Lax cookie parsing in http.cookies could be a security issue when combined

with non-standard cookie handling in some Web browsers. Reported by Sergey Bobrov.
author: Antoine Pitrou <solipsis@pitrou.net> 2014-09-16 22:23:55 (GMT)
committer: Antoine Pitrou <solipsis@pitrou.net> 2014-09-16 22:23:55 (GMT)
commit: 7d0b8f95e7c6cc70c1a636312099773376337d14 (patch)
tree: e3062b5036879bd2a96db7f5a19b52c15d8033d4 /Misc
parent: 89e186f24ea6c10c39e90eb153bf714934be4e62 (diff)
download: cpython-7d0b8f95e7c6cc70c1a636312099773376337d14.zip
cpython-7d0b8f95e7c6cc70c1a636312099773376337d14.tar.gz
cpython-7d0b8f95e7c6cc70c1a636312099773376337d14.tar.bz2
2 files changed, 5 insertions, 0 deletions
diff --git a/Misc/ACKS b/Misc/ACKS
index eeefc81..d1ebba7 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -131,6 +131,7 @@ Martin Bless
 Pablo Bleyer
 Erik van Blokland
 Eric Blossom
+Sergey Bobrov
 Finn Bock
 Paul Boddie
 Matthew Boedicker
diff --git a/Misc/NEWS b/Misc/NEWS
index 1b72607..1f389f8 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,10 @@ Core and Builtins
 Library
 -------
 
+- Lax cookie parsing in http.cookies could be a security issue when combined
+  with non-standard cookie handling in some Web browsers.  Reported by
+  Sergey Bobrov.
+
 - Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths
   before checking for a CGI script at that path.
author	Antoine Pitrou <solipsis@pitrou.net>	2014-09-16 22:23:55 (GMT)
committer	Antoine Pitrou <solipsis@pitrou.net>	2014-09-16 22:23:55 (GMT)
commit	7d0b8f95e7c6cc70c1a636312099773376337d14 (patch)
tree	e3062b5036879bd2a96db7f5a19b52c15d8033d4 /Misc
parent	89e186f24ea6c10c39e90eb153bf714934be4e62 (diff)
download	cpython-7d0b8f95e7c6cc70c1a636312099773376337d14.zip cpython-7d0b8f95e7c6cc70c1a636312099773376337d14.tar.gz cpython-7d0b8f95e7c6cc70c1a636312099773376337d14.tar.bz2