Lax cookie parsing in http.cookies could be a security issue when combined

with non-standard cookie handling in some Web browsers. Reported by Sergey Bobrov.
author: Antoine Pitrou <solipsis@pitrou.net> 2014-09-16 22:23:55 (GMT)
committer: Antoine Pitrou <solipsis@pitrou.net> 2014-09-16 22:23:55 (GMT)
commit: dad182c16e6c9d10267a659bd376ba3d10affd4f (patch)
tree: c70767003a273334c2c4bc9d4773c2a087beb97a /Misc
parent: 860c367c29eb557930099a7cc7fe297a259275f6 (diff)
download: cpython-dad182c16e6c9d10267a659bd376ba3d10affd4f.zip
cpython-dad182c16e6c9d10267a659bd376ba3d10affd4f.tar.gz
cpython-dad182c16e6c9d10267a659bd376ba3d10affd4f.tar.bz2
2 files changed, 5 insertions, 0 deletions
diff --git a/Misc/ACKS b/Misc/ACKS
index c183dc7..428fd01 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -117,6 +117,7 @@ Martin Bless
 Pablo Bleyer
 Erik van Blokland
 Eric Blossom
+Sergey Bobrov
 Finn Bock
 Paul Boddie
 Matthew Boedicker
diff --git a/Misc/NEWS b/Misc/NEWS
index d8e61c30..398ed29 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -37,6 +37,10 @@ Library
   strings for ``rfc822Name`` (email), ``dNSName`` (DNS) and
   ``uniformResourceIdentifier`` (URI).
 
+- Lax cookie parsing in http.cookies could be a security issue when combined
+  with non-standard cookie handling in some Web browsers.  Reported by
+  Sergey Bobrov.
+
 - Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths
   before checking for a CGI script at that path.
author	Antoine Pitrou <solipsis@pitrou.net>	2014-09-16 22:23:55 (GMT)
committer	Antoine Pitrou <solipsis@pitrou.net>	2014-09-16 22:23:55 (GMT)
commit	dad182c16e6c9d10267a659bd376ba3d10affd4f (patch)
tree	c70767003a273334c2c4bc9d4773c2a087beb97a /Misc
parent	860c367c29eb557930099a7cc7fe297a259275f6 (diff)
download	cpython-dad182c16e6c9d10267a659bd376ba3d10affd4f.zip cpython-dad182c16e6c9d10267a659bd376ba3d10affd4f.tar.gz cpython-dad182c16e6c9d10267a659bd376ba3d10affd4f.tar.bz2