git.ipfire.org Git - thirdparty/tornado.git/commit
httputil: Rewrite cookie parsing
author Ben Darnell <ben@bendarnell.com>
Fri, 30 Sep 2016 15:39:29 +0000 (23:39 +0800)
committer Ben Darnell <ben@bendarnell.com>
Fri, 30 Sep 2016 16:35:37 +0000 (00:35 +0800)
commit cb247cb8db7903fda0ca26531c1526e895e10800
tree 3c65ed96f791740cba305290538d93578be1f530
parent f43ec69f13dbcdc1fd03cd80ea77eed2623c5820
httputil: Rewrite cookie parsing

Move from the python standard library to a parsing function copied from
Django. This parser more closely matches browser behavior. The primary
motivation is that differences between server-side and browser cookie
parsing can lead to an XSRF bypass, as in
https://hackerone.com/reports/26647. A secondary benefit is that this
makes it possible to work with cookie headers containing cookies that
are invalid according to the spec, which is a surprisingly common
request.

Closes #1851
Closes #633
Closes #1434
Closes #1176
tornado/httputil.py
tornado/test/httputil_test.py
tornado/test/web_test.py
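
The commit message contrasts standard-library cookie parsing with browser-style parsing. The sketch below is an added example, not Tornado's or Django's code: it splits a Cookie header on `;` only and compares the result with `http.cookies.SimpleCookie`, so a server-side check can see which names the two parsers disagree on. The function names and the sample header are assumptions made for illustration.

```python
from http.cookies import CookieError, SimpleCookie


def parse_cookie_lenient(header):
    """Browser-style parse: split on ';' only, then on the first '='."""
    cookies = {}
    for chunk in header.split(";"):
        if "=" in chunk:
            name, value = chunk.split("=", 1)
        else:
            # No '=': keep the chunk as a value under an empty name.
            name, value = "", chunk
        name, value = name.strip(), value.strip()
        if not (name or value):
            continue
        # Simplification (assumption): drop one pair of surrounding quotes
        # instead of full backslash/octal unquoting.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        cookies[name] = value
    return cookies


def parse_cookie_stdlib(header):
    """Parse with SimpleCookie; what survives invalid input varies by Python version."""
    jar = SimpleCookie()
    try:
        jar.load(header)
    except CookieError:
        return {}
    return {name: morsel.value for name, morsel in jar.items()}


def names_lost_by_stdlib(header):
    """Cookie names the lenient parser sees but SimpleCookie does not."""
    strict = parse_cookie_stdlib(header)
    return sorted(n for n in parse_cookie_lenient(header) if n not in strict)


# Constructed sample: one cookie name is invalid per the spec, one chunk has no '='.
SAMPLE = "theme=dark; bad name[]=x; sid=abc123; flag"

if __name__ == "__main__":
    print("lenient:", parse_cookie_lenient(SAMPLE))
    print("stdlib: ", parse_cookie_stdlib(SAMPLE))
    print("lost:   ", names_lost_by_stdlib(SAMPLE))
```

A non-empty result from `names_lost_by_stdlib` marks a header on which the two parsers would give the application different views of the same request.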