax cookie parsing in http.cookies could be a security issue when combined
with non-standard cookie handling in some Web browsers.
Reported by Sergey Bobrov.
Diffstat (limited to 'Lib/test/test_http_cookies.py')
| -rw-r--r-- | Lib/test/test_http_cookies.py | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py index 1cfbe74..76e5e9c 100644 --- a/Lib/test/test_http_cookies.py +++ b/Lib/test/test_http_cookies.py @@ -179,6 +179,15 @@ class CookieTests(unittest.TestCase): </script> """) + def test_invalid_cookies(self): + # Accepting these could be a security issue + C = cookies.SimpleCookie() + for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'): + C.load(s) + self.assertEqual(dict(C), {}) + self.assertEqual(C.output(), '') + + class MorselTests(unittest.TestCase): """Tests for the Morsel object.""" |