diff options
author | Antoine Pitrou <solipsis@pitrou.net> | 2014-09-17 00:23:55 +0200 |
---|---|---|
committer | Antoine Pitrou <solipsis@pitrou.net> | 2014-09-17 00:23:55 +0200 |
commit | 63a67c8ba16b229d253b1acb9ae24625c7e60dc2 (patch) | |
tree | d3e132eedea8896cba82876ce06744d723df33dc /Lib/test/test_http_cookies.py | |
parent | c43648c90782d5959d54e6e77eeb0c48ba86fcd6 (diff) | |
download | cpython-63a67c8ba16b229d253b1acb9ae24625c7e60dc2.tar.gz |
Lax cookie parsing in http.cookies could be a security issue when combined
with non-standard cookie handling in some Web browsers.
Reported by Sergey Bobrov.
Diffstat (limited to 'Lib/test/test_http_cookies.py')
-rw-r--r-- | Lib/test/test_http_cookies.py | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py index 1cfbe742e4..76e5e9c4da 100644 --- a/Lib/test/test_http_cookies.py +++ b/Lib/test/test_http_cookies.py @@ -179,6 +179,15 @@ class CookieTests(unittest.TestCase): </script> """) + def test_invalid_cookies(self): + # Accepting these could be a security issue + C = cookies.SimpleCookie() + for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'): + C.load(s) + self.assertEqual(dict(C), {}) + self.assertEqual(C.output(), '') + + class MorselTests(unittest.TestCase): """Tests for the Morsel object.""" |