id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36547	Construction of a cookie using user-supplied input	pTr	pTr	"In the following cases, a cookie is constructed for a Flask response using user input. The first uses set_cookie, and the second sets a cookie's raw value through the set-cookie header.


{{{
from flask import Flask, request, make_response

app = Flask(__name__)


@app.route(""/1"")
def set_cookie():
    resp = make_response()
    resp.set_cookie(request.args[""name""],  # BAD: User input is used to set the cookie's name and value
                    value=request.args[""name""])
    return resp


@app.route(""/2"")
def set_cookie_header():
    resp = make_response()
    resp.headers['Set-Cookie'] = f""{request.args['name']}={request.args['name']};""  # BAD: User input is used to set the raw cookie header.
    return resp
}}}



https://en.wikipedia.org/wiki/Session_fixation"	New feature	closed	Uncategorized	5.2	Normal	invalid			Unreviewed	0	0	0	0	0	0
