
_LegalCharsPatt in cookies.py includes illegal characters #60566

Closed
SimonBlanchard mannequin opened this issue Oct 30, 2012 · 5 comments
Labels
stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error

Comments

@SimonBlanchard
Mannequin

SimonBlanchard mannequin commented Oct 30, 2012

BPO 16362
Nosy @bitdancer
Superseder
  • bpo-1210326: comma separated cookie values
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = None
    closed_at = <Date 2012-10-30.13:37:31.811>
    created_at = <Date 2012-10-30.07:07:29.257>
    labels = ['type-bug', 'library']
    title = '_LegalCharsPatt in cookies.py includes illegal characters'
    updated_at = <Date 2012-10-31.08:02:56.819>
    user = 'https://bugs.python.org/SimonBlanchard'

    bugs.python.org fields:

    activity = <Date 2012-10-31.08:02:56.819>
    actor = 'Simon.Blanchard'
    assignee = 'none'
    closed = True
    closed_date = <Date 2012-10-30.13:37:31.811>
    closer = 'r.david.murray'
    components = ['Library (Lib)']
    creation = <Date 2012-10-30.07:07:29.257>
    creator = 'Simon.Blanchard'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 16362
    keywords = []
    message_count = 5.0
    messages = ['174183', '174210', '174262', '174263', '174267']
    nosy_count = 3.0
    nosy_names = ['grahamd', 'r.david.murray', 'Simon.Blanchard']
    pr_nums = []
    priority = 'normal'
    resolution = 'duplicate'
    stage = 'resolved'
    status = 'closed'
    superseder = '1210326'
    type = 'behavior'
    url = 'https://bugs.python.org/issue16362'
    versions = ['Python 2.7', 'Python 3.3']


    _LegalCharsPatt  = r"[\w\d!#%&'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"

    The above regex in cookies.py includes the comma character, but RFC 6265 https://tools.ietf.org/html/rfc6265 section 4.1.1 says:

    cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
    ; US-ASCII characters excluding CTLs,
    ; whitespace DQUOTE, comma, semicolon,
    ; and backslash

    That is, no comma.

    @SimonBlanchard SimonBlanchard mannequin added stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error labels Oct 30, 2012
    @bitdancer
    Member

    This is a pragmatic choice. Try searching the tracker for 'cookie comma', and read about the lack of adherence to cookie RFCs by the major browsers. Specifically, I think bpo-1210326 is relevant here, and am closing this as a duplicate of that issue. If you disagree, I think we'll need examples from real-world browser/server situations where this is an incorrect choice in order to consider changing it.

    You will note that the comment block before that equate mentions that it does not follow the RFCs for pragmatic reasons.

    @SimonBlanchard
    Mannequin Author

    SimonBlanchard mannequin commented Oct 31, 2012

    I have a real world example. Using Apache, mod_wsgi and Django. Given this in the META dict:

    'HTTP_COOKIE': 'yaean_djsession=23ab7bf8b260cbb2f2bc80b1c1fd98fa, yaean_yasession=ff2a3030ee3f428f91c6f554a63b459c',

    Django via the Python cookie api gives this:

    COOKIES:{'yaean_djsession': '23ab7bf8b260cbb2f2bc80b1c1fd98fa,',
    'yaean_yasession': 'ff2a3030ee3f428f91c6f554a63b459c'},

    Note the comma on the end of the cookie named yaean_djsession in COOKIES. It should not be there. In this case session lookup fails.
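The behaviour described in the two posts above (the comma-tolerant `_LegalCharsPatt` and the Baidu header that ends up with a trailing comma in the session value) can be reproduced with the stdlib parser and contrasted with a strict RFC 6265 section 4.1.1 check. This is an added illustration, not code from CPython, Django or the issue; the header strings are constructed to mirror the ones quoted in the thread, and `parse_lenient` / `parse_strict` are names chosen here, not stdlib or Django APIs.

```python
"""Lenient stdlib cookie parsing vs. a strict RFC 6265 cookie-octet check.

Added illustration, not code from CPython or from the issue. The header
strings are constructed to mirror the ones quoted in the thread.
"""
from http.cookies import SimpleCookie

# cookie-octet per RFC 6265 section 4.1.1: US-ASCII excluding CTLs,
# whitespace, DQUOTE, comma, semicolon and backslash.
COOKIE_OCTETS = frozenset(
    chr(c) for c in range(0x21, 0x7F) if chr(c) not in '",;\\'
)

# token per RFC 2616 section 2.2, which RFC 6265 uses for cookie-name.
TOKEN_CHARS = frozenset(
    chr(c) for c in range(0x21, 0x7F) if chr(c) not in '()<>@,;:\\"/[]?={}'
)

# Constructed headers: the first mirrors the spider example in the thread
# (comma as separator), the second is the RFC-compliant equivalent.
SPIDER_HEADER = (
    "yaean_djsession=23ab7bf8b260cbb2f2bc80b1c1fd98fa, "
    "yaean_yasession=ff2a3030ee3f428f91c6f554a63b459c"
)
COMPLIANT_HEADER = (
    "yaean_djsession=23ab7bf8b260cbb2f2bc80b1c1fd98fa; "
    "yaean_yasession=ff2a3030ee3f428f91c6f554a63b459c"
)


def parse_lenient(header):
    """Parse with the stdlib SimpleCookie, where ',' is a legal value char.

    The value regex stops at whitespace, not at the comma, so the comma
    is swallowed into the first cookie's value.
    """
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def is_cookie_value(value):
    """cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return all(ch in COOKIE_OCTETS for ch in value)


def parse_strict(header):
    """Parse a Cookie header per RFC 6265 section 4.2.1.

    Returns (accepted, rejected): accepted maps name -> value for every
    well-formed cookie-pair; rejected lists (pair, reason) for the rest so
    the caller can log the malformed input instead of silently mangling it.
    """
    accepted, rejected = {}, []
    for pair in header.split(";"):
        pair = pair.strip()          # the grammar allows exactly "; " between pairs
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if not sep:
            rejected.append((pair, "missing '='"))
            continue
        if not name or not all(ch in TOKEN_CHARS for ch in name):
            rejected.append((pair, "cookie-name is not a token"))
            continue
        if not is_cookie_value(value):
            bad = sorted({ch for ch in value.strip('"') if ch not in COOKIE_OCTETS})
            rejected.append((pair, "illegal cookie-octet(s): %r" % bad))
            continue
        accepted[name] = value
    return accepted, rejected


if __name__ == "__main__":
    print("lenient:", parse_lenient(SPIDER_HEADER))
    print("strict: ", parse_strict(SPIDER_HEADER))
    print("compliant header agrees:",
          parse_lenient(COMPLIANT_HEADER) == parse_strict(COMPLIANT_HEADER)[0])
```

For the compliant header both parsers return the same two cookies. For the comma-separated header the stdlib parser hands back `yaean_djsession` with a trailing comma, which is exactly the value the session lookup in the report could not find, while the strict parser accepts nothing and reports the offending pair with the characters that broke the grammar. Whether a server should be lenient is the pragmatic question the maintainers raise; what the strict variant buys a defender is that a malformed header becomes a logged parse failure rather than a silently altered value.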

    @grahamd
    Mannequin

    grahamd mannequin commented Oct 31, 2012

    For that cookie string to be valid in the first place, shouldn't it have been sent as:

    'HTTP_COOKIE': 'yaean_djsession=23ab7bf8b260cbb2f2bc80b1c1fd98fa; yaean_yasession=ff2a3030ee3f428f91c6f554a63b459c'

    IOW, semicolon as separator.

    What client generated that HTTP Cookie header with commas in it?

    The only way I could see you ending up with that, if the client isn't broken, is if the application originally sent it as only one Set-Cookie response header and tried to set both values at the same time with a comma as separator. Then, when it came back from the client like that to the application, the cookie parser did the wrong thing on it.

    If this is a browser client, check the browser cookie cache to see what it is stored as in there.

    @SimonBlanchard
    Mannequin Author

    SimonBlanchard mannequin commented Oct 31, 2012

    'HTTP_USER_AGENT': 'Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)',

    It's the Baidu spider according to the user agent string. (Baidu is the biggest search engine in China.) The serving app is Django + mod_wsgi + Apache - which I think must be OK. I guess the Baidu spider is broken?

    Thanks

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022