
Commit 120beb6

Strengthen the warning against using SerialCookie and SmartCookie.
(If they're security holes, should they be documented at all?) Minor rewrites.
1 parent 6aa92c5 commit 120beb6

1 file changed

Lines changed: 12 additions & 9 deletions

File tree

Doc/lib/libcookie.tex

Original file line number | Diff line number | Diff line change
@@ -8,22 +8,20 @@ \section{\module{Cookie} ---
88

99

1010
The \module{Cookie} module defines classes for abstracting the concept of
11-
Cookies, an HTTP state management mechanism. It supports both simplistic
11+
cookies, an HTTP state management mechanism. It supports both simplistic
1212
string-only cookies, and provides an abstraction for having any serializable
1313
data-type as cookie value.
1414

15+
The module formerly strictly applied the parsing rules described in in
16+
the \rfc{2109} and \rfc{2068} specifications. It has since been discovered
17+
that MSIE 3.0x doesn't follow the character rules outlined in those
18+
specs. As a result, the parsing rules used are a bit less strict.
1519

1620
\begin{excdesc}{CookieError}
1721
Exception failing because of \rfc{2109} invalidity: incorrect
1822
attributes, incorrect \code{Set-Cookie} header, etc.
1923
\end{excdesc}
2024

21-
22-
This used to be strict parsing based on the \rfc{2109} and \rfc{2068}
23-
specifications. I have since discovered that MSIE 3.0x doesn't
24-
follow the character rules outlined in those specs. As a
25-
result, the parsing rules here are less strict.
26-
2725
\begin{classdesc}{BaseCookie}{\optional{input}}
2826
This class is a dictionary-like object whose keys are strings and
2927
whose values are \class{Morsel}s. Note that upon setting a key to
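Review bot: the new line 15 has a duplicated word, "described in in the \rfc{2109} and \rfc{2068} specifications"; drop one "in". Moving the MSIE 3.0x remark out of the first-person note that followed the \code{CookieError} description and into the module introduction is otherwise an improvement, since it now describes the module's behaviour rather than the author's discovery.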
@@ -41,8 +39,13 @@ \section{\module{Cookie} ---
4139
\begin{classdesc}{SerialCookie}{\optional{input}}
4240
This class derives from \class{BaseCookie} and overrides \method{value_decode}
4341
and \method{value_encode} to be the \function{pickle.loads()} and
44-
\function{pickle.dumps}. Note that using this class is a security hole,
45-
as arbitrary client-code can be run on \function{pickle.loads()}.
42+
\function{pickle.dumps}.
43+
44+
Do not use this class. Reading pickled values from a cookie is a
45+
security hole, as arbitrary client-code can be run on
46+
\function{pickle.loads()}. It is supported for backwards
47+
compatibility.
48+
4649
\end{classdesc}
4750

4851
\begin{classdesc}{SmartCookie}{\optional{input}}
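Review bot: the new warning on lines 44-47 is stronger but still understates where the risk lands; "arbitrary client-code can be run on \function{pickle.loads()}" reads as if the client runs the code, whereas it is the server that executes whatever the cookie's sender chose when it unpickles the value. Suggest wording along the lines of "a client can supply a cookie value that executes arbitrary code on the server when it is unpickled", and pointing the reader at the string-only cookie class the introduction mentions as the alternative. Also, line 42 writes \function{pickle.dumps} without the parentheses used for \function{pickle.loads()} on line 46; make the two consistent.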
