[Python-checkins] CVS: python/dist/src/Doc/lib libcookie.tex,1.2,1.3

A.M. Kuchling python-dev@python.org
Sun, 20 Aug 2000 16:33:52 -0700


Update of /cvsroot/python/python/dist/src/Doc/lib
In directory slayer.i.sourceforge.net:/tmp/cvs-serv7304

Modified Files:
	libcookie.tex 
Log Message:
Strengthen the warning against using SerialCookie and SmartCookie.
    (If they're security holes, should they be documented at all?)
Minor rewrites.


Index: libcookie.tex
===================================================================
RCS file: /cvsroot/python/python/dist/src/Doc/lib/libcookie.tex,v
retrieving revision 1.2
retrieving revision 1.3
diff -C2 -r1.2 -r1.3
*** libcookie.tex	2000/08/19 16:54:57	1.2
--- libcookie.tex	2000/08/20 23:33:50	1.3
***************
*** 9,16 ****
  
  The \module{Cookie} module defines classes for abstracting the concept of 
! Cookies, an HTTP state management mechanism. It supports both simplistic
  string-only cookies, and provides an abstraction for having any serializable
  data-type as cookie value.
  
  
  \begin{excdesc}{CookieError}
--- 9,20 ----
  
  The \module{Cookie} module defines classes for abstracting the concept of 
! cookies, an HTTP state management mechanism. It supports both simplistic
  string-only cookies, and provides an abstraction for having any serializable
  data-type as cookie value.
  
+ The module formerly strictly applied the parsing rules described in in
+ the \rfc{2109} and \rfc{2068} specifications.  It has since been discovered
+ that MSIE 3.0x doesn't follow the character rules outlined in those
+ specs.  As a result, the parsing rules used are a bit less strict.
  
  \begin{excdesc}{CookieError}
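Review bot: duplicated word in the first added line, "described in in the \rfc{2109} and \rfc{2068} specifications"; drop one "in". Also, "the parsing rules used are a bit less strict" does not tell the reader which rule was relaxed. A cookie parser that now accepts input the RFCs would reject is a security-relevant change, so either name the character rule that was loosened to accommodate MSIE 3.0x or point the reader to where the module defines the accepted character set, so that application authors can decide whether to validate cookie values themselves.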
***************
*** 19,28 ****
  \end{excdesc}
  
- 
- This used to be strict parsing based on the \rfc{2109} and \rfc{2068}
- specifications.  I have since discovered that MSIE 3.0x doesn't
- follow the character rules outlined in those specs.  As a
- result, the parsing rules here are less strict.
- 
  \begin{classdesc}{BaseCookie}{\optional{input}}
  This class is a dictionary-like object whose keys are strings and
--- 23,26 ----
***************
*** 42,47 ****
  This class derives from \class{BaseCookie} and overrides \method{value_decode}
  and \method{value_encode} to be the \function{pickle.loads()} and 
! \function{pickle.dumps}. Note that using this class is a security hole,
! as arbitrary client-code can be run on \function{pickle.loads()}.
  \end{classdesc}
  
--- 40,50 ----
  This class derives from \class{BaseCookie} and overrides \method{value_decode}
  and \method{value_encode} to be the \function{pickle.loads()} and 
! \function{pickle.dumps}.  
! 
! Do not use this class.  Reading pickled values from a cookie is a
! security hole, as arbitrary client-code can be run on
! \function{pickle.loads()}.  It is supported for backwards
! compatibility.
! 
  \end{classdesc}
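Review bot: "arbitrary client-code can be run on \function{pickle.loads()}" understates where the damage lands; the cookie value is client-controlled input and unpickling it executes code of the client's choosing on the server. Suggest: "a client can send a cookie value that runs arbitrary code on the server when it is unpickled." Two smaller points in the same hunk: "\function{pickle.dumps}" should read "\function{pickle.dumps()}" to match "\function{pickle.loads()}" on the line above, and the rewritten lines carry trailing whitespace ("\function{pickle.dumps}.  " and the two "! " blank lines). Finally, the log message says the warning is strengthened for both SerialCookie and SmartCookie, yet this is the only classdesc the diff touches; if SmartCookie's description does not already carry the same "Do not use this class" text, it needs it.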