Lax cookie parsing in http.cookies could be a security issue when

combined with non-standard cookie handling in some Web browsers. Reported by Sergey Bobrov.
author: Guido van Rossum <guido@python.org> 2014-09-16 22:45:36 (GMT)
committer: Guido van Rossum <guido@python.org> 2014-09-16 22:45:36 (GMT)
commit: c9cdd0ccadfaaac177ab7a866b979db3b073f660 (patch)
tree: 00d7284e501ec1c19e471bb15348e6d0ff035ae9 /Misc
parent: 038fac67c02d85df2d34f1092a51db31f758bb63 (diff)
download: cpython-c9cdd0ccadfaaac177ab7a866b979db3b073f660.zip
cpython-c9cdd0ccadfaaac177ab7a866b979db3b073f660.tar.gz
cpython-c9cdd0ccadfaaac177ab7a866b979db3b073f660.tar.bz2
2 files changed, 4 insertions, 0 deletions
diff --git a/Misc/ACKS b/Misc/ACKS
index f9a4426..1ca0479 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -136,6 +136,7 @@ Martin Bless
 Pablo Bleyer
 Erik van Blokland
 Eric Blossom
+Sergey Bobrov
 Finn Bock
 Paul Boddie
 Matthew Boedicker
diff --git a/Misc/NEWS b/Misc/NEWS
index e5f8f76..2907c1c 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -21,6 +21,9 @@ Core and Builtins
 
 Library
 -------
+- Lax cookie parsing in http.cookies could be a security issue when combined
+  with non-standard cookie handling in some Web browsers.  Reported by
+  Sergey Bobrov.
 
 - Issue #21147: sqlite3 now raises an exception if the request contains a null
   character instead of truncate it.  Based on patch by Victor Stinner.
author	Guido van Rossum <guido@python.org>	2014-09-16 22:45:36 (GMT)
committer	Guido van Rossum <guido@python.org>	2014-09-16 22:45:36 (GMT)
commit	c9cdd0ccadfaaac177ab7a866b979db3b073f660 (patch)
tree	00d7284e501ec1c19e471bb15348e6d0ff035ae9 /Misc
parent	038fac67c02d85df2d34f1092a51db31f758bb63 (diff)
download	cpython-c9cdd0ccadfaaac177ab7a866b979db3b073f660.zip cpython-c9cdd0ccadfaaac177ab7a866b979db3b073f660.tar.gz cpython-c9cdd0ccadfaaac177ab7a866b979db3b073f660.tar.bz2