diff options
| author | fs <devnull@localhost> | 2010-08-22 07:12:41 +0000 |
|---|---|---|
| committer | fs <devnull@localhost> | 2010-08-22 07:12:41 +0000 |
| commit | 2b5614f87515f35c4036afc9199ab88cbaa66c6b (patch) | |
| tree | 9c001bad1be7a1a3a57cc4ea6ea01dea4bf64ebe | |
| parent | 1f3a1ed9b9f4192f6e888a0c484dad8ef764ac0c (diff) | |
| download | cherrypy-2b5614f87515f35c4036afc9199ab88cbaa66c6b.tar.gz | |
Added handling of invalid cookie names by responding with 400 Bad Request (#868, backport of r2175)
| -rw-r--r-- | cherrypy/_cphttptools.py | 6 | ||||
| -rw-r--r-- | cherrypy/test/test_core.py | 4 |
2 files changed, 9 insertions, 1 deletions
diff --git a/cherrypy/_cphttptools.py b/cherrypy/_cphttptools.py index 25553e3b..2cf48ab0 100644 --- a/cherrypy/_cphttptools.py +++ b/cherrypy/_cphttptools.py @@ -200,7 +200,11 @@ class Request(object): # Handle cookies differently because on Konqueror, multiple # cookies come on different lines with the same key if name.title() == 'Cookie': - self.simple_cookie.load(value) + try: + self.simple_cookie.load(value) + except Cookie.CookieError: + msg = "Illegal cookie name %s" % value.split('=')[0] + raise cherrypy.HTTPError(400, msg) # Save original values (in case they get modified by filters) # This feature is deprecated in 2.2 and will be removed in 2.3. diff --git a/cherrypy/test/test_core.py b/cherrypy/test/test_core.py index 74661bb6..bbf0d3d3 100644 --- a/cherrypy/test/test_core.py +++ b/cherrypy/test/test_core.py @@ -894,6 +894,10 @@ class CoreRequestHandlingTest(helper.CPWebCase): ]) self.assertHeader('Set-Cookie', 'First=Dinsdale') self.assertHeader('Set-Cookie', 'Last=Piranha') + + self.getPage("/cookies/single?name=Something-With:Colon", + [('Cookie', 'Something-With:Colon=some-value')]) + self.assertStatus(400) else: self.getPage("/cookies/single?name=First", [('Cookie', 'First=Dinsdale;')]) |