[issue22796] Support for httponly/secure cookies reintroduced lax parsing behavior
Tim Graham
report at bugs.python.org
Tue Nov 4 17:47:43 CET 2014
New submission from Tim Graham:
As noted in the comments of #22758 by Georg Brandl:
* Django uses __init__(str()) roundtripping, which is not explicitly supported by the library, and worked by accident with previous versions. That it works again with 3.3+ is another accident, and a bug.
(The change for #16611 reintroduces "lax" parsing behavior that the security fix [1] was supposed to prevent.)
[1] https://hg.python.org/cpython/rev/d3663a0f97ed
----------
components: Library (Lib)
messages: 230637
nosy: Tim.Graham, berker.peksag, georg.brandl, pitrou, r.david.murray
priority: normal
severity: normal
status: open
title: Support for httponly/secure cookies reintroduced lax parsing behavior
type: security
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue22796>
_______________________________________