Subject: python-cherrypy: Error 500 on invalid cookies
Package: python-cherrypy
Version: Return error 500 on bad cookies
Severity: normal
Tags: patch

ii python-cherrypy 2.3.0-1

When the browser sends an invalid cookie (with a colon ":"), cherrypy returns the error "500 Internal Server Error" and saves the stack in the logs.

Upstream bug: http://www.cherrypy.org/ticket/868

The upstream bug is about a new version of CherryPy; however, version 2.3.0 is used by Debian. The attached patch applies to the Debian version. It just ignores invalid cookies.

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

--- ./cherrypy/_cphttptools.py.vanilla 2009-02-03 14:04:42.000000000 +0200 +++ ./cherrypy/_cphttptools.py 2009-02-03 16:20:13.000000000 +0200 @@ -200,7 +200,16 @@ class Request(object): # Handle cookies differently because on Konqueror, multiple # cookies come on different lines with the same key if name.title() == 'Cookie': - self.simple_cookie.load(value) + # Cookies with a colon (":") are invalid according to rfc2965 + # and rfc2068. However if the browser send such a cookie, we + # want to ignore it and continue instead of returning an + # "500 Internal Server Error" error. More infos on: + # http://www.cherrypy.org/ticket/868 + try: + self.simple_cookie.load(value) + except Cookie.CookieError, e: + cherrypy.log("Unable to load user's cookie. Cookie ignored.") + # Save original values (in case they get modified by filters) # This feature is deprecated in 2.2 and will be removed in 2.3.
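
Review bot: In the new `except Cookie.CookieError, e:` branch, `e` is bound but never used, and the fixed string passed to `cherrypy.log` does not say what was rejected, so the log cannot distinguish a misbehaving browser from a client deliberately sending malformed cookies. Include the exception in the entry, formatted with `%r` so that the client-supplied key it quotes cannot write raw control characters into the log. Also note that the `try` wraps `self.simple_cookie.load(value)` for the whole Cookie header value: when it raises, any cookies in that header that were not yet parsed are ignored together with the invalid one, which can show up as a lost session; the comment should say so. Minor wording in the added comment: "send" should be "sends" and "More infos on" should be "More information at".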