[issue22796] Support for httponly/secure cookies reintroduced lax parsing behavior

2014-11-20 Thread Roundup Robot
Roundup Robot added the comment:
New changeset a065ab1c67a8 by Antoine Pitrou in branch 'default':
Issue #22796: HTTP cookie parsing is now stricter, in order to protect against potential injection attacks.
https://hg.python.org/cpython/rev/a065ab1c67a8
--
nosy: +python-dev

2014-11-20 Thread Antoine Pitrou
Antoine Pitrou added the comment:
Thank you, I've committed the patch to 3.5 now.
--
resolution: -> fixed
stage: commit review -> resolved
status: open -> closed

2014-11-06 Thread Tim Graham
Tim Graham added the comment:
Django's test suite doesn't reveal any regressions. All the changes there are expected as far as I can see.

2014-11-05 Thread Antoine Pitrou
Antoine Pitrou added the comment:
No, I meant functionality-wise.

2014-11-05 Thread Tim Graham
Tim Graham added the comment:
Security-wise? I don't know, I haven't really been in the loop on the original issue.

2014-11-05 Thread Antoine Pitrou
Antoine Pitrou added the comment:
Paul, Tim, do you think there's a real risk of regression with the proposed patch?
--
stage: -> commit review
versions: +Python 3.5 -Python 2.7, Python 3.2, Python 3.3, Python 3.4

2014-11-05 Thread Raymond Hettinger
Raymond Hettinger added the comment:
The patch looks good. One nit: please change "items" to "typed_items" or somesuch. That will make it clear why there are 3-tuples instead of the traditional 2-tuple used for normal mappings.
--
nosy: +rhettinger

2014-11-04 Thread Tim Graham
Tim Graham added the comment:
Django's test suite passes with the proposed patch after some updates: https://github.com/django/django/pull/3455

2014-11-04 Thread Antoine Pitrou
Changes by Antoine Pitrou:
--
nosy: +PaulMcMillan

2014-11-04 Thread Antoine Pitrou
Antoine Pitrou added the comment:
Well, if we want to become stricter, I don't think it makes sense to stop in the middle of the road. In any case, here is a patch enabling strict parsing.
--
keywords: +patch
Added file: http://bugs.python.org/file37130/cookie_strict_parsing.patch

2014-11-04 Thread Georg Brandl
Georg Brandl added the comment:
These are unknown attributes after a key=value pair. What this issue is about is accepting attributes *before* any key=value pair.

2014-11-04 Thread Antoine Pitrou
Antoine Pitrou added the comment:
Note that f81846c2b746 adds an explicit test for acceptance of invalid cookie strings ("test_bad_attrs").

2014-11-04 Thread Antoine Pitrou
Antoine Pitrou added the comment:
This qualification isn't really accurate:
> The change for #16611 reintroduces "lax" parsing behavior that the security
> fix [1] was supposed to prevent
since the #16611 changes were committed *before* the security fix.

2014-11-04 Thread Antoine Pitrou
Antoine Pitrou added the comment:
The security issue isn't easy to explain; it involves an elaborate set of services (browser, Web site...) each having a slightly different notion of cookie parsing to mount an attack allowing to bypass CSRF protection on certain Python-powered frameworks. It'

2014-11-04 Thread Georg Brandl
Georg Brandl added the comment:
Well, with this change you can again (e.g.) pass "Set-cookie: foo=bar" which isn't a valid cookie. It doesn't reintroduce the same vulnerability, but it will still silently consume invalid cookies (i.e. such with attribute-like tokens upfront) and return a see

2014-11-04 Thread R. David Murray
R. David Murray added the comment:
This test still exists, so the change didn't cause it to trigger. What is the security bug? The commit doesn't say, and doesn't reference an issue number. So if that test still passes, what's the bug?

2014-11-04 Thread Arfrever Frehtes Taifersar Arahesis
Changes by Arfrever Frehtes Taifersar Arahesis:
--
nosy: +Arfrever

2014-11-04 Thread Tim Graham
New submission from Tim Graham:
As noted in the comments of #22758 by Georg Brandl:
* Django uses __init__(str()) roundtripping, which is not explicitly supported by the library, and worked by accident with previous versions. That it works again with 3.3+ is another accident, and a bug. (T
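To make the behaviour argued about in this thread concrete, here is an added example (not code from the issue, from Django or from CPython) that runs a few cookie strings through the stdlib http.cookies parser as it behaves after the strict-parsing changeset (Python 3.5 and later): the valid string is parsed, while a leaked "Set-Cookie:" header name, an attribute before any key=value pair, and the old test_bad_attrs input are each discarded as a whole. The sample strings are constructed and the helper names are mine.

```python
from http.cookies import SimpleCookie


def parse_cookie_header(header):
    """Parse one cookie string with the stdlib's strict (3.5+) parser.

    Returns {name: (value, {attr: attr_value, ...})}. An empty dict means
    http.cookies rejected the entire string: the strict parser silently
    discards an invalid string instead of skipping the bad tokens, as the
    lax 3.3/3.4 parser did.
    """
    jar = SimpleCookie()
    jar.load(header)
    parsed = {}
    for name, morsel in jar.items():
        # Morsel pre-populates every reserved attribute with ""; keep only
        # the ones the string actually set (flags such as HttpOnly are True).
        attrs = {k: v for k, v in morsel.items() if v not in ("", False)}
        parsed[name] = (morsel.value, attrs)
    return parsed


def cookie_rejected(header):
    """True when a non-blank cookie string produced no morsel at all."""
    return bool(header.strip()) and not parse_cookie_header(header)


# Constructed sample strings: the first is valid; the others are the kinds
# of input discussed in the thread (a header name leaking into the cookie
# string, an attribute before any key=value pair, and the test_bad_attrs
# input that the lax parser accepted by skipping "invalid" and "version").
SAMPLES = [
    "foo=bar; Path=/; HttpOnly",
    "Set-Cookie: foo=bar",
    "secure; foo=bar",
    "cookie=with; invalid; version; second=cookie;",
]

if __name__ == "__main__":
    for s in SAMPLES:
        verdict = "rejected" if cookie_rejected(s) else "accepted"
        print(f"{verdict:8s} {s!r} -> {parse_cookie_header(s)}")
```

An application that relies on str()/load() roundtripping, as Django's did, can use the empty-result check to notice that a whole cookie string was dropped rather than partially parsed.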