[Python-Dev] Re: Cookie.py security

Barry A. Warsaw bwarsaw@beopen.com
Fri, 1 Sep 2000 13:54:16 -0400 (EDT)


>>>>> "timo" ==   <timo@timo-tasi.org> writes:

    timo> Right now, the shortcut 'Cookie.Cookie()' returns an
    timo> instance of the SmartCookie, which uses Pickle.  Most extant
    timo> examples of using the Cookie module use this shortcut.

    timo> We could change 'Cookie.Cookie()' to return an instance of
    timo> SimpleCookie, which does not use Pickle.  Unfortunately,
    timo> this may break existing code (like Mailman), but there is a
    timo> lot of code out there that it won't break.

Not any more!  Around the Mailman 2.0beta5 time frame, I completely
revamped Mailman's cookie stuff because lots of people were having
problems.  One of the things I suspected was that the binary data in
cookies was giving some browsers headaches.  So I took great pains to
make sure that Mailman only passed in carefully crafted string data,
avoiding Cookie.py's pickle stuff.

I use marshal in the application code, and I go further to `hexlify'
the marshaled data (see binascii.hexlify() in Python 2.0).  That way,
I'm further guaranteed that the cookie data will consist only of
characters in the set [0-9A-F], and I don't need to quote the data
(which was another source of browser incompatibility).  I don't think
I've seen any cookie problems reported from people using Mailman
2.0b5.

[Side note: I also changed Mailman to use session cookies by default,
but that probably had no effect on the problems.]

[Side side note: I also had to patch Morsel.OutputString() in my copy
of Cookie.py because there was a test for falseness that should have
been a test for the empty string explicitly.  Otherwise this fails:

    c['foo']['max-age'] = 0

but this succeeds

    c['foo']['max-age'] = "0"

Don't know if that's relevant for Tim's current version.]

    timo> Also, people could still use the SmartCookie and
    timo> SerialCookie classes, but now they would be more likely to
    timo> read them in the documentation because they are "outside the
    timo> beaten path".

My vote would be to get rid of SmartCookie and SerialCookie and stay
with simple string cookie data only.  Applications can do fancier
stuff on their own if they want.

-Barry
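
The string-only cookie approach described in the message above, as an added example that is not Mailman's or Cookie.py's code: the value is serialized, hexlified so it needs no quoting, and rejected on the way back in unless it is well-formed hex. It assumes Python 3's `http.cookies.SimpleCookie` and uses `json` in place of `marshal`; the function names are hypothetical.

```python
import binascii
import json
import re
from http.cookies import SimpleCookie  # Python 3 home of SimpleCookie

_HEX = re.compile(r"[0-9a-fA-F]+")  # the only characters a value may contain


def encode_value(data):
    """Serialize to JSON (swapped in for marshal), then hexlify the bytes."""
    raw = json.dumps(data, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return binascii.hexlify(raw).decode("ascii")


def decode_value(text, max_len=4096):
    """Return the decoded data, or None when the value is not what we emit."""
    if len(text) > max_len or len(text) % 2 or not _HEX.fullmatch(text):
        return None
    try:
        return json.loads(binascii.unhexlify(text).decode("utf-8"))
    except (ValueError, RecursionError):  # bad UTF-8, bad JSON, absurd nesting
        return None


def set_cookie_header(name, data):
    """Build a Set-Cookie header whose value is plain hex, so never quoted."""
    cookie = SimpleCookie()
    cookie[name] = encode_value(data)
    return cookie.output(header="Set-Cookie:")


def read_cookie(header_value, name):
    """Parse a Cookie header and decode one value; nothing is unpickled."""
    cookie = SimpleCookie()
    cookie.load(header_value)
    morsel = cookie.get(name)
    # Explicit None test: a truthiness test is the kind of check that
    # misfires on legitimate falsy values such as max-age = 0.
    return None if morsel is None else decode_value(morsel.value)


if __name__ == "__main__":
    sample = {"user": "anne", "lists": ["mailman-users"]}  # constructed sample
    header = set_cookie_header("session", sample)
    print(header)
    print(read_cookie(header.split(": ", 1)[1], "session"))
```
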