From 729675e81fba6465252aa301ceabe4ec6f54a267 Mon Sep 17 00:00:00 2001
From: spaceone
Date: Fri, 18 Sep 2015 10:02:47 +0200
Subject: [PATCH 1/2] Fix remote code execution vulnerability

If ptlogin2.qq.com is evil it is able to execute code on your clients. SmartCookie as well as SerialCookie are vulnerable to code injection in python2. For example, the following cookie header would shutdown your client: Set-Cookie: foo="cposix\012_exit\012p1\012(I1\012tp2\012Rp3\012."
---
 pyqq/api.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pyqq/api.py b/pyqq/api.py
index b4ec96f..4705be2 100644
--- a/pyqq/api.py
+++ b/pyqq/api.py
@@ -4,7 +4,7 @@ import time
 from rest import Get,Post
 from algorithm import pwd_encode,get_clientid,get_msgid
-from Cookie import SmartCookie as Cookie
+from Cookie import SimpleCookie as Cookie
 from utils import getcookiestr
 import urllib
 import json
@@ -333,4 +333,4 @@ def testQQ(self):
 if __name__ == '__main__':
 unittest.main()
-
\ No newline at end of file
+

From 00c2e9496c2336fd3cbfdd0528c1cdca61486379 Mon Sep 17 00:00:00 2001
From: spaceone
Date: Fri, 18 Sep 2015 10:11:52 +0200
Subject: [PATCH 2/2] Update utils.py

not vulnerable - but better change this, too.
---
 pyqq/utils.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pyqq/utils.py b/pyqq/utils.py
index 1e0da5f..6534f9c 100644
--- a/pyqq/utils.py
+++ b/pyqq/utils.py
@@ -1,6 +1,6 @@
 import unittest
 import unittest
-from Cookie import SmartCookie as Cookie
+from Cookie import SimpleCookie as Cookie
 def getcookiestr(cookie):
 items = []
@@ -18,4 +18,4 @@ def test_cookie(self):
 print getcookiestr(cookie)
 if __name__ == '__main__':
 unittest.main()
-
\ No newline at end of file
+
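Review bot: The replaced import in pyqq/api.py (`from Cookie import SimpleCookie as Cookie`) has no comment recording why SimpleCookie is required, and because the alias keeps the name `Cookie`, nothing at the call sites shows which class parses the server's Set-Cookie data. I would put `# SimpleCookie only: SmartCookie and SerialCookie unpickle cookie values sent by the server.` above the import, and the same above the matching import in pyqq/utils.py from patch 2/2, so the class is not swapped back later. Both files already contain unittest cases, so a regression test that loads a cookie whose value is a pickle string and asserts it comes back as plain text would pin the fix. The cookie-parsing call sites lie outside both hunks, so whether any other path still unpickles server data cannot be confirmed from here.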