Anonymous committed 00d6344

Added handling of invalid cookie names by responding with 400 Bad Request (#868, backport of r2175)

Comments (0)

Files changed (2)


             # Handle cookies differently because on Konqueror, multiple
             # cookies come on different lines with the same key
             if name.title() == 'Cookie':
-                self.simple_cookie.load(value)
+                try:
+                    self.simple_cookie.load(value)
+                except Cookie.CookieError:
+                    msg = "Illegal cookie name %s" % value.split('=')[0]
+                    raise cherrypy.HTTPError(400, msg)
         # Save original values (in case they get modified by filters)
         # This feature is deprecated in 2.2 and will be removed in 2.3.


             self.assertHeader('Set-Cookie', 'First=Dinsdale')
             self.assertHeader('Set-Cookie', 'Last=Piranha')
+            self.getPage("/cookies/single?name=Something-With:Colon",
+                [('Cookie', 'Something-With:Colon=some-value')])
+            self.assertStatus(400)
                          [('Cookie', 'First=Dinsdale;')])
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.