[Python-checkins] CVS: python/dist/src/Doc/lib libcookie.tex,1.2,1.3
A.M. Kuchling
python-dev@python.org
Sun, 20 Aug 2000 16:33:52 -0700
Update of /cvsroot/python/python/dist/src/Doc/lib
In directory slayer.i.sourceforge.net:/tmp/cvs-serv7304
Modified Files:
libcookie.tex
Log Message:
Strengthen the warning against using SerialCookie and SmartCookie.
(If they're security holes, should they be documented at all?)
Minor rewrites.
Index: libcookie.tex
===================================================================
RCS file: /cvsroot/python/python/dist/src/Doc/lib/libcookie.tex,v
retrieving revision 1.2
retrieving revision 1.3
diff -C2 -r1.2 -r1.3
*** libcookie.tex 2000/08/19 16:54:57 1.2
--- libcookie.tex 2000/08/20 23:33:50 1.3
***************
*** 9,16 ****
The \module{Cookie} module defines classes for abstracting the concept of
! Cookies, an HTTP state management mechanism. It supports both simplistic
string-only cookies, and provides an abstraction for having any serializable
data-type as cookie value.
\begin{excdesc}{CookieError}
--- 9,20 ----
The \module{Cookie} module defines classes for abstracting the concept of
! cookies, an HTTP state management mechanism. It supports both simplistic
string-only cookies, and provides an abstraction for having any serializable
data-type as cookie value.
+ The module formerly strictly applied the parsing rules described in in
+ the \rfc{2109} and \rfc{2068} specifications. It has since been discovered
+ that MSIE 3.0x doesn't follow the character rules outlined in those
+ specs. As a result, the parsing rules used are a bit less strict.
\begin{excdesc}{CookieError}
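Review bot: the new paragraph has a doubled word, "described in in the \rfc{2109} and \rfc{2068} specifications"; drop one "in". Otherwise the rewrite reads well, and moving this text above the exception description in a neutral voice is an improvement over the first-person paragraph it replaces.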
***************
*** 19,28 ****
\end{excdesc}
-
- This used to be strict parsing based on the \rfc{2109} and \rfc{2068}
- specifications. I have since discovered that MSIE 3.0x doesn't
- follow the character rules outlined in those specs. As a
- result, the parsing rules here are less strict.
-
\begin{classdesc}{BaseCookie}{\optional{input}}
This class is a dictionary-like object whose keys are strings and
--- 23,26 ----
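Review bot: both blank lines around the removed paragraph are deleted as well, so `\end{excdesc}` now sits directly against `\begin{classdesc}{BaseCookie}{\optional{input}}`; keep one blank line between the two environments so the source stays readable (the typeset output is unaffected either way).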
***************
*** 42,47 ****
This class derives from \class{BaseCookie} and overrides \method{value_decode}
and \method{value_encode} to be the \function{pickle.loads()} and
! \function{pickle.dumps}. Note that using this class is a security hole,
! as arbitrary client-code can be run on \function{pickle.loads()}.
\end{classdesc}
--- 40,50 ----
This class derives from \class{BaseCookie} and overrides \method{value_decode}
and \method{value_encode} to be the \function{pickle.loads()} and
! \function{pickle.dumps}.
!
! Do not use this class. Reading pickled values from a cookie is a
! security hole, as arbitrary client-code can be run on
! \function{pickle.loads()}. It is supported for backwards
! compatibility.
!
\end{classdesc}
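Review bot: the warning is stronger, but "arbitrary client-code can be run on \function{pickle.loads()}" still misstates who is at risk; the pickled data is supplied by the client and executed on the server when the cookie value is unpickled, so say that directly, e.g. "a client can send a cookie value that runs arbitrary code on the server when it is unpickled". Two smaller points: `\function{pickle.dumps}` has no parentheses while `\function{pickle.loads()}` keeps them, so make the two consistent, and the log message says the warning is strengthened for both SerialCookie and SmartCookie while only this classdesc changes in the visible diff, so SmartCookie's description needs the same note if it was not updated elsewhere. Pointing readers to the string-only cookie class as the supported alternative would also help, since "supported for backwards compatibility" otherwise leaves them without one.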