[issue24363] httplib fails to handle semivalid HTTP headers

Cory Benfield report at bugs.python.org
Wed Jun 3 10:21:34 CEST 2015


Cory Benfield added the comment:

> It is obvious that this case could be treated as a folded (continuation) line. But in general I think it would be better to ignore the erroneous line, or to record it as a defect so that the server module or other user can check it.

Just to clarify, in an instance very similar to this one this would be *terrible* advice. The token that would be lost here is the 'Secure' field on the cookie, which is an extremely important token to have: if we don't correctly parse it, we run the risk of sending the cookie on plaintext connections.

Discarding data is the problem, and while discarding *less* data is an improvement, it would be good if we could resolve this problem in such a way that we'd have correctly parsed this header.

Generally speaking, if we treat these as continuation lines I think we have the best chance of making a useful header out of this mess.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue24363>
_______________________________________
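
Added example, not part of the original message and not httplib's own code: a small parser run over a constructed header block, comparing the three ways of handling a malformed line that the message discusses (discard it, record it as a defect, treat it as a continuation) and checking whether the cookie's Secure attribute survives each one. The shape of the malformed line (no colon, no leading whitespace) and the names parse_headers and cookie_is_secure are assumptions made for illustration.

```python
# Constructed sample input: the "Secure" token has ended up on its own line,
# with no colon and no leading whitespace, so it is not a valid folded line.
RAW = (
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly;\r\n"
    "Secure\r\n"
    "Content-Length: 0\r\n"
)

def parse_headers(raw, on_bad_line):
    """Parse header lines; on_bad_line is 'discard', 'defect' or 'continue'.

    Hypothetical helper. Returns (headers, defects): a list of (name, value)
    pairs and the list of lines that were recorded as defects.
    """
    headers, defects = [], []
    for line in raw.split("\r\n"):
        if not line:
            continue
        is_fold = line[0] in " \t"
        if ":" in line and not is_fold:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
        elif headers and (is_fold or on_bad_line == "continue"):
            # Proper folded line, or a malformed line treated as one:
            # append it to the value of the previous header.
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif on_bad_line == "defect":
            defects.append(line)  # kept for the caller, but not in any header
        # 'discard': the line is dropped silently
    return headers, defects

def cookie_is_secure(headers):
    """True if any Set-Cookie header carries the Secure attribute."""
    for name, value in headers:
        if name.lower() == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" in attrs:
                return True
    return False

def compare():
    """Map each strategy to whether the parsed cookie is still marked Secure."""
    return {s: cookie_is_secure(parse_headers(RAW, s)[0])
            for s in ("discard", "defect", "continue")}

if __name__ == "__main__":
    for strategy, secure in compare().items():
        print(f"{strategy:9s} Secure attribute kept: {secure}")
```

With the defect strategy the token is still available in the defects list, but the cookie itself parses as non-Secure unless the caller goes back and reattaches it.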

