Closed JordanMilne closed 10 years ago
Per my comment at https://news.ycombinator.com/item?id=7225580, this fixes an RCE vulnerability in the cookie handling. If you rely on an attacker not being able to set cookies for security, you're going to have a bad time.
Also, eval(cookies) will choke on valid JSON. See http://stackoverflow.com/a/1083302
Thanks for the follow-up on this and the pull request.
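Added example, not code from this pull request or the project: a sketch of the two points raised in the description, assuming the cookie handling is Python (the page does not show the code). The function names and the sample cookie strings are constructed for illustration, and the expression cookie only appends to a list so the evaluation is observable.

```python
import json

# Constructed sample cookie values (not taken from the project).
VALID_JSON_COOKIE = '{"session": "abc123", "secure": true, "path": null}'
# Harmless stand-in for attacker-controlled input: it only records that it ran.
EVALUATED = []
EXPRESSION_COOKIE = 'EVALUATED.append("cookie was executed as code") or {}'


def parse_cookies_eval(raw):
    """The 'before' pattern: treats the cookie string as Python source."""
    return eval(raw)


def parse_cookies_json(raw):
    """Data-only parsing: json.loads never evaluates expressions."""
    try:
        cookies = json.loads(raw)
    except ValueError as exc:  # json.JSONDecodeError subclasses ValueError
        raise ValueError("cookie value is not valid JSON") from exc
    if not isinstance(cookies, dict):
        raise ValueError("cookie value must be a JSON object")
    return cookies


def demo():
    """Run both parsers over both cookies and report what happened."""
    EVALUATED.clear()
    results = {}
    # 1. eval() rejects valid JSON: true and null are not Python names.
    try:
        parse_cookies_eval(VALID_JSON_COOKIE)
        results["eval_valid_json"] = "parsed"
    except NameError:
        results["eval_valid_json"] = "NameError"
    # 2. eval() runs whatever expression the cookie contains.
    parse_cookies_eval(EXPRESSION_COOKIE)
    results["eval_ran_code"] = len(EVALUATED) == 1
    # 3. json.loads() parses the valid cookie and refuses the expression.
    results["json_valid"] = parse_cookies_json(VALID_JSON_COOKIE)
    try:
        parse_cookies_json(EXPRESSION_COOKIE)
        results["json_expression"] = "parsed"
    except ValueError:
        results["json_expression"] = "rejected"
    return results
```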